View Full Version : Fraud.SysGuardSuite
I recently thought I dealt with my System Guard problem, but after scanning with Spybot last week, I discovered I had two registry settings still appearing. The settings are for proxies for my internet connection. They aren't actually doing anything, but no matter how hard I try, I can't remove them.
I delete them, and then after restarting once or twice, they come back. I have used Avira Antivirus, AVG Antivirus, Rkill, Combo Fixer, Spybot, Super Anti Spyware, Adaware, Spyware Blaster, etc. Nothing seems to work. I even manually deleted them using Regedit, and deleted my system restores. Nothing will make it go away. Spybot is the only program that picks up the registry settings now. I am in college, and just do not have the time or patience to spend on trying to remove these settings. I need help, please.
As I said, I have used various programs already. I am sorry if this makes things harder. For now, MSconfig is blocking certain programs, UAC is turned on, and I reactivated System Restore and made a restore point. Feel free to tear my system apart. Just let me know what you need. Thank you.
:snwelcome:
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.
Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")
Stay with this topic until I give you the all clean post.
You might want to print these instructions out.
I suggest you do this:
XP Users
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.
Vista Users
To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:
Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:
If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.
If you are in the Control Panel Home view do the following:
Click on the Appearance and Personalization link.
Click on Show Hidden Files or Folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Please do not delete anything unless instructed to.
We've been seeing some Java infections lately.
Go here and follow the instructions to clear your Java Cache (http://www.java.com/en/download/help/plugin_cache.xml)
Next:
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner» (http://forums.whatthetech.com/downloads.html&req=download&code=confirm_download&id=17)
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
[/list]If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.
Next:
Please download Malwarebytes' Anti-Malware (http://www.whatthetech.com/link/mbam.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://whatthetech.com/ldtate/Images/MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
http://i35.photobucket.com/albums/d165/ndmmxiaomayi/mayi/mbam1.png
Then click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Also please describe how your computer behaves at the moment.
Please don't attach the scans / logs, use "copy/paste". .
Thanks for getting back to me. Mother was in the hospital, so I didn't have time to do this. Getting on it now. Be back shortly.
Okay, did a scan with Malwarebytes, and it came up clean. Here is the log.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4602
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943
9/12/2010 6:14:05 PM
mbam-log-2010-09-12 (18-14-05).txt
Scan type: Quick scan
Objects scanned: 158944
Time elapsed: 8 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
My computer seems to be running about average right now. I think with all of the programs I ran, a lot of stuff has slowed down because a lot of default settings were cleared and a lot of cache items were cleared out. I wish I had been to this website first before I ran combofixer and other stuff. I didn't realize how dangerous it was. Guess it is always better to get a second opinion immediately.
Anyways, as usual, nothing has shown up. I will do a scan of spybot and see if it pulls up the registry keys still or not. Nice thinking on the Java cleanup. I hadn't though of clearing my cache. I also used ATF Cleaner and used the Control Panel to make all files viewable. I will let you know if I find anything. Hopefully this did the trick, as I have tried a lot of other stuff already, and I am starting to lose hope. I will let you know how the scan goes.
Did a scan with Spybot, and the two Fraud.AVSecuritySuite registry files still showed up.
Twice now I have tried to copy and paste the log into here and it wouldn't work. I just realized that my log never pasted in the first post I made. Here is the latest Spybot log. Hope this helps.
Fraud.AVSecuritySuite: [SBI $5587D6DE] Settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...
Fraud.AVSecuritySuite: [SBI $5587D6DE] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...
Statcounter: Tracking cookie (Firefox: Moratu (default)) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: Moratu (default)) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-08-09 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-08-24 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-07-27 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-07-27 Includes\HijackersC.sbi (*)
2010-06-29 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-08-31 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-09-07 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-07-20 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-07-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-07-27 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-08-04 Includes\Trojans.sbi (*)
2010-07-28 Includes\TrojansC-02.sbi (*)
2010-07-28 Includes\TrojansC-03.sbi (*)
2010-07-28 Includes\TrojansC-04.sbi (*)
2010-09-07 Includes\TrojansC-05.sbi (*)
2010-08-16 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Please download HostsXpert from the link below.
http://www.funkytoad.com/download/HostsXpert.zip
Unzip HostsXpert.zip
Open HostsXpert.exe.
you have to click: ''make hosts writable'' in the top right corner, then press the ''restore MS hosts file'' option
Close program when complete.
Empty Recycle Bin
Reboot and "copy/paste" a new SpyBot log file into this thread.
Also please describe how your computer behaves at the moment.
Here are the results for my follow up Spybot scan. All clean of those nasty registry files! First clean scan after a reboot in a very long time. Very excited. Starting to get hopeful about reclaiming my computer!
--- Report generated: 2010-09-14 00:29 ---
MediaPlex: Tracking cookie (Firefox: Moratu (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Moratu (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Moratu (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Moratu (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Moratu (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Moratu (default)) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-08-09 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-07-28 advcheck.dll (1.6.3.17)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-08-24 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-07-27 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-07-27 Includes\HijackersC.sbi (*)
2010-06-29 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-08-31 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-09-07 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-07-20 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-07-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-07-27 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-08-04 Includes\Trojans.sbi (*)
2010-07-28 Includes\TrojansC-02.sbi (*)
2010-07-28 Includes\TrojansC-03.sbi (*)
2010-07-28 Includes\TrojansC-04.sbi (*)
2010-09-07 Includes\TrojansC-05.sbi (*)
2010-08-16 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
My computer itself is running about the same as last time. Startup seems to be a lot smoother now, which is very nice. Otherwise, about the same. Just so glad to have a clean scan! Let me know what you think.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe) If using this link, Right Click and select Save As.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
Double click on ComboFix.exe & follow the prompts.
Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
Note: If you have SP3, use the SP2 package.
If Vista or Windows 7, skip the Recovery Console part
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.
Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Give it atleast 20-30 minutes to finish if needed.
Please do not attach the scan results from Combofx. Use copy/paste.
Also please describe how your computer behaves at the moment.
My computer is running pretty smoothly. I was pretty sure I disabled Windows Defender, but the scan shows it as having been enabled. If I need to run it again with it disabled, let me know. A couple programs didn't start up that normally do, such as Rocket Dock and Windows Sidebar. I know ComboFix asks you not to start up any programs after it reboots your computer, so I assume that ComboFix is why these didn't start up. Otherwise, things are looking really good.
ComboFix 10-09-14.01 - Moratu 09/14/2010 12:53:35.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1863 [GMT -4:00]
Running from: c:\users\Moratu\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\cfcbcbaa4_g.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((( Files Created from 2010-08-14 to 2010-09-14 )))))))))))))))))))))))))))))))
.
2010-09-14 17:02 . 2010-09-14 17:05 -------- d-----w- c:\users\Moratu\AppData\Local\temp
2010-09-14 17:02 . 2010-09-14 17:02 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2010-09-14 17:02 . 2010-09-14 17:02 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-09-14 17:02 . 2010-09-14 17:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-14 00:01 . 2010-09-14 00:01 -------- d-----w- c:\users\Moratu\AppData\Local\Apple
2010-09-13 02:29 . 2010-09-14 16:49 -------- d-----w- c:\users\Moratu\AppData\Local\PMB Files
2010-09-13 02:29 . 2010-09-13 02:30 -------- d-----w- c:\programdata\PMB Files
2010-09-13 02:29 . 2010-09-13 02:29 -------- d-----w- c:\program files\Pando Networks
2010-09-13 02:10 . 2010-09-13 02:10 -------- d-----w- c:\users\Moratu\AppData\Local\The Lord of the Rings Online
2010-09-13 00:06 . 2010-09-13 00:20 -------- d-----w- c:\users\Moratu\AppData\Local\Apple Computer
2010-09-13 00:01 . 2010-09-13 01:56 -------- d-----w- c:\users\Moratu\AppData\Local\Adobe
2010-09-12 22:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-12 22:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-12 22:04 . 2010-09-12 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-05 17:29 . 2010-09-05 17:29 -------- d-----w- c:\program files\Safer Networking
2010-09-03 23:48 . 2010-09-03 23:48 -------- d-----w- c:\program files\Common Files\Java
2010-09-03 23:48 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 23:37 . 2010-09-03 23:37 -------- d-----w- c:\program files\iPod
2010-09-03 23:37 . 2010-09-03 23:38 -------- d-----w- c:\program files\iTunes
2010-09-03 23:32 . 2010-09-03 23:32 -------- d-----w- c:\program files\Bonjour
2010-09-03 22:00 . 2010-09-03 22:00 -------- d-----w- c:\program files\Secunia
2010-09-03 19:11 . 2010-09-03 19:11 -------- d--h--w- c:\windows\PIF
2010-09-03 19:03 . 2010-09-03 19:03 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-09-02 01:34 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-09-02 01:34 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-09-02 01:34 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-09-02 01:34 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-09-02 01:34 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-09-02 01:34 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-02 01:34 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-02 01:34 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-31 04:43 . 2010-08-31 04:43 -------- d-----w- c:\users\Moratu\AppData\Roaming\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\programdata\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\program files\Avira
2010-08-31 04:38 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-31 04:38 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-31 04:38 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-31 04:38 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-30 02:07 . 2010-09-12 23:41 -------- d-----w- c:\users\Moratu\Tracing
2010-08-24 03:36 . 2010-08-24 03:36 -------- d-----w- c:\program files\Atari
2010-08-24 00:40 . 2010-08-24 19:21 -------- d-----w- c:\users\Moratu\AppData\Local\The Witcher
2010-08-24 00:28 . 2010-08-24 01:59 -------- d-----w- c:\program files\The Witcher
2010-08-22 21:43 . 2010-08-22 21:45 -------- d-----w- c:\program files\Jnes
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\program files\Free Fire Screensaver
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\users\Moratu\AppData\Roaming\Laconic Software
2010-08-22 15:52 . 2010-08-22 15:52 -------- d-----w- c:\program files\RocketDock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 17:05 . 2009-12-09 06:37 37773 ----a-w- c:\programdata\nvModes.dat
2010-09-13 11:02 . 2009-11-05 16:31 -------- d-----w- c:\program files\Turbine
2010-09-13 01:08 . 2010-02-01 22:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\HpUpdate
2010-09-13 01:02 . 2008-07-13 04:01 -------- d-----w- c:\programdata\Lavasoft
2010-09-13 00:21 . 2009-01-27 07:15 -------- d-----w- c:\programdata\Apple Computer
2010-09-12 23:10 . 2007-03-15 01:52 -------- d-----w- c:\program files\Common Files\AOL
2010-09-07 18:38 . 2007-02-10 18:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-07 06:18 . 2010-09-05 18:19 63488 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-07 06:18 . 2010-09-05 18:19 117760 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-07 05:44 . 2010-06-24 01:24 -------- d-----w- c:\users\Moratu\AppData\Roaming\DisplayFusion
2010-09-05 18:26 . 2007-11-02 02:56 -------- d-----w- c:\programdata\NVIDIA
2010-09-05 18:19 . 2010-09-05 18:19 52224 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-05 17:52 . 2007-03-15 01:53 -------- d-----w- c:\programdata\Viewpoint
2010-09-05 17:52 . 2007-03-15 01:53 -------- d-----w- c:\program files\Viewpoint
2010-09-05 17:24 . 2009-08-10 05:56 -------- d-----r- c:\program files\Skype
2010-09-05 17:21 . 2007-06-06 01:18 -------- d-----w- c:\program files\CCleaner
2010-09-05 17:15 . 2007-02-10 18:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-05 17:11 . 2008-12-09 07:10 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-09-05 17:08 . 2010-02-09 23:01 -------- d-----w- c:\program files\Workspace Macro Pro 6.5
