View Full Version : I got a Virus
Well I got a virus after never getting a v.i.r.u.s. for years. A bunch of windows started popping up in internet explorer (even though I never use IE, only f.i.r.e.f.o.x.). A.V.G. went on the fritz, I told it to remove everything, rescanned and removed all it found. Downloaded S.p.y.b.o.t. and removed everything it found. I think the v.i.r.u.s. installed something called A.n.i.m.a.l. d.o.c.t.o.r. so I removed all that manually.
Anyway, the v.i.r.u.s. is still here and windows open up randomly. I can't visit any a.n.t.i.v.i.r.u.s. sites (already checked hosts file and nothing). When I g.o.o.g.l.e.d. about the a.n.t.i.v.i.r.u.s. block, every link and cache gets redirected to something else.
Anyway, here is the log. Hope you can help as I'm out of ideas...
About the dots in my post. I wasn't able to post this and was seeing if I could get through by hiding possible things its scanning for. I ended up posting it with a proxy.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:14:34 PM, on 4/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\DOCUME~1\thewird\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\Xzypya.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\DOCUME~1\thewird\LOCALS~1\Temp\Xhg.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O1 - Hosts: 67.159.55.30 torrentfluxtest.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Documents and Settings\thewird\Application Data\FlashGetBHO\FlashGetBHO3.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [ewrgetuj] C:\DOCUME~1\thewird\LOCALS~1\Temp\geurge.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\thewird\LOCALS~1\Temp\Xhg.exe
O4 - HKCU\..\Run: [newupdate1142C.exe] C:\Documents and Settings\thewird\Application Data\1E770E141FD81C1D6BCC6C87E2099085\newupdate1142C.exe
O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\thewird\Application Data\1E770E141FD81C1D6BCC6C87E2099085\newupdate1142C.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Download All By FlashGet3 - C:\Documents and Settings\thewird\Application Data\FlashGetBHO\GetAllUrl.htm
O8 - Extra context menu item: Download By FlashGet3 - C:\Documents and Settings\thewird\Application Data\FlashGetBHO\GetUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://software.kuaiche.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267824444125
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A261070D-6625-473B-ACC7-92A7F6027472}: NameServer = 93.188.165.130,93.188.161.147
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.130,93.188.161.147
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.130,93.188.161.147
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: RDM+ - C:\Program Files\RDM+\notify.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RDM+ Local Service (RDMPLocalService) - Unknown owner - C:\Program Files\RDM+\rdmpserv.exe
--
End of file - 10450 bytes
thewird
Hi and welcome to Safer-Networking Forums, Sorry for the delay in answering your request for help.
We have had more logs than we could handle in a timely manner.
My name is Cypher, and I will be helping you with your malware problems.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
Read Back up your files (http://windows.microsoft.com/en-us/windows7/Back-up-your-files)
please note the following important guidelines.
The instructions being given are for YOUR computer and system only!.
Using these instructions on a different computer, can damage that computer and possibly make it inoperable!
If you don't know or understand something, please don't hesitate to ask.
Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread do not start another, Please continue responding until I give you the "All Clean"
Absence of symptoms does not mean that everything is clear.
Please DO NOT run any other tools or scans whilst I am helping you.
Please DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
Print each set of instructions... if possible...your Internet connection might not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
The logs from the tools we use can take some time to research so please be patient.
If you haven't done so already, please read this topic READ this Procedure BEFORE Requesting Assistance (http://forums.spybot.info/showthread.php?t=288) where the conditions for receiving help here are explained.
Please post an Uninstall list.
Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.
Since opening this thread I had some success in removing the malware using multiple tools. My main issue right now (and proof that I'm still infected is) that I can't access windows update and when I google anything virus or windows update related, it redirects me to something else when I click the links. Here is what you requested...
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 9.3.2
AirRivals_EN 1.0.0.39
AVG Free 9.0
BlackBerry Desktop Software 5.0.1
BlackBerry Desktop Software 5.0.1
Broadcom Gigabit Integrated Controller
BulletProof FTP Client 2009 (remove only)
CloneCD
CloneDVD2
Counter-Strike
CP2101 USB to UART Bridge Controller
Day of Defeat
Dell ResourceCD
DivX Setup
DivX Web Player
FC Edit Universal
FlashGet 3.3
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
HxD Hex Editor version 1.7.7.0
I8kfanGUI V3.1
Image Resizer Powertoy for Windows XP
Intel® Solid-State Drive Toolbox
Java(TM) 6 Update 20
K-Lite Codec Pack 5.8.3 (Full)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.3)
NVIDIA Drivers
NVIDIA PhysX
PokerStars
PowerISO
QuickSet
RDM+ 4.1
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SigmaTel Audio
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Spybot - Search & Destroy
Steam
Synaptics Pointing Device Driver
SyncBackSE
TeraCopy 2.12
TightVNC 1.2.9
Trillian
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
VLC media player 1.0.5
Vuze
WhatPulse 1.6.2.1
WIDCOMM Bluetooth Software
Windows Defender
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Xfire (remove only)
thewird
Hi thewird.
Since opening this thread I had some success in removing the malware using multiple tools.
Please do not make any other changes to you're system unless i tell you to do so, this will complicate things.
In you're next post please let me know what tools you have run so far.
Remove P2P Programs
I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
Vuze
Please read the P2P Programs (http://forums.spybot.info/showthread.php?t=282) where we explain why it's not a good idea to have them.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Click on start
Then Run
In the open text entry box please copy/paste appwiz.cpl Then click enter.
Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
Next.
I see you have Malwarebytes Anti-Malware: installed.
Launch the application, Check for Updates >> Perform Quick Scan.
When the scan is complete, click OK, then Show Results to view the results.
Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
When completed, a log will open in Notepad. please copy and paste the log into your next reply.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Next.
RSIT (Random's System Information Tool)
Please download RSIT (http://images.malwareremoval.com/random/RSIT.exe) by random/random... and save it to your desktop.
Double click on RSIT.exe to run it.
Please read the disclaimer... click on Continue.
RSIT will start running. When done... 2 logs files...will be produced.
The first one, "log.txt", << will be maximized
The second one, "info.txt", << will be minimized.
Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)
Logs/Information to Post in your Next Reply
What tools have you run?
Malwarebytes log.
RSIT log.txt file contents and info.txt file contents.
Please give me an update on your computers performance.
You don't have to worry about Vuze. I'm not a newbie when it comes to safe practices online. I usually do virus removal for other people but this is the first virus I was unable to get rid of as I'm not sure what it even is and even all the scanners I used were unable to fully remove it.
I even know where I got the virus from. It was from one the ads on ninjavideo.net . But what gets me is that I was using firefox and did not click yes any alerts, it just happened >_>. Has me pretty baffled but ah well.
As for an update on system performance. Basically I can't access windows update. Certain google searches when clicked redirect to random pages (usually full of ads). Occasionally, a random tab opens in firefox with an ad page as well. Also, my programs occasionally freeze every day or so like Warcraft 3, firefox, and even today my internet stopped working and when I tried to reboot, the computer froze so I had to do a force reboot.
**** To post this message with all these logs, I had to use my other laptop since the connection was reseting in firefox every time I tried to post it. It's like the virus is scanning my internet connection for keywords and kills the connection.
Anyway, the list of all the scanners I used off the top of my head more or less in the order they were run... Also, all scanners were updated on every single run...
AVG Antivirus (was running at time of infection and did set warnings off but didn't stop the infection)
Spybot - Search & Destroy
*had to run something called kill.com (i think) to get malwarebytes installed in safe mode
Malwarebytes
Avast! Antivirus
Windows Live OneCare Scanner
Windows Defender
SuperAntiSpyware (if I remember right, this one wanted me to buy it to remove the threats)
Here is the malwarebytes log... However, I have the logs from when it actually found stuff and removed it if you want me to post those?
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4033
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
4/25/2010 1:50:29 AM
mbam-log-2010-04-25 (01-50-29).txt
Scan type: Quick scan
Objects scanned: 107822
Time elapsed: 3 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
log.txt ...
Logfile of random's system information tool 1.06 (written by random/random)
Run by thewird at 2010-04-25 02:05:08
Microsoft Windows XP Professional Service Pack 3
System drive C: has 65 GB (43%) free of 153 GB
Total RAM: 3326 MB (69% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:18 AM, on 4/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\DOCUME~1\thewird\LOCALS~1\Temp\clclean.0001
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Documents and Settings\thewird\Desktop\RSIT.exe
C:\Program Files\trend micro\thewird.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O1 - Hosts: 67.159.55.30 torrentfluxtest.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Documents and Settings\thewird\Application Data\FlashGetBHO\FlashGetBHO3.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267824444125
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: RDM+ - C:\Program Files\RDM+\notify.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RDM+ Local Service (RDMPLocalService) - Unknown owner - C:\Program Files\RDM+\rdmpserv.exe
--
End of file - 8873 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\Intel_C_CVPO9510015U160AGN.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}]
FlashGetBHO - C:\Documents and Settings\thewird\Application Data\FlashGetBHO\FlashGetBHO3.dll [2009-12-22 157232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-12 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-04-12 79648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
Locked
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-01-30 13594624]
"nwiz"=nwiz.exe /installquiet []
"NVHotkey"=nvHotkey.dll,Start []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-01-30 86016]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-03-08 761947]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2007-05-14 1191936]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-04-22 2064736]
"CloneCDTray"=C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2009-01-29 57344]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2010-03-10 648536]
"CTSysVol"=C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe [2005-10-31 57344]
"MBMon"=Rundll32 CTMBHA.DLL,MBMon []
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-24 952768]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-04-04 36272]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe [2007-09-11 67488]
"DivXUpdate"=C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2010-03-05 1135912]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"=C:\Program Files\I8kfanGUI\I8kfanGUI.exe [2007-02-16 856064]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"WhatPulse"=C:\Program Files\WhatPulse\WhatPulse.exe [2009-04-08 2814976]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\DTLite.exe [2009-10-30 369200]
"SetDefaultMIDI"=C:\WINDOWS\MIDIDef.exe [2004-12-22 24576]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\thewird\Start Menu\Programs\Startup
Trillian.lnk - C:\Program Files\Trillian\trillian.exe
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-03-08 12464]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RDM+]
C:\Program Files\RDM+\notify.dll [2009-05-29 61440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe"="C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe:*:Enabled:Flashget3"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\AVG\AVG9\avgemc.exe"="C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus / Vuze"
"C:\Documents and Settings\thewird\Desktop\gproxyplusplus_ptr_windows_1.0\gproxy.exe"="C:\Documents and Settings\thewird\Desktop\gproxyplusplus_ptr_windows_1.0\gproxy.exe:*:Enabled:gproxy"
"C:\Program Files\Trillian\trillian.exe"="C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\Program Files\Gameforge4D\AirRivals_EN\Launcher.atm"="C:\Program Files\Gameforge4D\AirRivals_EN\Launcher.atm:Enabled:GameExe2"
"C:\Program Files\Gameforge4D\AirRivals_EN\Res-Voip\SCVoIP.exe"="C:\Program Files\Gameforge4D\AirRivals_EN\Res-Voip\SCVoIP.exe:Enabled:GameVoIP"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
======List of files/folders created in the last 1 months======
2010-04-25 02:05:08 ----D---- C:\rsit
2010-04-23 17:14:03 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2010-04-23 17:12:22 ----D---- C:\Program Files\Windows Defender
2010-04-23 16:59:28 ----D---- C:\Program Files\Alwil Software
2010-04-23 16:59:28 ----D---- C:\Documents and Settings\All Users\Application Data\Alwil Software
2010-04-23 16:54:04 ----D---- C:\Program Files\Common Files\Java
2010-04-23 16:54:04 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-04-23 16:53:59 ----A---- C:\WINDOWS\system32\javaws.exe
2010-04-23 16:53:59 ----A---- C:\WINDOWS\system32\javaw.exe
2010-04-23 16:53:59 ----A---- C:\WINDOWS\system32\java.exe
2010-04-23 16:53:59 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-04-23 16:46:25 ----A---- C:\TDSSKiller.2.2.8.1_23.04.2010_16.46.25_log.txt
2010-04-23 13:04:04 ----A---- C:\TDSSKiller.2.2.8.1_23.04.2010_13.04.04_log.txt
2010-04-23 12:57:49 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-23 12:57:45 ----D---- C:\Program Files\SUPERAntiSpyware
2010-04-23 12:57:45 ----D---- C:\Documents and Settings\thewird\Application Data\SUPERAntiSpyware.com
2010-04-23 12:41:27 ----D---- C:\Program Files\Windows Live Safety Center
2010-04-21 19:31:07 ----D---- C:\Documents and Settings\thewird\Application Data\Malwarebytes
2010-04-21 19:30:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-21 19:30:59 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-04-21 19:26:50 ----D---- C:\WINDOWS\CSC