2010-09-05 17:07 . 2010-02-04 06:26 -------- d-----w- c:\programdata\ijjigame
2010-09-05 17:05 . 2007-05-21 04:09 -------- d-----w- c:\program files\RealMedia
2010-09-04 13:00 . 2009-09-11 21:44 -------- d-----w- c:\program files\City of Heroes
2010-09-03 23:48 . 2007-10-31 05:35 -------- d-----w- c:\program files\Java
2010-09-03 23:37 . 2009-01-27 07:18 -------- d-----w- c:\program files\Common Files\Apple
2010-09-03 23:35 . 2007-03-29 01:16 -------- d-----w- c:\program files\QuickTime
2010-09-03 23:31 . 2010-09-03 23:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-03 23:28 . 2007-03-29 01:25 -------- d-----w- c:\users\Moratu\AppData\Roaming\Apple Computer
2010-09-03 23:27 . 2008-12-09 10:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-03 23:27 . 2010-09-03 23:27 53632 ----a-w- c:\users\Moratu\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-03 23:27 . 2009-11-16 02:54 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-03 19:17 . 2007-02-10 17:20 1356 ----a-w- c:\users\Moratu\AppData\Local\d3d9caps.dat
2010-09-03 19:08 . 2008-06-18 13:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 19:04 . 2009-02-14 09:07 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-03 06:04 . 2008-12-11 03:31 -------- d-----w- c:\program files\SpywareBlaster
2010-09-02 02:40 . 2007-04-28 02:15 -------- d-----w- c:\programdata\Microsoft Help
2010-09-02 02:39 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-02 01:18 . 2007-01-06 01:59 35920 ----a-w- c:\windows\system32\drivers\nvstor.sys
2010-09-02 00:28 . 2010-09-02 00:28 388096 ----a-r- c:\users\Moratu\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-31 23:49 . 2009-04-28 05:07 -------- d-----w- c:\users\Moratu\AppData\Roaming\Skype
2010-08-31 23:48 . 2009-04-28 05:13 -------- d-----w- c:\users\Moratu\AppData\Roaming\skypePM
2010-08-31 04:30 . 2008-07-13 03:19 -------- d-----w- c:\programdata\avg8
2010-08-23 23:09 . 2008-06-18 03:43 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-23 23:09 . 2010-08-23 23:09 92280 ----a-w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
2010-08-23 23:09 . 2009-01-31 06:39 -------- d-----w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab
2010-08-22 19:22 . 2008-05-12 19:37 -------- d-----w- c:\program files\Emulator
2010-08-18 20:22 . 2007-02-10 17:02 70864 ----a-w- c:\users\Moratu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-08 03:41 . 2010-08-08 03:41 -------- d-----w- c:\users\Moratu\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-08-08 03:40 . 2010-08-08 03:40 -------- d-----w- c:\program files\Picaboo X
2010-08-03 22:10 . 2010-02-10 00:49 -------- d-----w- c:\program files\Google
2010-07-31 14:35 . 2010-07-31 14:35 -------- d-----w- c:\users\Moratu\AppData\Roaming\Flickr
2010-07-31 14:34 . 2010-07-31 14:34 -------- d-----w- c:\program files\Flickr Uploadr
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:42 . 2010-07-28 15:42 -------- d-----w- c:\program files\Enterbrain
2010-07-28 15:38 . 2010-07-28 15:38 -------- d-----w- c:\program files\Common Files\Enterbrain
2010-07-28 00:49 . 2009-10-29 17:56 -------- d-----w- c:\program files\SpeedBit Video Downloader
2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-24 01:33 . 2010-07-24 01:33 120 ----a-w- c:\users\Moratu\AppData\Local\Pfaweqixiwuhuq.dat
2010-07-22 18:24 . 2010-07-22 18:24 -------- d-----w- c:\program files\Common Files\Skype
2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 14:05 . 2010-07-07 14:05 14904 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-06-26 06:05 . 2010-09-02 01:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-09-02 01:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-09-02 01:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-09-02 01:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2010-07-08 1082088]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-13 2969496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13939816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-29 10664]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-11-12 3403420]
R3 npkycryp;npkycryp;c:\nexon\MapleStory\npkycryp.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 14904]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XDva011;XDva011;c:\windows\system32\XDva011.sys [x]
R3 XDva020;XDva020;c:\windows\system32\XDva020.sys [x]
R3 XDva136;XDva136;c:\windows\system32\XDva136.sys [x]
R3 XDva281;XDva281;c:\windows\system32\XDva281.sys [x]
R3 XDva295;XDva295;c:\windows\system32\XDva295.sys [x]
R3 XDva326;XDva326;c:\windows\system32\XDva326.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-07-13 717296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2008-05-19 370872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-09-14 c:\windows\Tasks\User_Feed_Synchronization-{47F3090E-BE59-4670-B66F-0AF53CDB1D56}.job
- c:\windows\system32\msfeedssync.exe [2010-09-02 04:24]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://157.238.137.246/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\users\Moratu\AppData\Roaming\Mozilla\Firefox\Profiles\bbq685r0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.sparkpeople.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Easy Dock - (no file)
HKLM-Run-Easy Dock - (no file)
HKLM-Run-hpqSRMon - (no file)
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:2f,f6,9d,35,33,7f,45,78,66,9e,14,8a,31,d0,74,8e,f4,52,e9,b0,c4,7c,d5,
2a,a0,da,7c,72,55,78,6c,e2,6f,f7,0d,cb,a0,a5,61,bb,d5,e8,64,2a,77,24,0a,c7,\
"??"=hex:3f,eb,b2,a8,d5,51,4b,c2,1b,01,ec,08,0f,18,11,95
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\License information*]
"datasecu"=hex:e2,48,17,61,5f,fd,77,85,69,1a,de,64,a2,2f,e4,97,8d,fd,c9,8f,85,
ee,3e,68,b9,58,34,3b,9b,8e,95,6e,40,f1,72,5e,5d,dc,ec,a4,e8,d2,4f,2c,d0,c7,\
"rkeysecu"=hex:17,0c,8b,a8,75,cb,05,56,56,b0,06,85,72,9c,ba,40
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(9904)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxczcoms.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\users\Moratu\AppData\Local\TVersity\Media Server\MediaServer.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-09-14 13:14:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-14 17:14
Pre-Run: 127,603,974,144 bytes free
Post-Run: 127,532,433,408 bytes free
- - End Of File - - 282A6CA863A73CA598FE6C76FC985138
Copy/paste the text in the Codebox below into notepad:
Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:
Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.
Folder::
c:\programdata\Viewpoint
c:\program files\Viewpoint
Driver::
XDva011;XDva011
XDva020;XDva020
XDva136;XDva136
XDva281;XDva281
XDva295;XDva295
XDva326;XDva326
Save this file to your desktop, Save this as "CFScript"
Here's how to do that:
1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Drag CFScript.txt into ComboFix.exe
Then post the results log using Copy / Paste
Also please describe how your computer behaves at the moment.
Scan went by much faster this time around. Computer is running exactly the same as last time. My last Spybot scan came up clean once again. So far so good.
ComboFix 10-09-14.01 - Moratu 09/14/2010 20:39:45.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1906 [GMT -4:00]
Running from: c:\users\Moratu\Desktop\ComboFix.exe
Command switches used :: c:\users\Moratu\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Viewpoint
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
c:\programdata\Viewpoint
c:\programdata\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.
2010-09-15 00:47 . 2010-09-15 00:50 -------- d-----w- c:\users\Moratu\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-15 00:47 . 2010-09-15 00:47 -------- d-----w- c:\users\Application Data\AppData\Local\temp
2010-09-14 00:01 . 2010-09-14 00:01 -------- d-----w- c:\users\Moratu\AppData\Local\Apple
2010-09-13 02:29 . 2010-09-14 16:49 -------- d-----w- c:\users\Moratu\AppData\Local\PMB Files
2010-09-13 02:29 . 2010-09-13 02:30 -------- d-----w- c:\programdata\PMB Files
2010-09-13 02:29 . 2010-09-13 02:29 -------- d-----w- c:\program files\Pando Networks
2010-09-13 02:10 . 2010-09-13 02:10 -------- d-----w- c:\users\Moratu\AppData\Local\The Lord of the Rings Online
2010-09-13 00:06 . 2010-09-13 00:20 -------- d-----w- c:\users\Moratu\AppData\Local\Apple Computer
2010-09-13 00:01 . 2010-09-13 01:56 -------- d-----w- c:\users\Moratu\AppData\Local\Adobe
2010-09-12 22:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-12 22:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-12 22:04 . 2010-09-12 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-05 17:29 . 2010-09-05 17:29 -------- d-----w- c:\program files\Safer Networking
2010-09-03 23:48 . 2010-09-03 23:48 -------- d-----w- c:\program files\Common Files\Java
2010-09-03 23:48 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 23:37 . 2010-09-03 23:37 -------- d-----w- c:\program files\iPod
2010-09-03 23:37 . 2010-09-03 23:38 -------- d-----w- c:\program files\iTunes
2010-09-03 23:32 . 2010-09-03 23:32 -------- d-----w- c:\program files\Bonjour
2010-09-03 22:00 . 2010-09-03 22:00 -------- d-----w- c:\program files\Secunia
2010-09-03 19:11 . 2010-09-03 19:11 -------- d--h--w- c:\windows\PIF
2010-09-03 19:03 . 2010-09-03 19:03 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-09-02 01:34 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-09-02 01:34 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-09-02 01:34 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-09-02 01:34 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-09-02 01:34 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-09-02 01:34 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-02 01:34 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-02 01:34 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-31 04:43 . 2010-08-31 04:43 -------- d-----w- c:\users\Moratu\AppData\Roaming\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\programdata\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\program files\Avira
2010-08-31 04:38 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-31 04:38 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-31 04:38 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-31 04:38 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-30 02:07 . 2010-09-12 23:41 -------- d-----w- c:\users\Moratu\Tracing
2010-08-24 03:36 . 2010-08-24 03:36 -------- d-----w- c:\program files\Atari
2010-08-24 00:40 . 2010-08-24 19:21 -------- d-----w- c:\users\Moratu\AppData\Local\The Witcher
2010-08-24 00:28 . 2010-08-24 01:59 -------- d-----w- c:\program files\The Witcher
2010-08-22 21:43 . 2010-08-22 21:45 -------- d-----w- c:\program files\Jnes
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\program files\Free Fire Screensaver
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\users\Moratu\AppData\Roaming\Laconic Software
2010-08-22 15:52 . 2010-08-22 15:52 -------- d-----w- c:\program files\RocketDock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 00:51 . 2009-12-09 06:37 37773 ----a-w- c:\programdata\nvModes.dat
2010-09-13 11:02 . 2009-11-05 16:31 -------- d-----w- c:\program files\Turbine
2010-09-13 01:08 . 2010-02-01 22:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\HpUpdate
2010-09-13 01:02 . 2008-07-13 04:01 -------- d-----w- c:\programdata\Lavasoft
2010-09-13 00:21 . 2009-01-27 07:15 -------- d-----w- c:\programdata\Apple Computer
2010-09-12 23:10 . 2007-03-15 01:52 -------- d-----w- c:\program files\Common Files\AOL
2010-09-07 18:38 . 2007-02-10 18:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-07 06:18 . 2010-09-05 18:19 63488 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-07 06:18 . 2010-09-05 18:19 117760 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-07 05:44 . 2010-06-24 01:24 -------- d-----w- c:\users\Moratu\AppData\Roaming\DisplayFusion