2010-04-21 19:20:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-04-21 12:12:56 ----D---- C:\Program Files\Trend Micro
2010-04-21 10:58:18 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-04-21 10:58:18 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-21 10:15:36 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-21 10:15:31 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-21 10:15:26 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-21 10:15:21 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-21 10:15:17 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-21 10:15:09 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-04-20 21:01:47 ----D---- C:\spoolerlogs
2010-04-20 00:23:36 ----D---- C:\Program Files\Gameforge4D
2010-04-20 00:23:36 ----A---- C:\WINDOWS\system32\SX5363S.DLL
2010-04-20 00:23:36 ----A---- C:\WINDOWS\system32\Sx5363.ini
2010-04-20 00:23:36 ----A---- C:\WINDOWS\system32\RV32RTP.dll
2010-04-16 16:26:30 ----A---- C:\WINDOWS\system32\xfcodec.dll
2010-04-14 19:36:37 ----D---- C:\Program Files\RDM+
2010-04-09 14:17:50 ----D---- C:\WINDOWS\system32\appmgmt
2010-04-09 14:14:29 ----D---- C:\WINDOWS\Performance
2010-03-30 03:29:54 ----D---- C:\Documents and Settings\thewird\Application Data\DivX
2010-03-30 03:26:10 ----D---- C:\Documents and Settings\All Users\Application Data\DivX
2010-03-26 19:58:56 ----A---- C:\WINDOWS\ntbtlog.txt
======List of files/folders modified in the last 1 months======
2010-04-25 02:05:18 ----D---- C:\WINDOWS\Prefetch
2010-04-25 01:47:37 ----D---- C:\WINDOWS\Temp
2010-04-25 01:37:59 ----D---- C:\WINDOWS\system32
2010-04-25 01:37:59 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-25 01:33:39 ----SD---- C:\WINDOWS\Tasks
2010-04-24 23:17:12 ----D---- C:\Program Files\Warcraft III
2010-04-24 18:57:24 ----HD---- C:\WINDOWS\inf
2010-04-23 17:54:41 ----D---- C:\Documents and Settings\thewird\Application Data\Xfire
2010-04-23 17:53:45 ----D---- C:\WINDOWS\system32\drivers
2010-04-23 17:12:30 ----SHD---- C:\WINDOWS\Installer
2010-04-23 17:12:30 ----SHD---- C:\Config.Msi
2010-04-23 17:12:22 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-04-23 17:12:22 ----RD---- C:\Program Files
2010-04-23 16:59:58 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-23 16:59:36 ----D---- C:\WINDOWS\WinSxS
2010-04-23 16:54:04 ----D---- C:\Program Files\Common Files
2010-04-23 16:53:54 ----D---- C:\Program Files\Java
2010-04-23 16:47:29 ----D---- C:\Program Files\Trillian
2010-04-23 16:46:41 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-23 16:45:41 ----D---- C:\WINDOWS
2010-04-23 16:45:10 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-04-23 14:17:11 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-04-23 12:00:02 ----D---- C:\WINDOWS\Registration
2010-04-23 02:02:58 ----D---- C:\Documents and Settings\thewird\Application Data\TeraCopy
2010-04-22 20:42:49 ----D---- C:\Program Files\DivX
2010-04-22 16:28:20 ----D---- C:\Program Files\Xfire
2010-04-22 13:19:26 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2010-04-22 02:20:44 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-04-21 19:35:06 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-04-21 12:12:56 ----SD---- C:\Documents and Settings\thewird\Application Data\Microsoft
2010-04-21 10:18:33 ----D---- C:\Documents and Settings\All Users\Application Data\avg9
2010-04-21 10:15:34 ----HD---- C:\WINDOWS\$hf_mig$
2010-04-21 10:15:33 ----A---- C:\WINDOWS\imsins.BAK
2010-04-20 02:37:05 ----D---- C:\Documents and Settings\thewird\Application Data\vlc
2010-04-13 00:48:45 ----D---- C:\Documents and Settings\thewird\Application Data\BITS
2010-04-07 11:03:25 ----D---- C:\Program Files\Mozilla Firefox
2010-04-06 10:52:56 ----A---- C:\WINDOWS\system32\MRT.exe
2010-04-02 06:11:23 ----D---- C:\Program Files\Internet Explorer
2010-04-02 06:11:19 ----D---- C:\WINDOWS\ie8updates
2010-04-01 10:08:20 ----D---- C:\Documents and Settings\thewird\Application Data\Adobe
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\vxblock.dll
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxwave.dll
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxsfs.dll
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxmas.dll
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxinsi64.exe
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxinsa64.exe
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxdrv.dll
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxcpyi64.exe
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxcpya64.exe
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\pxafs.dll
2010-03-30 21:58:04 ----N---- C:\WINDOWS\system32\px.dll
2010-03-30 03:29:22 ----D---- C:\Program Files\Common Files\DivX Shared
2010-03-26 20:04:09 ----SH---- C:\boot.ini
2010-03-26 20:04:09 ----A---- C:\WINDOWS\win.ini
2010-03-26 20:04:09 ----A---- C:\WINDOWS\system.ini
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-03-08 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-03-08 29512]
R1 AvgTdiX;AVG Free Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-04-22 242896]
R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2009-12-17 26024]
R1 fanio;FanIO driver; \??\C:\WINDOWS\system32\drivers\fanio.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2009-11-08 59388]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R2 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2006-11-15 32256]
R2 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2006-11-14 43520]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\system32\DRIVERS\rixdptsk.sys [2006-11-14 37376]
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2007-06-21 547072]
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2007-03-23 539072]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2007-03-23 37424]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2007-03-31 876384]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2005-01-10 138752]
R3 CTUSFSYN;Creative SoundFont Synthesizer; C:\WINDOWS\system32\drivers\ctusfsyn.sys [2005-05-25 158464]
R3 dfmirage;dfmirage; C:\WINDOWS\system32\DRIVERS\dfmirage.sys [2009-05-29 31896]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2007-02-15 34760]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 monfilt;monfilt; C:\WINDOWS\system32\drivers\monfilt.sys [2006-01-04 1389056]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-01-30 6250848]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2005-01-10 106496]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2009-01-09 27136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2008-04-13 11904]
R3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2008-04-13 11008]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-03-08 191872]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 USBCCID;USB Smart Card reader; C:\WINDOWS\system32\DRIVERS\usbccid.sys [2006-06-14 29184]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 aarngb7m;aarngb7m; C:\WINDOWS\system32\drivers\aarngb7m.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2005-10-26 142720]
S3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2007-03-23 149123]
S3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2007-03-31 55352]
S3 btwmodem;Bluetooth Fax Modem; C:\WINDOWS\system32\DRIVERS\btwmodem.sys [2007-03-23 37280]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2007-03-23 67960]
S3 EagleNT;EagleNT; \??\C:\DOCUME~1\thewird\LOCALS~1\Temp\EagleNT.sys []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-05-20 22784]
S3 slabbus;CP2101 USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\slabbus.sys [2004-03-11 52384]
S3 slabser;CP210x USB to UART Bridge Controller Drivers; C:\WINDOWS\system32\DRIVERS\slabser.sys [2004-12-16 89808]
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6; C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]
R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2010-03-08 916760]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-03-08 308064]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2007-05-17 260968]
R2 Creative Labs Licensing Service;Creative Labs Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe [2010-03-19 69632]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-12 153376]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [2007-05-14 475136]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-01-30 168004]
S2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2010-03-10 654848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 RDMPLocalService;RDM+ Local Service; C:\Program Files\RDM+\rdmpserv.exe [2010-03-22 813568]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------
info.txt ...
info.txt logfile of random's system information tool 1.06 2010-04-25 02:05:19 ======Uninstall list====== -->"C:\Program Files\Creative\SBAudigy\Program\CTZapxx.EXE" ctsbmb.ini /U /N /S /W -->MsiExec /X{DD1865F0-AD73-40FB-B23E-1822E02396FF} -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9 /remove -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EBD418-B8E6-4E86-89C4-33B72CF5663F}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EBD418-B8E6-4E86-89C4-33B72CF5663F}\setup.exe" -l0x9 /remove -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9 /remove -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9 /remove -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B17E626-7885-4FC3-A66A-73548A4F01FD}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B17E626-7885-4FC3-A66A-73548A4F01FD}\setup.exe" -l0x9 /remove -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9 /remove -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{943884D4-B604-496F-B132-DFA9C63FAF6A}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE4A4C48-2232-4CCB-AD61-490ACD29BA85}\setup.exe" -l0x9 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE4A4C48-2232-4CCB-AD61-490ACD29BA85}\setup.exe" -l0x9 /remove -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10f_Plugin.exe -maintain plugin Adobe Photoshop Elements 6.0-->msiexec /I {F54AC413-D2C6-4A24-B324-370C223C6250} Adobe Reader 9.3.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001} AirRivals_EN 1.0.0.39-->"C:\Program Files\Gameforge4D\AirRivals_EN\unins000.exe" AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL BlackBerry Desktop Software 5.0.1-->MsiExec.exe /I{CE86E2F5-850C-4207-94A3-A58D647B1733} BlackBerry Desktop Software 5.0.1-->MsiExec.exe /i{CE86E2F5-850C-4207-94A3-A58D647B1733} Broadcom Gigabit Integrated Controller-->MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643} BulletProof FTP Client 2009 (remove only)-->"C:\Program Files\BulletProof FTP Client 2009\Uninstall\unins000.exe" CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD" CloneDVD2-->"C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2" Counter-Strike-->"C:\Program Files\Steam\steam.exe" steam://uninstall/10 CP2101 USB to UART Bridge Controller-->C:\WINDOWS\system32\uninstall.exe C:\WINDOWS\system32\uninstall.ini Day of Defeat-->"C:\Program Files\Steam\steam.exe" steam://uninstall/30 Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe" DivX Setup-->C:\Documents and Settings\All Users\Application Data\DivX\Setup\DivXSetup.exe /uninstall /bundleGroupId divx.com DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN FC Edit Universal-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\FC Edit Universal\ST6UNST.LOG" FlashGet 3.3-->C:\Program Files\FlashGet Network\FlashGet 3\uninst.exe HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7} Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT="" Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT="" Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe" Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe" Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe" Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe" HxD Hex Editor version 1.7.7.0-->"C:\Program Files\HxD\unins000.exe" I8kfanGUI V3.1-->"C:\Program Files\I8kfanGUI\uninstall.exe" Image Resizer Powertoy for Windows XP-->MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29} Intel® Solid-State Drive Toolbox-->MsiExec.exe /I{E3C5D60C-F25F-4F5D-AABB-B4581CC80150} Java(TM) 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF} K-Lite Codec Pack 5.8.3 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe" Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp" Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7} Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe" Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9} Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c} Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475} Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989} Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI NVIDIA PhysX-->MsiExec.exe /X{DD1865F0-AD73-40FB-B23E-1822E02396FF} PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars PowerISO-->"C:\Program Files\PowerISO\uninstall.exe" QuickSet-->C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly RDM+ 4.1-->C:\Program Files\RDM+\rdmp_uninstall.exe Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe" Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe" Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe" Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe" Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe" Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe" Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe" Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe" Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe" Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe" Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe" Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe" Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe" Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe" Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe" Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe" Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe" Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe" Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe" Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe" Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe" Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe" Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe" Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe" Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe" Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe" Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe" Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe" Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe" Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe" Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe" Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe" Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe" Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe" Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe" Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe" Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe" Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe" Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe" Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe" Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe" Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe" Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe" Security Update for Windows XP (KB977165-v2)-->"C:\WINDOWS\$NtUninstallKB977165-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe" Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe" Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe" Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe" Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe" Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe" Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe" Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe" Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe" Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe" Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe" SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly Sound Blaster ADVANCED MB Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{943884D4-B604-496F-B132-DFA9C63FAF6A}\setup.exe" -l0x9 /remove Sound Blaster Audigy ADVANCED MB-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}\SETUP.EXE" -l0x9 /remove Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe" Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3} Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall SyncBackSE-->"C:\Program Files\2BrightSparks\SyncBackSE\unins000.exe" TeraCopy 2.12-->"C:\Program Files\TeraCopy\unins000.exe" TightVNC 1.2.9-->"C:\Program Files\TightVNC\unins000.exe" Trillian-->C:\Program Files\Trillian\Trillian.exe /uninstall Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT="" Update for Microsoft Windows (KB971513)-->"C:\WINDOWS\$NtUninstallKB971513$\spuninst\spuninst.exe" Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe" Update for Windows Internet Explorer 8 (KB978506)-->"C:\WINDOWS\ie8updates\KB978506-IE8\spuninst\spuninst.exe" Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe" Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe" Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe" Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe" Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe" Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe" Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe" Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe" Update for Windows XP (KB978207)-->"C:\WINDOWS\$NtUninstallKB978207$\spuninst\spuninst.exe" VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421} Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F} VLC media player 1.0.5-->C:\Program Files\VideoLAN\VLC\uninstall.exe Vuze-->C:\Program Files\Vuze\uninstall.exe WhatPulse 1.6.2.1-->C:\Program Files\WhatPulse\uninst.exe WIDCOMM Bluetooth Software-->MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6} Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401} Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\dpinst.exe /us C:\PROGRA~1\DIFX\UninstallScripts\4569969E1360D2854474C661EF9B4D54F143EB16 Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe" Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe" Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe" ======Hosts File====== 67.159.55.30 torrentfluxtest.com 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com ======Security center information====== AV: AVG Anti-Virus Free ======System event log====== Computer Name: THEWIRD-4B16345 Event Code: 20 Message: Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- mxdwdrv.dll, unidrvui.dll, mxdwdui.gpd, unidrv.hlp, mxdwdui.dll, mxdwdui.ini, stddtype.gdl, stdnames.gpd, stdschem.gdl, stdschmx.gdl, unidrv.dll, unires.dll, XpsSvcs.dll. Record Number: 212 Source Name: Print Time Written: 20100305170938.000000-300 Event Type: warning User: NT AUTHORITY\SYSTEM Computer Name: THEWIRD-4B16345 Event Code: 20 Message: Printer Driver hp deskjet 940c for Windows NT x86 Version-3 was added or updated. Files:- (null). Record Number: 94 Source Name: Print Time Written: 20100305164816.000000-300 Event Type: warning User: NT AUTHORITY\SYSTEM Computer Name: THEWIRD-4B16345 Event Code: 1073 Message: The attempt to reboot THEWIRD-4B16345 failed Record Number: 50 Source Name: USER32 Time Written: 20100305162244.000000-300 Event Type: warning User: NT AUTHORITY\SYSTEM Computer Name: THEWIRD-4B16345 Event Code: 2504 Message: The server could not bind to the transport \Device\NetBT_Tcpip_{A261070D-6625-473B-ACC7-92A7F6027472}. Record Number: 34 Source Name: Server Time Written: 20100305161940.000000-300 Event Type: warning User: Computer Name: THEWIRD-4B16345 Event Code: 20 Message: Printer Driver hp deskjet 940c for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, HPFDJ940.GPD, UNIDRV.HLP, HPFUD50.DLL, UNIRES.DLL, HPFDJ50.INI, HPFUI50.DLL, HPFIMG50.DLL, HPF940AL.DLL, HPFDJ94X.GPD, HPFDJ200.HLP, HPFNAM50.GPD, STDNAMES.GPD. Record Number: 31 Source Name: Print Time Written: 20100305161744.000000-300 Event Type: warning User: NT AUTHORITY\SYSTEM =====Application event log===== Computer Name: THEWIRD-4B16345 Event Code: 5603 Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality. Record Number: 18 Source Name: WinMgmt Time Written: 20100305161044.000000-300 Event Type: warning User: NT AUTHORITY\SYSTEM Computer Name: THEWIRD-4B16345 Event Code: 5603 Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality. Record Number: 17 Source Name: WinMgmt Time Written: 20100305161044.000000-300 Event Type: warning User: NT AUTHORITY\SYSTEM Computer Name: THEWIRD-4B16345 Event Code: 63 Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Record Number: 13 Source Name: WinMgmt Time Written: 20100305160853.000000-300 Event Type: warning User: NT AUTHORITY\SYSTEM Computer Name: THEWIRD-4B16345 Event Code: 63 Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Record Number: 12 Source Name: WinMgmt Time Written: 20100305160853.000000-300 Event Type: warning User: NT AUTHORITY\SYSTEM Computer Name: THEWIRD-4B16345 Event Code: 63 Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Record Number: 11 Source Name: WinMgmt Time Written: 20100305160852.000000-300 Event Type: warning User: NT AUTHORITY\SYSTEM ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem "windir"=%SystemRoot% "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=6 "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel "PROCESSOR_REVISION"=0f06 "NUMBER_OF_PROCESSORS"=2 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP -----------------EOF-----------------
thewird
Hi thewird.
Please don't post the logs with Quote in you're replies.
I have the logs from when it actually found stuff and removed it if you want me to post those
I see you have run TDSSKiller also so post the logs from those scans plus the last couple of malwarebytes logs where anything was removed.
The TDSSKiller logs are at C:\TDSSKiller.
Please Download LockSearch (http://jpshortstuff.247fixes.com/LockSearch.exe) to your desktop.
A window will pop up, Press 2 and then Enter. A scan will start, let it run uninterrupted. It should only take a few minutes.
A log will appear when it is finished, it will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply.
Next.
Disable Windows Defender
Go to Start > All Programs > Windows Defender.
Click on Tools at the top.
Under Settings, click on Options.
Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended) box.
Under Real-time protection options, uncheck (untick) Use real-time protection (recommended) box.
Click on the Save button at the bottom right hand corner.
Note: Please do not Re-enabling this until i tell you to do so.
Next.
Please download GMER Rootkit Scanner from Here (http://www.gmer.net/download.php).
Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All << (don't miss this one)
See image below, Click the image to enlarge it
http://i28.photobucket.com/albums/c227/tetonbob/gmer_th.gif (http://i28.photobucket.com/albums/c227/tetonbob/gmer_screen2-1.gif)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in your next reply**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Note: Do not run any programs while Gmer is running.
Logs/Information to Post in your Next Reply
TDSSkiller and MBAM logs.
LockSearch log.
Gmer.txt log.
*** For some reason my computer didn't like your GMER program. It would keep freezing and I had to run it quite a few times to get the log.
LockSearch by jpshortstuff (05.11.09.1)
Log created at 12:54 on 25/04/2010 (thewird)
Scanning C:\
C:\pagefile.sys
-------------------------
C:\WINDOWS\system32\drivers\sptd.sys
-------------------------
C:\WINDOWS\system32\drivers\sptd.sys [Unable to get md5 : 691696 bytes]
-=E.O.F=-
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4019
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
4/21/2010 7:34:30 PM
mbam-log-2010-04-21 (19-34-30).txt
Scan type: Quick scan
Objects scanned: 110736
Time elapsed: 2 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.CodecPack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newupdate1142c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewrgetuj (Worm.Prolaco.M) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\thewird\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\thewird\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\thewird\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\thewird\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\thewird\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\thewird\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\thewird\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\thewird\Local Settings\Temp\wanmescxor.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\thewird\Local Settings\Temp\Xhg.exe (Trojan.CodecPack) -> Quarantined and deleted successfully.
C:\WINDOWS\Xzypya.exe (Trojan.CodecPack) -> Quarantined and deleted successfully.
C:\Documents and Settings\thewird\Local Settings\Temp\Xhf.exe (Trojan.CodecPack) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\thewird\Local Settings\Temp\mxwscroena.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00000908.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4019
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
4/22/2010 12:11:56 PM
mbam-log-2010-04-22 (12-11-56).txt
Scan type: Full scan (C:\|)
Objects scanned: 307801
Time elapsed: 1 hour(s), 10 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{11C412CE-C0D1-4EEC-B786-F684F8727C5A}\RP119\A0014344.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11C412CE-C0D1-4EEC-B786-F684F8727C5A}\RP127\A0015899.exe (Trojan.CodecPack) -> Quarantined and deleted successfully.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 14:29:35
Windows 5.1.2600 Service Pack 3
Running: tm714v9p.exe; Driver: C:\DOCUME~1\thewird\LOCALS~1\Temp\kgwirpog.sys
---- System - GMER 1.0.15 ----
SSDT spkt.sys ZwCreateKey [0xB7EB50E0]
SSDT spkt.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spkt.sys ZwEnumerateValueKey [0xB7ECE132]
SSDT spkt.sys ZwOpenKey [0xB7EB50C0]
SSDT spkt.sys ZwQueryKey [0xB7ECE20A]
SSDT spkt.sys ZwQueryValueKey [0xB7ECE08A]
SSDT spkt.sys ZwSetValueKey [0xB7ECE29C]
INT 0x62 ? 8A698BF8
INT 0x74 ? 8A707BF8
INT 0x82 ? 8A698BF8
INT 0x84 ? 8A707BF8
INT 0x94 ? 8A707BF8
---- Kernel code sections - GMER 1.0.15 ----
? spkt.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6C8F360, 0x33AACD, 0xE8000020]
.text USBPORT.SYS!DllUnload B6BC18AC 5 Bytes JMP 8A7071D8
.text amq3q81e.SYS B6AA5386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text amq3q81e.SYS B6AA53AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text amq3q81e.SYS B6AA53C4 3 Bytes [00, 80, 02]
.text amq3q81e.SYS B6AA53C9 1 Byte [30]
.text amq3q81e.SYS B6AA53C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB469C280]
.rsrc C:\WINDOWS\System32\drivers\afd.sys entry point in ".rsrc" section [0xB4479C94]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[176] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[176] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[176] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006C000C
.text C:\Program Files\Xfire\Xfire.exe[2172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 039F0136 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 039EFADA C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 039EF552 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 039EF4B7 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 039EF423 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!CreateDialogParamW 7E41EA3B 5 Bytes JMP 039EFC25 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 039EFD73 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 039EFB81 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!InvalidateRect 7E428FD5 5 Bytes JMP 039EF69A C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 039EF38F C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 039EF86E C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 039EF906 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!RedrawWindow 7E429944 5 Bytes JMP 039EF9A1 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 039EFCC9 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!IsWindowVisible 7E429E3D 7 Bytes JMP 039EFEC4 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!SetFocus 7E42B112 5 Bytes JMP 039EF602 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!SetCapture 7E42C35E 5 Bytes JMP 039EF7D6 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!InvalidateRgn 7E42CDFE 5 Bytes JMP 039EF738 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 039EFE0B C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!RegisterClassA 7E42EA5E 5 Bytes JMP 039EFA42 C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Xfire\Xfire.exe[2172] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 039F008C C:\Program Files\Xfire\xfire_toucan_42424.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[3588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[3588] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[3588] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A7061F8
Device \FileSystem\Fastfat \FatCdrom 8A178500
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\usbuhci \Device\USBPDO-0 8A3C0500
Device \Driver\usbuhci \Device\USBPDO-1 8A3C0500
Device \Driver\usbuhci \Device\USBPDO-2 8A3C0500
Device \Driver\usbehci \Device\USBPDO-3 8A3BF500
Device \Driver\PCI_PNP6330 \Device\00000055 spkt.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7081F8
Device \Driver\Cdrom \Device\CdRom0 8A44B1F8
Device \Driver\atapi \Device\Ide\IdePort0 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8A44B1F8
Device \Driver\sptd \Device\2810281330 spkt.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A13E500
Device \Driver\NetBT \Device\NetBT_Tcpip_{A261070D-6625-473B-ACC7-92A7F6027472} 8A13E500
Device \Driver\NetBT \Device\NetbiosSmb 8A13E500
Device \Driver\USBSTOR \Device\00000092 8A1711F8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 8A3C0500
Device \Driver\usbuhci \Device\USBFDO-1 8A3C0500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A15F1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A3C0500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A15F1F8
Device \Driver\usbehci \Device\USBFDO-3 8A3BF500
Device \Driver\Ftdisk \Device\FtControl 8A7081F8
Device \Driver\amq3q81e \Device\Scsi\amq3q81e1Port2Path0Target0Lun0 8A33A1F8
Device \Driver\amq3q81e \Device\Scsi\amq3q81e1 8A33A1F8
Device \FileSystem\Fastfat \Fat 8A178500
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 897001F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 898D4AC8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA5 0xD7 0x28 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA3 0x48 0x04 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6D 0x33 0xB9 0xCE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA5 0xD7 0x28 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA3 0x48 0x04 0x1F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6D 0x33 0xB9 0xCE ...
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\System32\drivers\afd.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Hi thewird.
For some reason my computer didn't like your GMER program.
Unfortunately Gmer will cause some problems on some systems.
We are getting somewhere now please continue with the instructions below.
Back Up registry with ERUNT
Please use the following link and download ERUNT to your desktop. HERE (http://www.derfisch.de/lars/erunt-setup.exe)
Click on the erunt-setup.exe
Follow the prompts to install ERUNT
Choose language
A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO
http://i219.photobucket.com/albums/cc99/BioHazard_030/erunt.png
Backup your registry to the default location
Note: To restore your registry (if needed), go to the folder and start ERDNT.exe
Next
Download and Run ComboFix
Please download ComboFix from one of the following links.
Link 1. (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2. (http://www.forospyware.com/sUBs/ComboFix.exe)
**IMPORTANT !!! Save ComboFix.exe to your Desktop**
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Double click on ComboFix.exe & follow the prompts
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Consolehttp://img.photobucket.com/albums/v666/sUBs/Query_RC.gif
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Logs/Information to Post in your Next Reply
ComboFix log.
Please give me an update on your computers performance.
All my mentioned problems seem to have gone away. I can now access windows update and its no longer intercepting my google searches related to virus's or blocking post requests with certain keywords (i tried posting the same post I had issues with earlier). Seems its gone as far as I can tell but its only been a short while.
I noticed got rid of my Flashget. Did it do this accurately? I never thought that would be the cause of anything and have used Flashget for years. Although I've only been using version 3 since I reinstalled on my new drive ~2 months ago.
ComboFix 10-04-21.01 - thewird 04/25/2010 15:16:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2689 [GMT -4:00]
Running from: c:\documents and settings\thewird\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\thewird\LOCALS~1\Temp\clclean.0001.dir.0011\~df394b.tmp
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\thewird\Application Data\BITS
c:\documents and settings\thewird\Application Data\BITS\BITS.ini
c:\documents and settings\thewird\Application Data\BITS\DHTTable.dat
c:\documents and settings\thewird\Application Data\BITS\ProxyList.ini
c:\documents and settings\thewird\Application Data\BITS\UPnP.ini
c:\documents and settings\thewird\Application Data\FlashGetBHO
c:\documents and settings\thewird\Application Data\FlashGetBHO\FlashGetBHO3.dll
c:\documents and settings\thewird\Application Data\FlashGetBHO\FlashGetHook.dll
c:\documents and settings\thewird\Application Data\FlashGetBHO\GetAllUrl.htm
c:\documents and settings\thewird\Application Data\FlashGetBHO\GetUrl.htm
c:\documents and settings\thewird\Local Settings\Temp\clclean.0001.dir.0011\~df394b.tmp
c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet 3\adns.dll
c:\program files\FlashGet Network\FlashGet 3\btcoreu.dll
c:\program files\FlashGet Network\FlashGet 3\BugReport.dll
c:\program files\FlashGet Network\FlashGet 3\BugReport.exe
c:\program files\FlashGet Network\FlashGet 3\cd1.ico
c:\program files\FlashGet Network\FlashGet 3\ckcore.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\14_43260.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\28_83260.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\atrc.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\Codecs.zip
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\cook.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\ddnt3260.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\dnet3260.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\drv1.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\drv2.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\drvc.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\hxltcolor.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\raac.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\ralf.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\rv10.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\rv20.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\rv30.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\rv40.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\sipr.dll
c:\program files\FlashGet Network\FlashGet 3\commonlib.dll
c:\program files\FlashGet Network\FlashGet 3\componentskrnl.dll
c:\program files\FlashGet Network\FlashGet 3\config\clients.met
c:\program files\FlashGet Network\FlashGet 3\config\clients.met.bak
c:\program files\FlashGet Network\FlashGet 3\config\cryptkey.dat
c:\program files\FlashGet Network\FlashGet 3\config\emfriends.met
c:\program files\FlashGet Network\FlashGet 3\config\known.met
c:\program files\FlashGet Network\FlashGet 3\config\known2_64.met
c:\program files\FlashGet Network\FlashGet 3\config\preferences.dat
c:\program files\FlashGet Network\FlashGet 3\config\preferences.ini
c:\program files\FlashGet Network\FlashGet 3\config\server.met
c:\program files\FlashGet Network\FlashGet 3\config\server_met.old
c:\program files\FlashGet Network\FlashGet 3\config\upload.met
c:\program files\FlashGet Network\FlashGet 3\corestat.dll
c:\program files\FlashGet Network\FlashGet 3\dat\Appsetting.cfg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_33665566.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_4-L.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_5-04400194A.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_5_4504_1.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_csqyz010315.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_icon01.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_icon03.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_icon04.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_leifeng12.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_logo.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_paidangzhentan12.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\client_WuBiaoTi-2.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\dian.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\directui_new_1270777588.zip
c:\program files\FlashGet Network\FlashGet 3\dat\directui\gameall.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\gametop.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\newgame.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\newmovie.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p1.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p2.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p3.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p4.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p5.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p6.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p7.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\p8.gif
c:\program files\FlashGet Network\FlashGet 3\dat\directui\reom.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\rescenter.txt
c:\program files\FlashGet Network\FlashGet 3\dat\directui\soft.jpg
c:\program files\FlashGet Network\FlashGet 3\dat\directui\tab.gif
c:\program files\FlashGet Network\FlashGet 3\dat\FlashGet3db.bak
c:\program files\FlashGet Network\FlashGet 3\dat\FlashGet3db.db
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\domain_url_list_en.zip
c:\program files\FlashGet Network\FlashGet 3\dat\stat\advertisement\port.ini
c:\program files\FlashGet Network\FlashGet 3\dat\stat\skinpreview\preview_blue.png
c:\program files\FlashGet Network\FlashGet 3\dat\stat\skinpreview\preview_classic.png
c:\program files\FlashGet Network\FlashGet 3\dat\stat\skinpreview\preview_white.png
c:\program files\FlashGet Network\FlashGet 3\dat\stat\statdata\statinfo.dat
c:\program files\FlashGet Network\FlashGet 3\dbghelp.dll
c:\program files\FlashGet Network\FlashGet 3\fg.ico
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\default.htm
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\FGResDetector.conf
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\banner.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\bullet.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\close.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\closelabel.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\download-icon.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\explorer.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\ftp.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\image.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\introTextBg.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\loading.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\nextlabel.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\prevlabel.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\software.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\vod.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\FGResDetector.exe
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\about.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\ftplist_tree_icon.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\option_icon.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\quickop_hide.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\quickop_show.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\statusbar_bk.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\tasktab_close.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_back.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_bk.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_close.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_forward.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_refresh.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\lang\l.eng.xml
c:\program files\FlashGet Network\FlashGet 3\FGSoftware.exe
c:\program files\FlashGet Network\FlashGet 3\Flashget3.exe
c:\program files\FlashGet Network\FlashGet 3\FlashGet3.xpi
c:\program files\FlashGet Network\FlashGet 3\FlashGetBHO3.dll
c:\program files\FlashGet Network\FlashGet 3\FlashGetHook.dll
c:\program files\FlashGet Network\FlashGet 3\fnsArchive.dll
c:\program files\FlashGet Network\FlashGet 3\fnsDirectuix.dll
c:\program files\FlashGet Network\FlashGet 3\fnsLanguage.dll
c:\program files\FlashGet Network\FlashGet 3\fnslanguage_en.dll
c:\program files\FlashGet Network\FlashGet 3\fnsScheduler.dll
c:\program files\FlashGet Network\FlashGet 3\fnsSecurity.dll
c:\program files\FlashGet Network\FlashGet 3\fnsSkinX.dll
c:\program files\FlashGet Network\FlashGet 3\fnsStatistics.dll
c:\program files\FlashGet Network\FlashGet 3\game.ico
c:\program files\FlashGet Network\FlashGet 3\gb2312-unicode.dic
c:\program files\FlashGet Network\FlashGet 3\gdiplus.dll
c:\program files\FlashGet Network\FlashGet 3\GetAllUrl.htm
c:\program files\FlashGet Network\FlashGet 3\GetUrl.htm
c:\program files\FlashGet Network\FlashGet 3\GoogleToolbarInstaller_download_signed.exe
c:\program files\FlashGet Network\FlashGet 3\libem.dll
c:\program files\FlashGet Network\FlashGet 3\license.txt
c:\program files\FlashGet Network\FlashGet 3\lst_tz.bin
c:\program files\FlashGet Network\FlashGet 3\P2PCfg.ini
c:\program files\FlashGet Network\FlashGet 3\p2pcore.dll
c:\program files\FlashGet Network\FlashGet 3\p2score.dll
c:\program files\FlashGet Network\FlashGet 3\perf.ini
c:\program files\FlashGet Network\FlashGet 3\pncrt.dll
c:\program files\FlashGet Network\FlashGet 3\pstat.dat
c:\program files\FlashGet Network\FlashGet 3\pup.dat
c:\program files\FlashGet Network\FlashGet 3\RdOldDb.dll
c:\program files\FlashGet Network\FlashGet 3\RealMediaSplitter.ax
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\BarSet.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\btn_check.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\btn_normal.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\btn_radio.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\desktoplink.ico
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\login_line.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\menu_icon.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\option_line.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\option_page_line.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\skin.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\SuspendLogo.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\SuspendNoLogo.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_backgrand.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_cancle.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_catgroy.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_group.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_new.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_open.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_option.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_pause.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_recly.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_start.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbarbutton_left.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbarbutton_middle.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbarbutton_right.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\top_logotitle.gif
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\torrent.ico
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\userinfo_head.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\VistaStyleListItems.bmp
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\preview.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\skin.xml
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\sound\loginfailed.wav
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\sound\loginsucc.wav
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\sound\msgnotify.wav
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\sound\notify.wav
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\topmain.png
c:\program files\FlashGet Network\FlashGet 3\SnapShot.dll
c:\program files\FlashGet Network\FlashGet 3\storage.dll
c:\program files\FlashGet Network\FlashGet 3\SysOptimize.exe
c:\program files\FlashGet Network\FlashGet 3\uninst.exe
c:\program files\FlashGet Network\FlashGet 3\VodCore.dll
c:\program files\FlashGet Network\FlashGet 3\zlib.dll
c:\program files\Internet Explorer\SET21C.tmp
c:\program files\Internet Explorer\SET21D.tmp
c:\windows\system32\Data
c:\windows\system32\drivers\1028_DELL_XPS_MXG061 .MRK
c:\windows\system32\drivers\DELL_XPS_MXG061 .MRK
c:\windows\system32\secustat.dat
c:\windows\system32\uninstall.exe
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
.