2010-09-05 18:26 . 2007-11-02 02:56 -------- d-----w- c:\programdata\NVIDIA
2010-09-05 18:19 . 2010-09-05 18:19 52224 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-05 17:24 . 2009-08-10 05:56 -------- d-----r- c:\program files\Skype
2010-09-05 17:21 . 2007-06-06 01:18 -------- d-----w- c:\program files\CCleaner
2010-09-05 17:15 . 2007-02-10 18:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-05 17:11 . 2008-12-09 07:10 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-09-05 17:08 . 2010-02-09 23:01 -------- d-----w- c:\program files\Workspace Macro Pro 6.5
2010-09-05 17:07 . 2010-02-04 06:26 -------- d-----w- c:\programdata\ijjigame
2010-09-05 17:05 . 2007-05-21 04:09 -------- d-----w- c:\program files\RealMedia
2010-09-04 13:00 . 2009-09-11 21:44 -------- d-----w- c:\program files\City of Heroes
2010-09-03 23:48 . 2007-10-31 05:35 -------- d-----w- c:\program files\Java
2010-09-03 23:37 . 2009-01-27 07:18 -------- d-----w- c:\program files\Common Files\Apple
2010-09-03 23:35 . 2007-03-29 01:16 -------- d-----w- c:\program files\QuickTime
2010-09-03 23:31 . 2010-09-03 23:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-03 23:28 . 2007-03-29 01:25 -------- d-----w- c:\users\Moratu\AppData\Roaming\Apple Computer
2010-09-03 23:27 . 2008-12-09 10:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-03 23:27 . 2010-09-03 23:27 53632 ----a-w- c:\users\Moratu\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-03 23:27 . 2009-11-16 02:54 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-03 19:17 . 2007-02-10 17:20 1356 ----a-w- c:\users\Moratu\AppData\Local\d3d9caps.dat
2010-09-03 19:08 . 2008-06-18 13:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 19:04 . 2009-02-14 09:07 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-03 06:04 . 2008-12-11 03:31 -------- d-----w- c:\program files\SpywareBlaster
2010-09-02 02:40 . 2007-04-28 02:15 -------- d-----w- c:\programdata\Microsoft Help
2010-09-02 02:39 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-02 01:18 . 2007-01-06 01:59 35920 ----a-w- c:\windows\system32\drivers\nvstor.sys
2010-09-02 00:28 . 2010-09-02 00:28 388096 ----a-r- c:\users\Moratu\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-31 23:49 . 2009-04-28 05:07 -------- d-----w- c:\users\Moratu\AppData\Roaming\Skype
2010-08-31 23:48 . 2009-04-28 05:13 -------- d-----w- c:\users\Moratu\AppData\Roaming\skypePM
2010-08-31 04:30 . 2008-07-13 03:19 -------- d-----w- c:\programdata\avg8
2010-08-23 23:09 . 2008-06-18 03:43 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-23 23:09 . 2010-08-23 23:09 92280 ----a-w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
2010-08-23 23:09 . 2009-01-31 06:39 -------- d-----w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab
2010-08-22 19:22 . 2008-05-12 19:37 -------- d-----w- c:\program files\Emulator
2010-08-18 20:22 . 2007-02-10 17:02 70864 ----a-w- c:\users\Moratu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-08 03:41 . 2010-08-08 03:41 -------- d-----w- c:\users\Moratu\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-08-08 03:40 . 2010-08-08 03:40 -------- d-----w- c:\program files\Picaboo X
2010-08-03 22:10 . 2010-02-10 00:49 -------- d-----w- c:\program files\Google
2010-07-31 14:35 . 2010-07-31 14:35 -------- d-----w- c:\users\Moratu\AppData\Roaming\Flickr
2010-07-31 14:34 . 2010-07-31 14:34 -------- d-----w- c:\program files\Flickr Uploadr
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:42 . 2010-07-28 15:42 -------- d-----w- c:\program files\Enterbrain
2010-07-28 15:38 . 2010-07-28 15:38 -------- d-----w- c:\program files\Common Files\Enterbrain
2010-07-28 00:49 . 2009-10-29 17:56 -------- d-----w- c:\program files\SpeedBit Video Downloader
2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-24 01:33 . 2010-07-24 01:33 120 ----a-w- c:\users\Moratu\AppData\Local\Pfaweqixiwuhuq.dat
2010-07-22 18:24 . 2010-07-22 18:24 -------- d-----w- c:\program files\Common Files\Skype
2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 14:05 . 2010-07-07 14:05 14904 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-06-26 06:05 . 2010-09-02 01:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-09-02 01:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-09-02 01:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-09-02 01:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2010-07-08 1082088]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-13 2969496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13939816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-29 10664]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-11-12 3403420]
R3 npkycryp;npkycryp;c:\nexon\MapleStory\npkycryp.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 14904]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XDva011;XDva011;c:\windows\system32\XDva011.sys [x]
R3 XDva020;XDva020;c:\windows\system32\XDva020.sys [x]
R3 XDva136;XDva136;c:\windows\system32\XDva136.sys [x]
R3 XDva281;XDva281;c:\windows\system32\XDva281.sys [x]
R3 XDva295;XDva295;c:\windows\system32\XDva295.sys [x]
R3 XDva326;XDva326;c:\windows\system32\XDva326.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-07-13 717296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2008-05-19 370872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-09-14 c:\windows\Tasks\User_Feed_Synchronization-{47F3090E-BE59-4670-B66F-0AF53CDB1D56}.job