2010-04-25 19:02 . 2010-04-25 19:02 -------- d-----w- c:\program files\ERUNT
2010-04-25 06:05 . 2010-04-25 06:05 -------- d-----w- C:\rsit
2010-04-23 21:14 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-23 21:12 . 2010-04-23 21:12 -------- d-----w- c:\program files\Windows Defender
2010-04-23 20:59 . 2010-04-23 20:59 -------- d-----w- c:\program files\Alwil Software
2010-04-23 20:59 . 2010-04-23 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-23 20:54 . 2010-04-23 20:54 503808 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697adea1-n\msvcp71.dll
2010-04-23 20:54 . 2010-04-23 20:54 499712 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697adea1-n\jmc.dll
2010-04-23 20:54 . 2010-04-23 20:54 348160 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697adea1-n\msvcr71.dll
2010-04-23 20:54 . 2010-04-23 20:54 -------- d-----w- c:\program files\Common Files\Java
2010-04-23 20:54 . 2010-04-23 20:54 61440 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42356531-n\decora-sse.dll
2010-04-23 20:54 . 2010-04-23 20:54 12800 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42356531-n\decora-d3d.dll
2010-04-23 20:53 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-23 16:57 . 2010-04-23 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-23 16:57 . 2010-04-23 18:17 -------- d-----w- c:\documents and settings\thewird\Application Data\SUPERAntiSpyware.com
2010-04-23 16:57 . 2010-04-23 18:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-23 16:41 . 2010-04-23 16:52 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-22 13:03 . 2010-04-22 13:03 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-22 13:02 . 2010-04-22 13:02 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-22 00:44 . 2010-04-22 00:44 -------- d-----w- c:\documents and settings\thewird\Local Settings\Application Data\Threat Expert
2010-04-21 23:31 . 2010-04-21 23:31 -------- d-----w- c:\documents and settings\thewird\Application Data\Malwarebytes
2010-04-21 23:31 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-21 23:30 . 2010-04-21 23:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 23:30 . 2010-04-21 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-21 23:30 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 23:20 . 2010-04-22 17:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-21 16:12 . 2010-04-25 06:05 -------- d-----w- c:\program files\Trend Micro
2010-04-21 16:12 . 2010-04-21 16:12 388096 ----a-r- c:\documents and settings\thewird\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-21 16:07 . 2010-04-21 16:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-21 14:58 . 2010-04-23 07:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-21 14:58 . 2010-04-21 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-21 01:01 . 2010-04-21 01:01 -------- d-----w- C:\spoolerlogs
2010-04-21 00:47 . 2010-04-21 00:47 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-21 00:47 . 2010-04-21 00:47 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-20 04:23 . 2010-04-20 04:23 -------- d-----w- c:\program files\Gameforge4D
2010-04-20 04:23 . 2004-05-10 16:14 118272 ----a-w- c:\windows\system32\SX5363S.DLL
2010-04-20 04:23 . 2004-05-10 16:14 102400 ----a-w- c:\windows\system32\RV32RTP.dll
2010-04-19 22:33 . 2010-04-19 22:33 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 13:35 . 2010-04-21 00:47 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-19 13:32 . 2010-04-19 13:32 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-04-19 13:31 . 2010-04-19 13:31 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-04-19 13:31 . 2010-04-19 13:31 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-04-19 13:31 . 2010-04-19 13:31 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-04-19 13:29 . 2010-04-21 00:46 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-16 20:26 . 2010-04-16 20:26 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-04-14 23:36 . 2010-04-14 23:37 -------- d-----w- c:\program files\RDM+
2010-04-09 18:14 . 2010-04-09 18:14 -------- d-----w- c:\windows\Performance
2010-04-09 18:14 . 2010-04-09 18:14 -------- d-----w- c:\documents and settings\thewird\Local Settings\Application Data\Microsoft Corporation
2010-04-08 13:30 . 2010-04-08 13:30 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-02 12:08 . 2010-04-02 12:08 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-02 12:08 . 2010-04-02 12:08 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-02 12:08 . 2010-04-02 12:08 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-02 12:08 . 2010-04-02 12:08 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-02 12:08 . 2010-04-02 12:08 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-02 12:08 . 2010-04-02 12:08 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-02 12:08 . 2010-04-02 12:08 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-02 12:08 . 2010-04-02 12:08 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-02 12:08 . 2010-04-02 12:08 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-02 12:08 . 2010-04-02 12:08 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-02 12:08 . 2010-04-02 12:08 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-30 07:29 . 2010-04-21 00:46 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-03-30 07:29 . 2010-04-21 00:46 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-03-30 07:29 . 2010-03-06 13:20 500400 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Web Player\DivXWebPlayerUninstall.exe
2010-03-30 07:29 . 2010-03-30 07:29 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-03-30 07:29 . 2010-03-30 07:29 -------- d-----w- c:\documents and settings\thewird\Application Data\DivX
2010-03-30 07:29 . 2010-03-30 07:29 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-03-30 07:29 . 2010-03-30 07:29 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-03-30 07:29 . 2010-03-30 07:29 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-30 07:29 . 2010-03-30 07:29 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-30 07:26 . 2010-04-21 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 19:03 . 2010-03-05 22:08 -------- d-----w- c:\program files\Trillian
2010-04-25 08:17 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-04-25 07:56 . 2010-03-05 21:42 -------- d-----w- c:\program files\Warcraft III
2010-04-25 05:33 . 2010-03-05 21:25 89917 ----a-w- c:\windows\system32\nvModes.dat
2010-04-23 21:54 . 2010-03-06 02:49 -------- d-----w- c:\documents and settings\thewird\Application Data\Xfire
2010-04-23 20:53 . 2010-03-06 11:54 -------- d-----w- c:\program files\Java
2010-04-23 20:47 . 2004-08-04 10:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-23 18:17 . 2010-03-05 21:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-23 06:02 . 2010-03-05 23:16 -------- d-----w- c:\documents and settings\thewird\Application Data\TeraCopy
2010-04-23 00:42 . 2010-03-06 12:04 -------- d-----w- c:\program files\DivX
2010-04-22 20:28 . 2010-03-06 02:49 -------- d-----w- c:\program files\Xfire
2010-04-22 13:03 . 2010-03-08 13:05 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-21 20:29 . 2010-03-05 21:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-21 14:18 . 2010-03-08 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-20 06:37 . 2010-03-12 16:52 -------- d-----w- c:\documents and settings\thewird\Application Data\vlc
2010-04-13 12:40 . 2009-10-27 10:36 181096 ----a-w- c:\documents and settings\thewird\Application Data\Mozilla\Firefox\Profiles\5fonlhdr.default\FlashGot.exe
2010-04-13 04:47 . 2010-03-06 14:18 1477 ----a-w- c:\windows\system32\secushr.dat
2010-03-31 01:58 . 2010-03-10 17:29 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-03-31 01:58 . 2010-03-10 17:29 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-03-31 01:58 . 2010-03-10 17:29 44944 ----a-w- c:\windows\system32\drivers\PxHelp20.sys
2010-03-31 01:58 . 2010-03-10 17:29 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2010-03-10 17:29 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2010-03-10 17:29 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-30 07:29 . 2010-03-06 13:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-26 03:17 . 2010-03-26 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-03-26 01:30 . 2010-03-26 01:30 -------- d-----w- c:\documents and settings\thewird\Application Data\Mael
2010-03-26 01:21 . 2010-03-26 01:21 -------- d-----w- c:\program files\HxD
2010-03-23 23:54 . 2010-03-12 16:52 -------- d-----w- c:\documents and settings\thewird\Application Data\dvdcss
2010-03-23 19:25 . 2010-03-05 21:27 72800 ----a-w- c:\documents and settings\thewird\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-23 19:24 . 2010-03-23 19:24 -------- d-----w- c:\program files\Common Files\L&H
2010-03-23 19:23 . 2010-03-23 19:23 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-03-23 19:23 . 2010-03-23 19:23 -------- d-----w- c:\program files\Microsoft Works
2010-03-23 19:21 . 2010-03-23 19:21 -------- d-----w- c:\program files\Microsoft.NET
2010-03-23 07:02 . 2010-03-06 21:39 -------- d-----w- c:\program files\PokerStars
2010-03-19 11:38 . 2010-03-19 11:35 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-03-19 06:07 . 2010-03-19 06:07 -------- d-----w- c:\program files\WIDCOMM
2010-03-19 04:46 . 2010-03-05 22:23 -------- d-----w- c:\program files\Creative
2010-03-19 04:46 . 2010-03-05 22:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-19 04:30 . 2010-03-19 04:30 -------- d-----w- c:\documents and settings\thewird\Application Data\Creative
2010-03-19 04:09 . 2010-03-19 04:09 -------- d-----w- c:\program files\SigmaTel
2010-03-19 04:02 . 2010-03-19 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative Labs
2010-03-19 04:01 . 2010-03-19 04:01 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2010-03-18 10:19 . 2010-03-18 00:52 256 ----a-w- c:\windows\system32\pool.bin
2010-03-18 07:34 . 2010-03-06 14:25 -------- d-----w- c:\program files\Steam
2010-03-18 00:52 . 2010-03-18 00:52 -------- d-----w- c:\documents and settings\thewird\Application Data\Research In Motion
2010-03-18 00:52 . 2010-03-18 00:52 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-03-18 00:52 . 2010-03-18 00:52 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-03-18 00:52 . 2010-03-18 00:52 -------- d-----w- c:\program files\Research In Motion
2010-03-15 04:38 . 2010-03-15 04:37 -------- d-----w- c:\program files\BulletProof FTP Client 2009
2010-03-14 23:56 . 2010-03-14 22:28 -------- d-----w- c:\documents and settings\thewird\Application Data\Azureus
2010-03-14 22:28 . 2010-03-14 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-03-14 22:27 . 2010-03-14 22:27 -------- d-----w- c:\program files\Vuze
2010-03-14 18:00 . 2010-03-19 11:35 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-03-12 16:50 . 2010-03-12 16:50 -------- d-----w- c:\program files\VideoLAN
2010-03-12 16:26 . 2010-03-12 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Elaborate Bytes
2010-03-12 16:26 . 2010-03-12 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2010-03-12 16:25 . 2010-03-12 16:25 -------- d-----w- c:\program files\Elaborate Bytes
2010-03-12 16:25 . 2010-03-12 16:25 -------- d-----w- c:\program files\SlySoft
2010-03-12 02:13 . 2010-03-12 02:13 -------- d-----w- c:\documents and settings\thewird\Application Data\XenSource
2010-03-11 20:36 . 2010-03-05 21:46 77606 ----a-w- c:\windows\War3Unin.dat
2010-03-10 18:04 . 2010-03-10 18:02 -------- d-----w- c:\documents and settings\thewird\Application Data\Canon
2010-03-10 17:36 . 2010-03-10 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-10 17:35 . 2010-03-10 17:35 -------- d-----w- c:\program files\2BrightSparks
2010-03-10 17:31 . 2010-03-07 17:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-10 17:31 . 2010-03-10 17:31 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-03-10 17:11 . 2010-03-10 17:11 -------- d-----w- c:\program files\PowerISO
2010-03-10 16:47 . 2010-03-10 16:15 -------- d-----w- c:\documents and settings\thewird\Application Data\DAEMON Tools Lite
2010-03-10 16:45 . 2010-03-10 16:16 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-10 16:16 . 2010-03-10 16:16 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-10 16:15 . 2010-03-10 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-03-10 16:08 . 2010-03-10 16:06 -------- d-----w- c:\program files\FC Edit Universal
2010-03-10 16:06 . 2010-03-10 16:04 249856 ------w- c:\windows\Setup1.exe
2010-03-10 16:06 . 2010-03-10 16:04 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-03-10 06:15 . 2004-08-04 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 04:38 . 2010-03-06 01:16 -------- d-----w- c:\documents and settings\thewird\Application Data\Ventrilo
2010-03-08 13:05 . 2010-03-08 13:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-08 13:05 . 2010-03-08 13:05 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-08 13:05 . 2010-03-08 13:05 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-08 13:05 . 2010-03-08 13:05 -------- d-----w- c:\program files\AVG
2010-03-07 11:09 . 2010-03-07 11:09 -------- d-----w- c:\program files\TightVNC
2010-03-06 14:17 . 2010-03-06 14:17 -------- d-----w- c:\documents and settings\thewird\Application Data\FlashGet
2010-03-06 13:06 . 2010-03-06 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-06 12:56 . 2010-03-06 12:56 152576 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-06 12:56 . 2010-03-06 12:56 79488 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-06 11:54 . 2010-03-06 11:54 152576 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-03-06 10:51 . 2010-03-06 10:51 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-03-06 10:28 . 2010-03-05 22:24 -------- d-----w- c:\program files\Intel
2010-03-06 03:17 . 2010-03-06 03:16 -------- d-----w- c:\documents and settings\thewird\Application Data\WhatPulse
2010-03-06 03:17 . 2010-03-06 03:16 -------- d-----w- c:\program files\WhatPulse
2010-03-06 03:12 . 2010-03-06 03:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2010-03-06 03:09 . 2010-03-06 03:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2010-03-06 01:16 . 2010-03-06 01:16 -------- d-----w- c:\program files\Ventrilo
2010-03-06 00:26 . 2007-08-11 00:57 -------- d-----w- c:\program files\XenSource
2010-03-05 23:16 . 2010-03-05 23:16 -------- d-----w- c:\program files\TeraCopy
2010-03-05 22:39 . 2010-03-05 22:06 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-05 22:29 . 2010-03-05 22:29 -------- d-----w- c:\program files\I8kfanGUI
2010-03-05 22:26 . 2010-03-05 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-03-05 22:26 . 2010-03-05 22:23 -------- d-----w- c:\program files\Dell
2010-03-05 22:25 . 2010-03-05 22:25 -------- d-----w- c:\program files\DIFX
2010-03-05 22:23 . 2010-03-05 22:23 -------- d-----w- c:\documents and settings\thewird\Application Data\InstallShield
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
"WhatPulse"="c:\program files\WhatPulse\WhatPulse.exe" [2009-04-08 2814976]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"nwiz"="nwiz.exe" [2009-01-30 1657376]
"NVHotkey"="nvHotkey.dll" [2009-01-30 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-01-04 1355181]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
c:\documents and settings\thewird\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2010-2-10 1930592]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-4-16 3438992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-08 13:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RDM+]
2009-05-29 11:30 61440 ----a-w- c:\program files\RDM+\notify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Documents and Settings\\thewird\\Desktop\\gproxyplusplus_ptr_windows_1.0\\gproxy.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\program files\Gameforge4D\AirRivals_EN\Launcher.atm"= c:\program files\Gameforge4D\AirRivals_EN\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals_EN\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals_EN\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\WINDOWS\\system32\\spoolsv.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2010 9:05 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2010 9:05 AM 242896]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [3/5/2010 6:29 PM 14464]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/8/2010 9:05 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/8/2010 9:05 AM 308064]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [5/29/2009 7:31 AM 31896]
S0 tmucil;tmucil; [x]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 RDMPLocalService;RDM+ Local Service;c:\program files\RDM+\rdmpserv.exe [3/22/2010 2:19 AM 813568]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/10/2010 12:16 PM 691696]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
Trusted Zone: live.com\onecare
FF - ProfilePath - c:\documents and settings\thewird\Application Data\Mozilla\Firefox\Profiles\5fonlhdr.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&p=
FF - component: c:\documents and settings\thewird\Application Data\Mozilla\Firefox\Profiles\5fonlhdr.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}\components\FlashgetXpi.dll
FF - plugin: c:\documents and settings\thewird\Application Data\Mozilla\Firefox\Profiles\5fonlhdr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
SafeBoot-klmdb.sys
AddRemove-FlashGet 3.3 - c:\program files\FlashGet Network\FlashGet 3\uninst.exe
AddRemove-SLABCOMM - c:\windows\system32\uninstall.exe
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\program files\RDM+\notify.dll
.
Completion time: 2010-04-25 15:20:02
ComboFix-quarantined-files.txt 2010-04-25 19:20
Pre-Run: 68,578,779,136 bytes free
Post-Run: 69,148,110,848 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 972BB74F9F9E3D556A274FDFA7B023AC
Hi thewird.
I noticed got rid of my Flashget. Did it do this accurately
Possibly a false deletion by ComboFix if you wish you can reinstall it once you're system is clean.
You have a TDL3 rootkit infection so stay with me we have more work to do.
Disable AVG9
Open AVG User Interface.
Double-click on the Resident Shield.
Un-tick the option Resident Shield active.
Save the changes.
Note: Don't forget to re-enable it after the fix.
Next.
ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
Please open Notepad and copy/paste all the text below... into the window:
Suspect::
C:\WINDOWS\system32\drivers\aarngb7m.sys
File::
C:\WINDOWS\tasks\Intel_C_CVPO9510015U160AGN.job
Folder::
C:\Program Files\Vuze
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Vuze\Azureus.exe"=-
FCOPY::
c:\windows\ServicePackFiles\i386\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
*Only* when the 2 items above (Step 3) have been taken care of...
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif
This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.
Logs/Information to Post in your Next Reply
ComboFix log.
Please give me an update on your computers performance.
Was it really necessary to remove my Vuze? I have been using Vuze (formally known as Azureus for the past 4-5 years) and it is a commonly used bittorrent program. Anyway, I haven't used it once since I reinstalled my computer on the new drive since pretty much all my torrenting is done on my web servers now since its much faster. And I'm positive my infection didn't come from any torrent as all I download lately are movies and anime. Is that all this "fix" did, remove Vuze? Because if it was I could have done that with the uninstall button :P
As far as computer performance. No noticeable difference from previous fix.
Anyway, the log....
ComboFix 10-04-26.02 - thewird 04/26/2010 13:58:00.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2636 [GMT -4:00]
Running from: c:\documents and settings\thewird\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\thewird\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\tasks\Intel_C_CVPO9510015U160AGN.job"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\thewird\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\thewird\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\program files\Vuze
c:\program files\Vuze\.install4j\_shfoldr.dll
c:\program files\Vuze\.install4j\autoUninstall.0
c:\program files\Vuze\.install4j\files.log
c:\program files\Vuze\.install4j\i4j_extf_0_5p83tu.utf8
c:\program files\Vuze\.install4j\i4j_extf_1_5p83tu.properties
c:\program files\Vuze\.install4j\i4j_extf_10_5p83tu.utf8
c:\program files\Vuze\.install4j\i4j_extf_11_5p83tu.properties
c:\program files\Vuze\.install4j\i4j_extf_12_5p83tu_1q2vg51.png
c:\program files\Vuze\.install4j\i4j_extf_13_5p83tu_1rjd818.png
c:\program files\Vuze\.install4j\i4j_extf_14_5p83tu_qin5kk.png
c:\program files\Vuze\.install4j\i4j_extf_15_5p83tu.exe
c:\program files\Vuze\.install4j\i4j_extf_16_5p83tu.exe
c:\program files\Vuze\.install4j\i4j_extf_17_5p83tu.exe
c:\program files\Vuze\.install4j\i4j_extf_18_5p83tu_xza4ha.png
c:\program files\Vuze\.install4j\i4j_extf_19_5p83tu_19c5po3.png
c:\program files\Vuze\.install4j\i4j_extf_2_5p83tu.utf8
c:\program files\Vuze\.install4j\i4j_extf_20_5p83tu.html
c:\program files\Vuze\.install4j\i4j_extf_21_5p83tu_2zcusy.png
c:\program files\Vuze\.install4j\i4j_extf_22_5p83tu.html
c:\program files\Vuze\.install4j\i4j_extf_23_5p83tu_rz1c2y.png
c:\program files\Vuze\.install4j\i4j_extf_24_5p83tu_bm8amj.ico
c:\program files\Vuze\.install4j\i4j_extf_25_5p83tu.exe
c:\program files\Vuze\.install4j\i4j_extf_26_5p83tu.DLL
c:\program files\Vuze\.install4j\i4j_extf_27_5p83tu.exe
c:\program files\Vuze\.install4j\i4j_extf_28_5p83tu.dll
c:\program files\Vuze\.install4j\i4j_extf_29_5p83tu.dll
c:\program files\Vuze\.install4j\i4j_extf_3_5p83tu.properties
c:\program files\Vuze\.install4j\i4j_extf_30_5p83tu_117nkgl.png
c:\program files\Vuze\.install4j\i4j_extf_31_5p83tu_1eannr4.png
c:\program files\Vuze\.install4j\i4j_extf_32_5p83tu_1efhqvy.png
c:\program files\Vuze\.install4j\i4j_extf_33_5p83tu_10qu06u.png
c:\program files\Vuze\.install4j\i4j_extf_34_5p83tu.html
c:\program files\Vuze\.install4j\i4j_extf_35_5p83tu_z1x7tn.png
c:\program files\Vuze\.install4j\i4j_extf_4_5p83tu.utf8
c:\program files\Vuze\.install4j\i4j_extf_5_5p83tu.properties
c:\program files\Vuze\.install4j\i4j_extf_6_5p83tu.utf8
c:\program files\Vuze\.install4j\i4j_extf_7_5p83tu.properties
c:\program files\Vuze\.install4j\i4j_extf_8_5p83tu.utf8
c:\program files\Vuze\.install4j\i4j_extf_9_5p83tu.properties
c:\program files\Vuze\.install4j\i4jdel.exe
c:\program files\Vuze\.install4j\i4jinst.dll
c:\program files\Vuze\.install4j\i4jparams.conf
c:\program files\Vuze\.install4j\i4jruntime.jar
c:\program files\Vuze\.install4j\inst_jre.cfg
c:\program files\Vuze\.install4j\install.prop
c:\program files\Vuze\.install4j\installation.log
c:\program files\Vuze\.install4j\MessagesDefault
c:\program files\Vuze\.install4j\response.varfile
c:\program files\Vuze\.install4j\unicows.dll
c:\program files\Vuze\.install4j\user.jar
c:\program files\Vuze\aereg.dll
c:\program files\Vuze\Azureus.exe
c:\program files\Vuze\Azureus.exe.manifest
c:\program files\Vuze\Azureus.exe.vmoptions
c:\program files\Vuze\Azureus.properties
c:\program files\Vuze\Azureus2.jar
c:\program files\Vuze\AzureusUpdater.exe
c:\program files\Vuze\GPL.txt
c:\program files\Vuze\installer.log
c:\program files\Vuze\plugins\azemp\azemp_2.2.2.jar
c:\program files\Vuze\plugins\azemp\azureus.sig
c:\program files\Vuze\plugins\azemp\cp1250-a.raw
c:\program files\Vuze\plugins\azemp\cp1250-b.raw
c:\program files\Vuze\plugins\azemp\font.desc
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw
c:\program files\Vuze\plugins\azemp\plugin.properties
c:\program files\Vuze\plugins\azitunes\azitunes_0.2.3.jar
c:\program files\Vuze\plugins\azitunes\azureus.sig
c:\program files\Vuze\plugins\azitunes\jacob-1.14.3-x86.dll
c:\program files\Vuze\plugins\azitunes\jacob_1.14.3.jar
c:\program files\Vuze\plugins\azitunes\libProcessAccess.dll
c:\program files\Vuze\plugins\azitunes\libProcessAccess_0.1.2.jar
c:\program files\Vuze\plugins\azitunes\plugin.properties
c:\program files\Vuze\plugins\azplugins\azplugins_2.1.6.jar
c:\program files\Vuze\plugins\azrating\azrating_1.3.1.jar
c:\program files\Vuze\plugins\azupdater\azupdaterpatcher_1.8.15.jar
c:\program files\Vuze\plugins\azupdater\azureus.sig
c:\program files\Vuze\plugins\azupdater\plugin.properties
c:\program files\Vuze\plugins\azupdater\Updater.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.23.jar
c:\program files\Vuze\plugins\azupnpav\azureus.sig
c:\program files\Vuze\plugins\azupnpav\plugin.properties
c:\program files\Vuze\swt.jar
c:\program files\Vuze\uninstall.exe
c:\program files\Vuze\Vuze.ico
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
.