- c:\windows\system32\msfeedssync.exe [2010-09-02 04:24]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://157.238.137.246/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\users\Moratu\AppData\Roaming\Mozilla\Firefox\Profiles\bbq685r0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.sparkpeople.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:2f,f6,9d,35,33,7f,45,78,66,9e,14,8a,31,d0,74,8e,f4,52,e9,b0,c4,7c,d5,
2a,a0,da,7c,72,55,78,6c,e2,6f,f7,0d,cb,a0,a5,61,bb,d5,e8,64,2a,77,24,0a,c7,\
"??"=hex:3f,eb,b2,a8,d5,51,4b,c2,1b,01,ec,08,0f,18,11,95
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\License information*]
"datasecu"=hex:e2,48,17,61,5f,fd,77,85,69,1a,de,64,a2,2f,e4,97,8d,fd,c9,8f,85,
ee,3e,68,b9,58,34,3b,9b,8e,95,6e,40,f1,72,5e,5d,dc,ec,a4,e8,d2,4f,2c,d0,c7,\
"rkeysecu"=hex:17,0c,8b,a8,75,cb,05,56,56,b0,06,85,72,9c,ba,40
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(8852)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxczcoms.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\users\Moratu\AppData\Local\TVersity\Media Server\MediaServer.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-09-14 20:58:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-15 00:58
ComboFix2.txt 2010-09-14 17:14
Pre-Run: 127,555,866,624 bytes free
Post-Run: 127,515,795,456 bytes free
- - End Of File - - 07BB053C83D8F769E230A241BB24172E
Sorry, I didn't do the last one correctly.
Copy/paste the text in the Codebox below into notepad:
Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:
Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.
File::
c:\windows\system32\XDva011.sys
c:\windows\system32\XDva020.sys
c:\windows\system32\XDva136.sys
c:\windows\system32\XDva281.sys
c:\windows\system32\XDva295.sys
c:\windows\system32\XDva326.sys
Driver::
XDva011
XDva020
XDva136
XDva281
XDva295
XDva326
Save this file to your desktop, Save this as "CFScript"
Here's how to do that:
1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Drag CFScript.txt into ComboFix.exe
Then post the results log using Copy / Paste
Also please describe how your computer behaves at the moment.
Here you go. Ran it again with the new code. Nothing has changed as far as I can tell.
ComboFix 10-09-14.05 - Moratu 09/15/2010 14:54:38.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1751 [GMT -4:00]
Running from: c:\users\Moratu\Desktop\ComboFix.exe
Command switches used :: c:\users\Moratu\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\windows\system32\XDva011.sys"
"c:\windows\system32\XDva020.sys"
"c:\windows\system32\XDva136.sys"
"c:\windows\system32\XDva281.sys"
"c:\windows\system32\XDva295.sys"
"c:\windows\system32\XDva326.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_XDVA011
-------\Legacy_XDVA020
-------\Legacy_XDVA136
-------\Legacy_XDVA281
-------\Legacy_XDVA295
-------\Legacy_XDVA326
-------\Service_XDva011
-------\Service_XDva020
-------\Service_XDva136
-------\Service_XDva281
-------\Service_XDva295
-------\Service_XDva326
((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.
2010-09-13 02:29 . 2010-09-13 02:30 -------- d-----w- c:\programdata\PMB Files
2010-09-13 02:29 . 2010-09-13 02:29 -------- d-----w- c:\program files\Pando Networks
2010-09-13 02:10 . 2010-09-13 02:10 -------- d-----w- c:\users\Moratu\AppData\Local\The Lord of the Rings Online
2010-09-13 00:06 . 2010-09-13 00:20 -------- d-----w- c:\users\Moratu\AppData\Local\Apple Computer
2010-09-13 00:01 . 2010-09-13 01:56 -------- d-----w- c:\users\Moratu\AppData\Local\Adobe
2010-09-12 22:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-12 22:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-12 22:04 . 2010-09-12 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com
2010-09-05 18:18 . 2010-09-05 18:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-05 17:29 . 2010-09-05 17:29 -------- d-----w- c:\program files\Safer Networking
2010-09-03 23:48 . 2010-09-03 23:48 -------- d-----w- c:\program files\Common Files\Java
2010-09-03 23:48 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 23:37 . 2010-09-03 23:37 -------- d-----w- c:\program files\iPod
2010-09-03 23:37 . 2010-09-03 23:38 -------- d-----w- c:\program files\iTunes
2010-09-03 23:32 . 2010-09-03 23:32 -------- d-----w- c:\program files\Bonjour
2010-09-03 22:00 . 2010-09-03 22:00 -------- d-----w- c:\program files\Secunia
2010-09-03 19:11 . 2010-09-03 19:11 -------- d--h--w- c:\windows\PIF
2010-09-03 19:03 . 2010-09-03 19:03 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-09-02 01:34 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-09-02 01:34 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-09-02 01:34 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-09-02 01:34 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-09-02 01:34 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-09-02 01:34 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-02 01:34 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-02 01:34 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-31 04:43 . 2010-08-31 04:43 -------- d-----w- c:\users\Moratu\AppData\Roaming\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\programdata\Avira
2010-08-31 04:38 . 2010-08-31 04:38 -------- d-----w- c:\program files\Avira