2010-04-25 19:02 . 2010-04-25 19:02 -------- d-----w- c:\program files\ERUNT
2010-04-25 06:05 . 2010-04-25 06:05 -------- d-----w- C:\rsit
2010-04-23 21:14 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-23 21:12 . 2010-04-23 21:12 -------- d-----w- c:\program files\Windows Defender
2010-04-23 20:59 . 2010-04-23 20:59 -------- d-----w- c:\program files\Alwil Software
2010-04-23 20:59 . 2010-04-23 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-23 20:54 . 2010-04-23 20:54 503808 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697adea1-n\msvcp71.dll
2010-04-23 20:54 . 2010-04-23 20:54 499712 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697adea1-n\jmc.dll
2010-04-23 20:54 . 2010-04-23 20:54 348160 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-697adea1-n\msvcr71.dll
2010-04-23 20:54 . 2010-04-23 20:54 -------- d-----w- c:\program files\Common Files\Java
2010-04-23 20:54 . 2010-04-23 20:54 61440 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42356531-n\decora-sse.dll
2010-04-23 20:54 . 2010-04-23 20:54 12800 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42356531-n\decora-d3d.dll
2010-04-23 20:53 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-23 16:57 . 2010-04-23 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-23 16:57 . 2010-04-23 18:17 -------- d-----w- c:\documents and settings\thewird\Application Data\SUPERAntiSpyware.com
2010-04-23 16:57 . 2010-04-23 18:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-23 16:41 . 2010-04-23 16:52 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-22 13:03 . 2010-04-22 13:03 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-22 13:02 . 2010-04-22 13:02 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-22 00:44 . 2010-04-22 00:44 -------- d-----w- c:\documents and settings\thewird\Local Settings\Application Data\Threat Expert
2010-04-21 23:31 . 2010-04-21 23:31 -------- d-----w- c:\documents and settings\thewird\Application Data\Malwarebytes
2010-04-21 23:31 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-21 23:30 . 2010-04-21 23:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 23:30 . 2010-04-21 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-21 23:30 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 23:20 . 2010-04-22 17:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-21 16:12 . 2010-04-25 06:05 -------- d-----w- c:\program files\Trend Micro
2010-04-21 16:12 . 2010-04-21 16:12 388096 ----a-r- c:\documents and settings\thewird\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-21 16:07 . 2010-04-21 16:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-21 14:58 . 2010-04-23 07:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-21 14:58 . 2010-04-21 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-21 01:01 . 2010-04-21 01:01 -------- d-----w- C:\spoolerlogs
2010-04-21 00:47 . 2010-04-21 00:47 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-21 00:47 . 2010-04-21 00:47 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-20 04:23 . 2010-04-20 04:23 -------- d-----w- c:\program files\Gameforge4D
2010-04-20 04:23 . 2004-05-10 16:14 118272 ----a-w- c:\windows\system32\SX5363S.DLL
2010-04-20 04:23 . 2004-05-10 16:14 102400 ----a-w- c:\windows\system32\RV32RTP.dll
2010-04-19 22:33 . 2010-04-19 22:33 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-19 13:35 . 2010-04-21 00:47 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-04-19 13:32 . 2010-04-19 13:32 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-04-19 13:31 . 2010-04-19 13:31 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-04-19 13:31 . 2010-04-19 13:31 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-04-19 13:31 . 2010-04-19 13:31 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-04-19 13:29 . 2010-04-21 00:46 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-16 20:26 . 2010-04-16 20:26 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-04-14 23:36 . 2010-04-14 23:37 -------- d-----w- c:\program files\RDM+
2010-04-09 18:14 . 2010-04-09 18:14 -------- d-----w- c:\windows\Performance
2010-04-09 18:14 . 2010-04-09 18:14 -------- d-----w- c:\documents and settings\thewird\Local Settings\Application Data\Microsoft Corporation
2010-04-08 13:30 . 2010-04-08 13:30 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-02 12:08 . 2010-04-02 12:08 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-02 12:08 . 2010-04-02 12:08 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-02 12:08 . 2010-04-02 12:08 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-02 12:08 . 2010-04-02 12:08 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-02 12:08 . 2010-04-02 12:08 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-02 12:08 . 2010-04-02 12:08 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-02 12:08 . 2010-04-02 12:08 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-02 12:08 . 2010-04-02 12:08 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-02 12:08 . 2010-04-02 12:08 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-02 12:08 . 2010-04-02 12:08 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-02 12:08 . 2010-04-02 12:08 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-30 07:29 . 2010-04-21 00:46 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-03-30 07:29 . 2010-04-21 00:46 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-03-30 07:29 . 2010-03-06 13:20 500400 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Web Player\DivXWebPlayerUninstall.exe
2010-03-30 07:29 . 2010-03-30 07:29 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-03-30 07:29 . 2010-03-30 07:29 -------- d-----w- c:\documents and settings\thewird\Application Data\DivX
2010-03-30 07:29 . 2010-03-30 07:29 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-03-30 07:29 . 2010-03-30 07:29 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-03-30 07:29 . 2010-03-30 07:29 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-30 07:29 . 2010-03-30 07:29 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-30 07:26 . 2010-04-21 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 01:53 . 2010-03-05 21:42 -------- d-----w- c:\program files\Warcraft III
2010-04-25 19:23 . 2010-03-05 22:08 -------- d-----w- c:\program files\Trillian
2010-04-25 08:17 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-04-25 05:33 . 2010-03-05 21:25 89917 ----a-w- c:\windows\system32\nvModes.dat
2010-04-23 21:54 . 2010-03-06 02:49 -------- d-----w- c:\documents and settings\thewird\Application Data\Xfire
2010-04-23 20:53 . 2010-03-06 11:54 -------- d-----w- c:\program files\Java
2010-04-23 20:47 . 2004-08-04 10:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-23 18:17 . 2010-03-05 21:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-23 06:02 . 2010-03-05 23:16 -------- d-----w- c:\documents and settings\thewird\Application Data\TeraCopy
2010-04-23 00:42 . 2010-03-06 12:04 -------- d-----w- c:\program files\DivX
2010-04-22 20:28 . 2010-03-06 02:49 -------- d-----w- c:\program files\Xfire
2010-04-22 13:03 . 2010-03-08 13:05 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-21 20:29 . 2010-03-05 21:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-21 14:18 . 2010-03-08 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-20 06:37 . 2010-03-12 16:52 -------- d-----w- c:\documents and settings\thewird\Application Data\vlc
2010-04-13 12:40 . 2009-10-27 10:36 181096 ----a-w- c:\documents and settings\thewird\Application Data\Mozilla\Firefox\Profiles\5fonlhdr.default\FlashGot.exe
2010-04-13 04:47 . 2010-03-06 14:18 1477 ----a-w- c:\windows\system32\secushr.dat
2010-03-31 01:58 . 2010-03-10 17:29 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-03-31 01:58 . 2010-03-10 17:29 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-03-31 01:58 . 2010-03-10 17:29 44944 ----a-w- c:\windows\system32\drivers\PxHelp20.sys
2010-03-31 01:58 . 2010-03-10 17:29 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2010-03-10 17:29 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2010-03-10 17:29 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-30 07:29 . 2010-03-06 13:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-26 03:17 . 2010-03-26 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-03-26 01:30 . 2010-03-26 01:30 -------- d-----w- c:\documents and settings\thewird\Application Data\Mael
2010-03-26 01:21 . 2010-03-26 01:21 -------- d-----w- c:\program files\HxD
2010-03-23 23:54 . 2010-03-12 16:52 -------- d-----w- c:\documents and settings\thewird\Application Data\dvdcss
2010-03-23 19:25 . 2010-03-05 21:27 72800 ----a-w- c:\documents and settings\thewird\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-23 19:24 . 2010-03-23 19:24 -------- d-----w- c:\program files\Common Files\L&H
2010-03-23 19:23 . 2010-03-23 19:23 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-03-23 19:23 . 2010-03-23 19:23 -------- d-----w- c:\program files\Microsoft Works
2010-03-23 19:21 . 2010-03-23 19:21 -------- d-----w- c:\program files\Microsoft.NET
2010-03-23 07:02 . 2010-03-06 21:39 -------- d-----w- c:\program files\PokerStars
2010-03-19 11:38 . 2010-03-19 11:35 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-03-19 06:07 . 2010-03-19 06:07 -------- d-----w- c:\program files\WIDCOMM
2010-03-19 04:46 . 2010-03-05 22:23 -------- d-----w- c:\program files\Creative
2010-03-19 04:46 . 2010-03-05 22:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-19 04:30 . 2010-03-19 04:30 -------- d-----w- c:\documents and settings\thewird\Application Data\Creative
2010-03-19 04:09 . 2010-03-19 04:09 -------- d-----w- c:\program files\SigmaTel
2010-03-19 04:02 . 2010-03-19 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative Labs
2010-03-19 04:01 . 2010-03-19 04:01 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2010-03-18 10:19 . 2010-03-18 00:52 256 ----a-w- c:\windows\system32\pool.bin
2010-03-18 07:34 . 2010-03-06 14:25 -------- d-----w- c:\program files\Steam
2010-03-18 00:52 . 2010-03-18 00:52 -------- d-----w- c:\documents and settings\thewird\Application Data\Research In Motion
2010-03-18 00:52 . 2010-03-18 00:52 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-03-18 00:52 . 2010-03-18 00:52 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-03-18 00:52 . 2010-03-18 00:52 -------- d-----w- c:\program files\Research In Motion
2010-03-15 04:38 . 2010-03-15 04:37 -------- d-----w- c:\program files\BulletProof FTP Client 2009
2010-03-14 23:56 . 2010-03-14 22:28 -------- d-----w- c:\documents and settings\thewird\Application Data\Azureus
2010-03-14 22:28 . 2010-03-14 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-03-14 18:00 . 2010-03-19 11:35 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-03-12 16:50 . 2010-03-12 16:50 -------- d-----w- c:\program files\VideoLAN
2010-03-12 16:26 . 2010-03-12 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Elaborate Bytes
2010-03-12 16:26 . 2010-03-12 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2010-03-12 16:25 . 2010-03-12 16:25 -------- d-----w- c:\program files\Elaborate Bytes
2010-03-12 16:25 . 2010-03-12 16:25 -------- d-----w- c:\program files\SlySoft
2010-03-12 02:13 . 2010-03-12 02:13 -------- d-----w- c:\documents and settings\thewird\Application Data\XenSource
2010-03-11 20:36 . 2010-03-05 21:46 77606 ----a-w- c:\windows\War3Unin.dat
2010-03-10 18:04 . 2010-03-10 18:02 -------- d-----w- c:\documents and settings\thewird\Application Data\Canon
2010-03-10 17:36 . 2010-03-10 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-10 17:35 . 2010-03-10 17:35 -------- d-----w- c:\program files\2BrightSparks
2010-03-10 17:31 . 2010-03-07 17:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-10 17:31 . 2010-03-10 17:31 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-03-10 17:11 . 2010-03-10 17:11 -------- d-----w- c:\program files\PowerISO
2010-03-10 16:47 . 2010-03-10 16:15 -------- d-----w- c:\documents and settings\thewird\Application Data\DAEMON Tools Lite
2010-03-10 16:45 . 2010-03-10 16:16 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-10 16:16 . 2010-03-10 16:16 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-10 16:15 . 2010-03-10 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-03-10 16:08 . 2010-03-10 16:06 -------- d-----w- c:\program files\FC Edit Universal
2010-03-10 16:06 . 2010-03-10 16:04 249856 ------w- c:\windows\Setup1.exe
2010-03-10 16:06 . 2010-03-10 16:04 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-03-10 06:15 . 2004-08-04 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 04:38 . 2010-03-06 01:16 -------- d-----w- c:\documents and settings\thewird\Application Data\Ventrilo
2010-03-08 13:05 . 2010-03-08 13:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-08 13:05 . 2010-03-08 13:05 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-08 13:05 . 2010-03-08 13:05 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-08 13:05 . 2010-03-08 13:05 -------- d-----w- c:\program files\AVG
2010-03-07 11:09 . 2010-03-07 11:09 -------- d-----w- c:\program files\TightVNC
2010-03-06 14:17 . 2010-03-06 14:17 -------- d-----w- c:\documents and settings\thewird\Application Data\FlashGet
2010-03-06 13:06 . 2010-03-06 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-06 12:56 . 2010-03-06 12:56 152576 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-06 12:56 . 2010-03-06 12:56 79488 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-06 11:54 . 2010-03-06 11:54 152576 ----a-w- c:\documents and settings\thewird\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-03-06 10:51 . 2010-03-06 10:51 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-03-06 10:28 . 2010-03-05 22:24 -------- d-----w- c:\program files\Intel
2010-03-06 03:17 . 2010-03-06 03:16 -------- d-----w- c:\documents and settings\thewird\Application Data\WhatPulse
2010-03-06 03:17 . 2010-03-06 03:16 -------- d-----w- c:\program files\WhatPulse
2010-03-06 03:12 . 2010-03-06 03:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2010-03-06 03:09 . 2010-03-06 03:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2010-03-06 01:16 . 2010-03-06 01:16 -------- d-----w- c:\program files\Ventrilo
2010-03-06 00:26 . 2007-08-11 00:57 -------- d-----w- c:\program files\XenSource
2010-03-05 23:16 . 2010-03-05 23:16 -------- d-----w- c:\program files\TeraCopy
2010-03-05 22:39 . 2010-03-05 22:06 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-05 22:29 . 2010-03-05 22:29 -------- d-----w- c:\program files\I8kfanGUI
2010-03-05 22:26 . 2010-03-05 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-03-05 22:26 . 2010-03-05 22:23 -------- d-----w- c:\program files\Dell
2010-03-05 22:25 . 2010-03-05 22:25 -------- d-----w- c:\program files\DIFX
2010-03-05 22:23 . 2010-03-05 22:23 -------- d-----w- c:\documents and settings\thewird\Application Data\InstallShield
2010-03-05 22:21 . 2010-03-05 22:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-04-25_19.19.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-25 19:23 . 2010-04-25 19:23 16384 c:\windows\Temp\Perflib_Perfdata_a48.dat
- 2004-08-04 10:00 . 2010-04-25 18:35 71462 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-04-25 19:28 71462 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-04-25 19:28 441692 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-04-25 18:35 441692 c:\windows\system32\perfh009.dat
+ 2004-08-04 10:00 . 2008-04-13 19:20 361344 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
"WhatPulse"="c:\program files\WhatPulse\WhatPulse.exe" [2009-04-08 2814976]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"nwiz"="nwiz.exe" [2009-01-30 1657376]
"NVHotkey"="nvHotkey.dll" [2009-01-30 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-01-04 1355181]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
c:\documents and settings\thewird\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2010-2-10 1930592]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-4-16 3438992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-08 13:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RDM+]
2009-05-29 11:30 61440 ----a-w- c:\program files\RDM+\notify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Documents and Settings\\thewird\\Desktop\\gproxyplusplus_ptr_windows_1.0\\gproxy.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\program files\Gameforge4D\AirRivals_EN\Launcher.atm"= c:\program files\Gameforge4D\AirRivals_EN\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals_EN\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals_EN\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\WINDOWS\\system32\\spoolsv.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2010 9:05 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2010 9:05 AM 242896]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [3/5/2010 6:29 PM 14464]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/8/2010 9:05 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/8/2010 9:05 AM 308064]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [5/29/2009 7:31 AM 31896]
S0 tmucil;tmucil; [x]
S3 RDMPLocalService;RDM+ Local Service;c:\program files\RDM+\rdmpserv.exe [3/22/2010 2:19 AM 813568]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/10/2010 12:16 PM 691696]
.
Contents of the 'Scheduled Tasks' folder
2010-04-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
Trusted Zone: live.com\onecare
FF - ProfilePath - c:\documents and settings\thewird\Application Data\Mozilla\Firefox\Profiles\5fonlhdr.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&p=
FF - component: c:\documents and settings\thewird\Application Data\Mozilla\Firefox\Profiles\5fonlhdr.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}\components\FlashgetXpi.dll
FF - plugin: c:\documents and settings\thewird\Application Data\Mozilla\Firefox\Profiles\5fonlhdr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-8461-7759-5462-8226 - c:\program files\Vuze\uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 14:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\program files\RDM+\notify.dll
.
Completion time: 2010-04-26 14:01:10
ComboFix-quarantined-files.txt 2010-04-26 18:01
ComboFix2.txt 2010-04-25 19:20
Pre-Run: 69,173,956,608 bytes free
Post-Run: 69,133,176,832 bytes free
- - End Of File - - C20B7B2C9F6C384FE19055C0D0308B3B
Hi thewird.
Was it really necessary to remove my Vuze?
If you recall i asked you to remove Vuze in my post Here (http://forums.spybot.info/showpost.php?p=368902&postcount=4) as it is forum policy to remove all P2P software.
We don't ask you to remove such for no reason, P2P applications are one of the main causes of spreading infections and spam.
And I'm positive my infection didn't come from any torrent as all I download lately are movies and anime.
I disagree totally this is most likely how you get infected, and if you continue to use P2P applications you could get infected again.
All we can do is advise you of the dangers of using P2P applications, if you chose to ignore that advice thats you're choice.
Is that all this "fix" did, remove Vuze?
No what that fix also did was replace an infected driver file that had become corrupted by the TDL3 rootkit infection that you had.
With that said we need to get another scan to see if we got everything.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.If you use Firefox browser Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Next.
Disable AVG9
Open AVG User Interface.
Double-click on the Resident Shield.
Un-tick the option Resident Shield active.
Save the changes.
Note: Don't forget to re-enable it after the below scan.
Next.
Kaspersky Online Scan
You can use either Internet Explorer or Mozilla FireFox for this scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan. * This will take a while. Please be patient *.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
This online tutorial (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif) will help explain how to use the aforementioned online scan.
Logs/Information to Post in your Next Reply
Kaspersky log.
Please give me an update on your computers performance.
I'll say it again, the cause of the virus/rootkit was from the ads on ninjavideo.net or throneit.com and not from and p2p usage. I understand that there are a lot of shared things specifically for the intent of an infection but not what I download. And I understand a lot of users requesting your help, got infections from them. If just because of that possibility of downloading something malicious warrents the ban of p2p software according to you, then the same must be said for the internet as a whole as all infections originate from the internet. I should just unplug my ethernet cable right now and super glue my drives, USB ports, and SD slot so it can never be infected, and don't forget the floppy drive! Now I can use my PC without worry, but wait, now its useless, great. Basically, that is thinking backwards in my opinion. What I'd like to know is how I was infected without ever using internet explorer, never clicking yes to anything, and having AVG running which detected the virus but did not stop it. I just loaded the page and boom.
Anyway, continuing...
I've started to look at what I've been posting. You can pretty much ignore anything from BACKUP as I did a full backup of my old drive and copied it to this new one when I installed Windows on it. Although the Java "infections" have me wondering. It has one on my new drive as well.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, April 27, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, April 26, 2010 19:33:50
Records in database: 3982782
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Objects scanned: 207837
Threats found: 9
Infected objects found: 10
Suspicious objects found: 1
Scan duration: 03:55:23
File name / Threat / Threats count
C:\BACKUP\Documents and Settings\thewird\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-27c862f1 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\BACKUP\Documents and Settings\thewird\Application Data\Sun\Java\Deployment\cache\6.0\57\76699b39-11afd1c5 Infected: Trojan-Downloader.Java.Agent.au 1
C:\BACKUP\Documents and Settings\thewird\Application Data\Sun\Java\Deployment\cache\6.0\60\59af077c-3b36ef1e Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\BACKUP\Documents and Settings\thewird\Desktop\mikesx4911\HELP.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\BACKUP\Documents and Settings\thewird\Desktop\mikesx4911\test.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\BACKUP\Documents and Settings\thewird\Desktop\VirtualDubMod_1_5_10_1_All_inclusive\plugins\warpsharp.vdf Infected: not-a-virus:FraudTool.Win32.InternetSecurity2010.bw 1
C:\BACKUP\Documents and Settings\thewird\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\thewird\Application Data\Sun\Java\Deployment\cache\6.0\10\77c1fd0a-21338315 Infected: Exploit.Java.Agent.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{11C412CE-C0D1-4EEC-B786-F684F8727C5A}\RP21\A0008965.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\System Volume Information\_restore{11C412CE-C0D1-4EEC-B786-F684F8727C5A}\RP21\A0008965.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
Selected area has been scanned.
Hi thewird.
We can argue all day about how infections are spread but the easiest way to avoid getting infected is to practice safe surfing habits :)
I can give you some advice on just that once we are done..
You can pretty much ignore anything from BACKUP as I did a full backup of my old drive and copied it to this new one when I installed Windows on it. Although the Java "infections" have me wondering. It has one on my new drive as well.
Fair enough, we can clear you're java cache and reset system restore that will take care of what the Kaspersky scan found.
How is you're PC performing any more problems before i give you final instructions?
Clear Java cache
Click on Start > Control Panel > Classic view then double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button.
There are two options in the window to clear the cache - Leave BOTH Checked.
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.
Done. Computer seemed fine/fixed after the first combofix run. One thing I did notice today though was when I tried to ping one of my servers with cmd but when the window opens it only shows the copyright part but nothing after that.
thewird
I did notice another thing yesterday.
http://img51.imageshack.us/i/69986782.jpg/
Not sure how your fixes changed firefox but basically that page is cut now and I have to scroll. I have verified its not a site problem by using internet explorer on this laptop and firefox on my other laptop.
thewird
Hi thewird.
The fixes didn't make any changes to firefox.
Try resetting firefox and let me know if that solves the problem.
Reset FireFox:
Click on Start >> Run...
Enter the following command:
firefox.exe -safe-mode
In the open window, select Reset all preferences to default Firefox.
Click on Make the changes and restart.
After FireFox restarts click on Check for Updates...
That might be from a Java update. I just realized I updated my Java yesterday so don't worry about that. What about my CMD?
thewird
Hi thewird.
The problems you are still experiencing are not coming from malware as all of your latest logs have come back clean.
When I am faced with this type of problem I go to these sites below. I have asked for help there myself and they have always been able to solve my problems.
Tech support guy (http://forums.techguy.org/)
Windows (http://forums.techguy.org/49-operating-systems/) - problems with operating systems and windows problems.
All other software (http://forums.techguy.org/18-all-other-software/) - problems with all other software.
And
What the tech (http://forums.whatthetech.com/forums.html)
Windows (http://forums.whatthetech.com/Microsoft_Windows_f119.html) - problems with operating systems and windows problems.
All other software (http://forums.whatthetech.com/Other_software_f124.html) - problems with all other software.
So as I said above your logs are clean, I hope you can resolve your other problem with the links that I provided.
This is my general post for when your logs show no more signs of malware.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Time for some housekeeping
Click on Start >> Run...
Now type in ComboFix /Uninstall into the and click OK.
Note the space between the X and the /Uninstall, it needs to be there.
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/CF-Uninstall.png
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.
Next.
OTC
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop. This tool will remove all the tools we used to clean your pc.
Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.
Here are some free programs I recommend that could help you improve your computer's security.
Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here (http://www.siteadvisor.com/)
Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE (http://www.winpatrol.com/)
MVPS Hosts
Install MVPS Hosts File From Here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
You can Find the Tutorial HERE (http://www.mvps.org/winhelp2002/hosts2.htm)
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer
You can do that HERE (http://www.update.microsoft.com)
Read some information HERE (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) On how to prevent Malware
Is your pc running slow?
Read What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)
I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Safe surfing!
After running OTC, the command prompt started working again. Thanks a lot for your help in removing this infection.
thewird
You're most welcome thewird.
Good luck :)
As this issue appears to be resolved, this topic is now closed
We are pleased to have been some help in getting you clean.
If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)