2010-08-31 04:38 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-31 04:38 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-31 04:38 . 2009-05-11 16:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-31 04:38 . 2009-05-11 16:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-30 02:07 . 2010-09-12 23:41 -------- d-----w- c:\users\Moratu\Tracing
2010-08-24 03:36 . 2010-08-24 03:36 -------- d-----w- c:\program files\Atari
2010-08-24 00:40 . 2010-08-24 19:21 -------- d-----w- c:\users\Moratu\AppData\Local\The Witcher
2010-08-24 00:28 . 2010-08-24 01:59 -------- d-----w- c:\program files\The Witcher
2010-08-22 21:43 . 2010-08-22 21:45 -------- d-----w- c:\program files\Jnes
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\program files\Free Fire Screensaver
2010-08-22 16:22 . 2010-08-22 16:22 -------- d-----w- c:\users\Moratu\AppData\Roaming\Laconic Software
2010-08-22 15:52 . 2010-08-22 15:52 -------- d-----w- c:\program files\RocketDock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 19:18 . 2009-12-09 06:37 37773 ----a-w- c:\programdata\nvModes.dat
2010-09-15 02:38 . 2010-06-24 01:24 -------- d-----w- c:\users\Moratu\AppData\Roaming\DisplayFusion
2010-09-15 02:37 . 2010-09-15 02:37 60152 ----a-w- c:\users\Moratu\AppData\Roaming\DisplayFusion\DisplayFusionHookx64_8af9d6b0-f589-47a3-9d37-b1cdccb9e6cc.dll
2010-09-15 02:37 . 2010-09-15 02:37 47864 ----a-w- c:\users\Moratu\AppData\Roaming\DisplayFusion\DisplayFusionHookx86_34ad846b-45a4-4c03-9499-3ecc532292da.dll
2010-09-15 02:37 . 2010-06-24 01:23 -------- d-----w- c:\program files\DisplayFusion
2010-09-13 11:02 . 2009-11-05 16:31 -------- d-----w- c:\program files\Turbine
2010-09-13 01:08 . 2010-02-01 22:18 -------- d-----w- c:\users\Moratu\AppData\Roaming\HpUpdate
2010-09-13 01:02 . 2008-07-13 04:01 -------- d-----w- c:\programdata\Lavasoft
2010-09-13 00:21 . 2009-01-27 07:15 -------- d-----w- c:\programdata\Apple Computer
2010-09-12 23:10 . 2007-03-15 01:52 -------- d-----w- c:\program files\Common Files\AOL
2010-09-07 18:38 . 2007-02-10 18:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-07 06:18 . 2010-09-05 18:19 63488 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-07 06:18 . 2010-09-05 18:19 117760 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-05 18:26 . 2007-11-02 02:56 -------- d-----w- c:\programdata\NVIDIA
2010-09-05 18:19 . 2010-09-05 18:19 52224 ----a-w- c:\users\Moratu\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-05 17:24 . 2009-08-10 05:56 -------- d-----r- c:\program files\Skype
2010-09-05 17:21 . 2007-06-06 01:18 -------- d-----w- c:\program files\CCleaner
2010-09-05 17:15 . 2007-02-10 18:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-05 17:11 . 2008-12-09 07:10 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-09-05 17:08 . 2010-02-09 23:01 -------- d-----w- c:\program files\Workspace Macro Pro 6.5
2010-09-05 17:07 . 2010-02-04 06:26 -------- d-----w- c:\programdata\ijjigame
2010-09-05 17:05 . 2007-05-21 04:09 -------- d-----w- c:\program files\RealMedia
2010-09-04 13:00 . 2009-09-11 21:44 -------- d-----w- c:\program files\City of Heroes
2010-09-03 23:48 . 2007-10-31 05:35 -------- d-----w- c:\program files\Java
2010-09-03 23:37 . 2009-01-27 07:18 -------- d-----w- c:\program files\Common Files\Apple
2010-09-03 23:35 . 2007-03-29 01:16 -------- d-----w- c:\program files\QuickTime
2010-09-03 23:31 . 2010-09-03 23:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-03 23:28 . 2007-03-29 01:25 -------- d-----w- c:\users\Moratu\AppData\Roaming\Apple Computer
2010-09-03 23:27 . 2008-12-09 10:44 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-03 23:27 . 2010-09-03 23:27 53632 ----a-w- c:\users\Moratu\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-03 23:27 . 2009-11-16 02:54 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-03 19:17 . 2007-02-10 17:20 1356 ----a-w- c:\users\Moratu\AppData\Local\d3d9caps.dat
2010-09-03 19:08 . 2008-06-18 13:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 19:04 . 2009-02-14 09:07 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-03 06:04 . 2008-12-11 03:31 -------- d-----w- c:\program files\SpywareBlaster
2010-09-02 02:40 . 2007-04-28 02:15 -------- d-----w- c:\programdata\Microsoft Help
2010-09-02 02:39 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-02 01:18 . 2007-01-06 01:59 35920 ----a-w- c:\windows\system32\drivers\nvstor.sys
2010-09-02 00:28 . 2010-09-02 00:28 388096 ----a-r- c:\users\Moratu\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-31 23:49 . 2009-04-28 05:07 -------- d-----w- c:\users\Moratu\AppData\Roaming\Skype
2010-08-31 23:48 . 2009-04-28 05:13 -------- d-----w- c:\users\Moratu\AppData\Roaming\skypePM
2010-08-31 04:30 . 2008-07-13 03:19 -------- d-----w- c:\programdata\avg8
2010-08-23 23:09 . 2008-06-18 03:43 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-23 23:09 . 2010-08-23 23:09 92280 ----a-w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.3.1.0A.dll
2010-08-23 23:09 . 2009-01-31 06:39 -------- d-----w- c:\users\Moratu\AppData\Roaming\SystemRequirementsLab
2010-08-22 19:22 . 2008-05-12 19:37 -------- d-----w- c:\program files\Emulator
2010-08-18 20:22 . 2007-02-10 17:02 70864 ----a-w- c:\users\Moratu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-08 03:41 . 2010-08-08 03:41 -------- d-----w- c:\users\Moratu\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
2010-08-08 03:40 . 2010-08-08 03:40 -------- d-----w- c:\program files\Picaboo X
2010-08-03 22:10 . 2010-02-10 00:49 -------- d-----w- c:\program files\Google
2010-07-31 14:35 . 2010-07-31 14:35 -------- d-----w- c:\users\Moratu\AppData\Roaming\Flickr
2010-07-31 14:34 . 2010-07-31 14:34 -------- d-----w- c:\program files\Flickr Uploadr
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:45 . 2010-07-28 15:43 1682 --sha-w- c:\programdata\KGyGaAvL.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:43 . 2010-07-28 15:43 88 --sh--r- c:\programdata\155ECBEA81.sys
2010-07-28 15:42 . 2010-07-28 15:42 -------- d-----w- c:\program files\Enterbrain
2010-07-28 15:38 . 2010-07-28 15:38 -------- d-----w- c:\program files\Common Files\Enterbrain
2010-07-28 00:49 . 2009-10-29 17:56 -------- d-----w- c:\program files\SpeedBit Video Downloader
2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-24 01:33 . 2010-07-24 01:33 120 ----a-w- c:\users\Moratu\AppData\Local\Pfaweqixiwuhuq.dat
2010-07-22 18:24 . 2010-07-22 18:24 -------- d-----w- c:\program files\Common Files\Skype
2010-07-09 20:37 . 2010-07-09 20:37 1469544 ----a-w- c:\windows\system32\nvsvc.dll
2010-07-09 20:37 . 2010-07-09 20:37 13939816 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:37 . 2010-07-09 20:37 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:37 . 2010-07-09 20:37 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-07 14:05 . 2010-07-07 14:05 14904 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-06-26 06:05 . 2010-09-02 01:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-09-02 01:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-09-02 01:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-09-02 01:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2010-09-14 1275624]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-13 2969496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13939816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-29 10664]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-11-12 3403420]
R3 npkycryp;npkycryp;c:\nexon\MapleStory\npkycryp.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 14904]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-07-13 717296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2008-05-19 370872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-09-15 c:\windows\Tasks\User_Feed_Synchronization-{47F3090E-BE59-4670-B66F-0AF53CDB1D56}.job
- c:\windows\system32\msfeedssync.exe [2010-09-02 04:24]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://157.238.137.246/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\users\Moratu\AppData\Roaming\Mozilla\Firefox\Profiles\bbq685r0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.sparkpeople.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-15 15:18
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:2f,f6,9d,35,33,7f,45,78,66,9e,14,8a,31,d0,74,8e,f4,52,e9,b0,c4,7c,d5,
2a,a0,da,7c,72,55,78,6c,e2,6f,f7,0d,cb,a0,a5,61,bb,d5,e8,64,2a,77,24,0a,c7,\
"??"=hex:3f,eb,b2,a8,d5,51,4b,c2,1b,01,ec,08,0f,18,11,95
[HKEY_USERS\S-1-5-21-581195064-1276845120-4058798169-1000\Software\SecuROM\License information*]
"datasecu"=hex:e2,48,17,61,5f,fd,77,85,69,1a,de,64,a2,2f,e4,97,8d,fd,c9,8f,85,
ee,3e,68,b9,58,34,3b,9b,8e,95,6e,40,f1,72,5e,5d,dc,ec,a4,e8,d2,4f,2c,d0,c7,\
"rkeysecu"=hex:17,0c,8b,a8,75,cb,05,56,56,b0,06,85,72,9c,ba,40
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(9996)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxczcoms.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\users\Moratu\AppData\Local\TVersity\Media Server\MediaServer.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-09-15 15:23:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-15 19:23
ComboFix2.txt 2010-09-15 00:58
ComboFix3.txt 2010-09-14 17:14
Pre-Run: 127,502,372,864 bytes free
Post-Run: 127,019,933,696 bytes free
- - End Of File - - 43FF0C402F16248F70835DB483A776CD
Good job
Click START Search
Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Here's my usual all clean post
To be on the safe side, I would also change all my passwords.
This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.
Log looks good
This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is succeptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly.
This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site
until there are no more critical updates.
Only run one Anti-Virus and Firewall program.
I would suggest you read:
PC Safety and Security--What Do I Need?. (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)
How to Prevent Malware: (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
Only run one Anti-Virus and Firewall program.
I would suggest you read:
PC Safety and Security--What Do I Need?. (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)
How to Prevent Malware: (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
Thanks so much. It is such a relief to have a clean, smooth running computer. I do have a question for you pertaining to my recovery point. The recovery point I have is from before all your wonderful help. Is it now safe to delete that and make a clean one? I feel that is the only thing I have left to do. Thanks again.
Combofix created a new Restore Point.
To remove all the older ones:
http://www.mydigitallife.info/2007/07/03/vista-reclaim-and-release-disk-space-from-system-restore-and-shadow-copies/
Wonderful. If anything changes, I will be sure to let you know. Thank you very much.