
Thread: Win32.agent.adb and others...

  1. #21 Senior Member (Join Date: Jun 2012, Location: Malaysia, Posts: 121)

    Hi pikpik:

    The log is empty, I'm sorry. I tried to run the scan again, but it keeps saying that it can't download the update, and that I need to configure the proxy?
    If you do not use a proxy, you don't need to configure it.
    Try again if you can, but if not, just ignore it. We will try another tool.

    H:/ is the external hard drive and D:/ is an older hard drive. I think D:/ is the one that's causing most of the problems, although H is set up to back up D automatically, so they might be connected.
    1. Is it possible to remove the "old man" temporarily until we close this thread? I need to verify whether the "crash" was caused by malware or hardware.

    MBAM kept crashing midway through the scan.
    2. Correct me if I am wrong: you really mean "crash" and not "blue screen", right? Which file is causing the "crash"? Is that file located in the "old man"?


    Done, although when I opened the program it said I didn't have a hosts file period, if that makes a difference? So when I told it to restore to the MS default it created one, I think.




    3. ComboFix
    Please download ComboFix.exe... Copyrighted to sUBs. Save it to your desktop. <<--- IMPORTANT!!
    Alternate download sites: Mirror #2 or Mirror #3

    If you previously downloaded ComboFix, please delete that version and download it again. This tool is frequently updated.

    This program is a powerful tool, intended by its creator, to be "used under the guidance and supervision of trained malware removers".
    Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!


    The first thing you need to do is print out How-To-Use-ComboFix. Read these instructions thoroughly.
    You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

    1. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    2. Double click the ComboFix.exe icon on your desktop to begin execution. If you receive the "Open File - Security Warning"... press Run.
    3. Press Yes to the Disclaimer prompt.
      ComboFix screen appears... preparing to run. ComboFix will now begin creating a System Restore Point and then backup your registry.
    4. If not already installed... Press Yes to the "Install Recovery Console" prompt.
    5. Press Yes at the Recovery Console installation results prompt... Even if unsuccessful, have ComboFix continue the scan.
      Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
      ComboFix will disconnect you from the Internet, may cause your desktop to disappear and also change your clock settings... this is normal, so don't worry. They will be restored when finished. The ComboFix window data will be changing with various "Stages"... completed. When finished the screen will show that a log is being created.
      ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
      When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
    6. Please copy/paste the contents of log.txt... in your next reply.
    Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.
    ** Enable your Antivirus and Firewall, before connecting to the Internet again! **

    thanks,
    torreattack
    Graduate of Malware Removal University, - You too could train to help others

  2. #22 Junior Member (Join Date: Oct 2012, Posts: 20)

    I unplugged the external drive and after a restart and a few tries got the ESET scanner to run. Here's the log:

    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=1
    esets_scanner_update returned -1 esets_gle=1
    esets_scanner_update returned -1 esets_gle=1
    esets_scanner_update returned -1 esets_gle=1
    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=1
    esets_scanner_update returned -1 esets_gle=1
    esets_scanner_update returned -1 esets_gle=1
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=9258fdba14c30c48be70f8ed5daf0075
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2012-10-23 04:45:39
    # local_time=2012-10-23 09:45:39 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1792 16777191 100 0 124286 124286 0 0
    # compatibility_mode=6912 16777191 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=724536
    # found=16
    # cleaned=0
    # scan_time=12073
    C:\AOL30\Download\Programs\cdbxp_setup_4.4.1.3341.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
    C:\AOL30\Download\Programs\Install_AIM.exe Win32/Adware.WBug.A application (unable to clean) 00000000000000000000000000000000 I
    C:\AOL30\Download\Programs\Nero-7.10.1.0_eng_update.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
    C:\AOL30\Download\Programs\SkipScreen-Setup.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
    C:\AOL30\Download\Programs\SkipScreen-Setup_a.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
    C:\AOL30\Download\Programs\VirtumundoBeGone.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
    C:\AOL30\Download\Programs\zlsSetup_70_470_000_en.exe a variant of Win32/AdInstaller application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Documents\C\AOL30\Download\Programs\Install_AIM.exe Win32/Adware.WBug.A application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Documents\C\AOL30\Download\Programs\VirtumundoBeGone.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Documents\C\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Documents\C\VundoFix Backups\jmppo.bak1.bad Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\All Users\Documents\C\VundoFix Backups\jmppo.ini.bad Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\May-maynot want to reinstall\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (unable to clean) 00000000000000000000000000000000 I
    C:\Temp\zlsSetup_70_462_000_en.exe a variant of Win32/AdInstaller application (unable to clean) 00000000000000000000000000000000 I
    C:\Temp\zlsSetup_70_483_000_en.exe a variant of Win32/AdInstaller application (unable to clean) 00000000000000000000000000000000 I
    C:\To Reinstall\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (unable to clean) 00000000000000000000000000000000 I


    1. I think I can pull it out... I can give it a try.

    2. Yeah, the program itself crashed, not the computer, which is a bit of a relief. It happened pretty fast, but I noticed it did it multiple times in the middle of the C:\Windows\Fonts folder. I was doing a quickscan, so I don't think it would have looked in D at all...

    3. I'll give ComboFix a try and report back!

  3. #23 Senior Member (Join Date: Jun 2012, Location: Malaysia, Posts: 121)

    Hi pikpik:

    1. I am still waiting for your combofix report.

    2. By the way, according to the Eset report,
    a. Do you still want to keep that software and its installers?
    b. Did you create these folders?
    C:\Documents and Settings\All Users\Documents\C\AOL30\Download\Programs\
    C:\Documents and Settings\All Users\Documents\C\VundoFix Backups\
    C:\Program Files\May-maynot want to reinstall\AIM\Sysfiles\
    C:\To Reinstall\AIM\Sysfiles\
    3. Can you re-run Malwarebytes' Anti-Malware in Full Scan?

    4. Please give me an update of your computer's problem.

    thanks,
    torreattack
    Graduate of Malware Removal University, - You too could train to help others
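A small parser for the ESET Online Scanner log pasted earlier in this thread, added here as an example; it is not code from the thread, from ESET or from any of the tools mentioned. It assumes the layout seen in that paste (a `# key=value` header, then one finding per line with the path, the detection name, the action result in parentheses, a 32-hex-digit field and a flag) and that file names themselves contain no spaces; `SAMPLE_LOG` is a constructed sample in that layout, and `parse_eset_log`, `family`, `summarize` and `check_counts` are names chosen here. It groups the findings by folder and by detection family, which is what questions 2a and 2b above are about, and cross-checks the header's `found`/`cleaned` counters against the lines actually pasted, so a truncated paste shows up before anyone acts on it.

```python
import ntpath
import re
from collections import Counter

# Constructed sample in the layout of the ESET Online Scanner log posted in this
# thread: "# key=value" header lines, then one finding per line laid out as
#   <path> <detection> (<action result>) <32 hex digits> <flag>
SAMPLE_LOG = r"""
# version=7
# scanned=724536
# found=4
# cleaned=0
C:\AOL30\Download\Programs\Install_AIM.exe Win32/Adware.WBug.A application (unable to clean) 00000000000000000000000000000000 I
C:\AOL30\Download\Programs\Nero-7.10.1.0_eng_update.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\To Reinstall\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (unable to clean) 00000000000000000000000000000000 I
C:\Temp\zlsSetup_70_462_000_en.exe a variant of Win32/AdInstaller application (unable to clean) 00000000000000000000000000000000 I
"""

# Both the path and the detection name can contain spaces, so the line is cut
# from the right: the path ends at the last backslash-led token (assumption:
# the file name itself has no spaces), the action result sits in parentheses,
# then come a 32-hex-digit field and a one-letter flag.
FINDING_RE = re.compile(
    r"^(?P<path>.*\\[^ ]+) (?P<detection>.+?) \((?P<result>[^)]*)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)


def parse_eset_log(text):
    """Return (header dict, list of finding dicts) for one pasted ESET log."""
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value  # repeated keys (compatibility_mode) keep the last value
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(m.groupdict())
    return header, findings


def family(detection):
    """Reduce 'a variant of Win32/AdInstaller application' to 'Win32/AdInstaller'."""
    prefix = "a variant of "
    name = detection[len(prefix):] if detection.startswith(prefix) else detection
    first = name.split(" ", 1)[0]
    # Detection names carry a platform prefix like Win32/; anything else
    # ("multiple threats") is kept whole.
    return first if "/" in first else name


def summarize(findings):
    """Group findings by folder and detection family; count what was not cleaned."""
    by_folder = Counter(ntpath.dirname(f["path"]) for f in findings)
    by_family = Counter(family(f["detection"]) for f in findings)
    unresolved = sum(1 for f in findings if not f["result"].startswith("cleaned"))
    return {"by_folder": by_folder, "by_family": by_family, "unresolved": unresolved}


def check_counts(header, findings):
    """Cross-check the header's found/cleaned counters against the pasted lines.

    A mismatch usually means the paste was truncated or edited before posting.
    """
    problems = []
    found = int(header.get("found", "-1"))
    if found != len(findings):
        problems.append(f"header says found={found} but {len(findings)} finding lines were parsed")
    cleaned = int(header.get("cleaned", "0"))
    cleaned_lines = sum(1 for f in findings if f["result"].startswith("cleaned"))
    if cleaned != cleaned_lines:
        problems.append(f"header says cleaned={cleaned} but {cleaned_lines} lines report a clean")
    return problems


if __name__ == "__main__":
    hdr, items = parse_eset_log(SAMPLE_LOG)
    report = summarize(items)
    print(f"scanned={hdr.get('scanned')} found={hdr.get('found')} cleaned={hdr.get('cleaned')}")
    print("findings per folder:")
    for folder, n in report["by_folder"].most_common():
        print(f"{n:3d}  {folder}")
    print("findings per detection family:")
    for fam, n in report["by_family"].most_common():
        print(f"{n:3d}  {fam}")
    print("unresolved findings:", report["unresolved"])
    for p in check_counts(hdr, items):
        print("WARNING:", p)
```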

  4. #24 Junior Member (Join Date: Oct 2012, Posts: 20)

    Ah sorry, here is the Combofix report. I was a little nervous to run it given how unstable my computer's been running scans lately, but I think it ran okay. I was a little startled when it restarted the computer but I guess it's supposed to do that?


    ComboFix 12-10-26.05 - Zarla 10/26/2012 11:27:16.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2632 [GMT -7:00]
    Running from: c:\documents and settings\Zarla\Desktop\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Outpost Security Suite *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
    FW: Outpost Security Suite *Disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Zarla\WINDOWS
    c:\windows\Fonts\Pokemon Unown GB.fon
    c:\windows\system32\PowerToyReadme.htm
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-26 to 2012-10-26 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-22 21:37 . 2011-03-21 23:27 708760 ----a-w- c:\windows\system32\drivers\SandBox.sys
    2012-10-22 21:37 . 2011-02-03 00:04 242040 ----a-w- c:\windows\system32\drivers\VBEngNT.sys
    2012-10-22 21:37 . 2010-09-27 22:40 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
    2012-10-22 21:37 . 2010-04-20 23:05 34280 ----a-w- c:\windows\system32\drivers\afw.sys
    2012-10-22 21:36 . 2012-10-26 17:01 -------- d-----w- c:\windows\system32\Filt
    2012-10-22 21:36 . 2012-10-22 21:36 -------- d-----w- c:\program files\Agnitum
    2012-10-22 21:36 . 2012-10-22 21:36 -------- d-----w- c:\documents and settings\Zarla\Application Data\Agnitum
    2012-10-22 21:36 . 2012-10-22 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
    2012-10-22 05:22 . 2012-09-25 06:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-10-21 15:54 . 2012-10-21 15:54 -------- d-----w- c:\program files\ESET
    2012-10-21 15:22 . 2012-10-21 15:22 -------- d-----w- C:\_OTL
    2012-10-15 00:14 . 2012-10-15 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
    2012-10-15 00:10 . 2012-10-15 00:10 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ATI
    2012-10-15 00:10 . 2012-10-15 00:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
    2012-10-14 16:21 . 2001-08-17 20:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
    2012-10-14 16:21 . 2001-08-17 19:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
    2012-10-14 16:21 . 2001-08-17 19:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
    2012-10-14 16:21 . 2001-08-17 19:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
    2012-10-14 16:21 . 2008-04-14 07:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
    2012-10-14 16:21 . 2001-08-17 19:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
    2012-10-14 16:21 . 2001-08-18 05:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
    2012-10-14 16:21 . 2001-08-17 19:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
    2012-10-14 16:18 . 2001-08-17 20:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
    2012-10-14 16:18 . 2008-04-14 07:24 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
    2012-10-14 16:18 . 2001-08-17 20:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
    2012-10-14 16:18 . 2001-08-17 19:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
    2012-10-14 16:18 . 2001-08-17 19:20 126080 -c--a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
    2012-10-14 16:18 . 2001-08-17 19:12 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
    2012-10-14 16:18 . 2008-04-14 05:05 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
    2012-10-14 16:18 . 2001-08-17 19:11 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
    2012-10-14 16:18 . 2001-08-17 19:50 39264 -c--a-w- c:\windows\system32\dllcache\neo20xx.sys
    2012-10-14 16:18 . 2001-08-18 05:36 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
    2012-10-14 16:16 . 2001-08-17 19:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
    2012-10-14 16:16 . 2008-04-14 07:11 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
    2012-10-14 16:16 . 2001-08-17 21:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
    2012-10-14 16:16 . 2001-08-18 05:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
    2012-10-14 16:16 . 2001-08-17 20:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
    2012-10-14 16:16 . 2001-08-17 19:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
    2012-10-14 16:16 . 2001-08-17 20:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
    2012-10-14 16:14 . 2001-08-18 05:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
    2012-10-14 16:13 . 2001-08-17 20:28 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
    2012-10-14 16:12 . 2001-08-17 19:13 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys
    2012-10-14 16:11 . 2001-08-17 19:10 55999 -c--a-w- c:\windows\system32\dllcache\el556nd5.sys
    2012-10-14 16:10 . 2001-08-18 05:36 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
    2012-10-14 16:09 . 2001-08-17 20:52 26496 -c--a-w- c:\windows\system32\dllcache\asc.sys
    2012-10-14 15:46 . 2012-03-06 17:27 66520 ----a-w- c:\program files\Mozilla Firefox\plugins\npnul32.dll
    2012-10-13 08:29 . 2012-10-13 08:29 -------- d-----w- C:\1da8f621714b45561fd86f83fdc1
    2012-10-13 02:57 . 2012-10-13 02:57 -------- d-----w- c:\program files\ASIO4ALL v2
    2012-10-11 20:49 . 2012-10-11 21:30 -------- d-----w- c:\documents and settings\Zarla\Application Data\MeldaProduction
    2012-10-11 10:56 . 2012-10-11 10:56 -------- d-----w- c:\documents and settings\Zarla\Application Data\Avira
    2012-10-11 10:53 . 2012-10-02 00:14 134184 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2012-10-11 10:53 . 2012-09-24 16:58 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2012-10-11 10:53 . 2012-09-13 17:58 83792 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-10-11 10:52 . 2012-10-11 10:52 -------- d-----w- c:\program files\Avira
    2012-10-11 10:52 . 2012-10-11 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2012-10-10 05:30 . 2012-10-21 15:22 -------- d-----w- c:\documents and settings\Administrator
    2012-10-07 22:11 . 2012-10-07 22:11 -------- d-----w- c:\documents and settings\Zarla\Application Data\CoCo Systems
    2012-10-07 22:06 . 2012-10-07 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\CoCo Systems
    2012-10-07 22:06 . 2012-10-07 22:06 -------- d-----w- c:\program files\CoCo Systems
    2012-10-06 11:50 . 2012-10-06 11:50 -------- d-----w- c:\documents and settings\Zarla\Local Settings\Application Data\SourceTec
    2012-10-06 11:50 . 2012-10-06 11:50 -------- d-----w- c:\program files\Common Files\SourceTec
    2012-10-06 11:50 . 2012-10-06 11:50 -------- d-----w- c:\program files\SourceTec
    2012-10-06 11:23 . 2012-10-13 08:48 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-10-01 04:09 . 2012-10-01 04:09 -------- d-----w- c:\program files\ERUNT
    2012-09-30 16:22 . 2012-10-26 18:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\WTablet
    2012-09-30 07:03 . 2012-09-30 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-09-30 07:03 . 2012-09-30 07:03 -------- d-----w- c:\program files\AVAST Software
    2012-09-29 16:10 . 2012-09-29 16:10 -------- d-----w- c:\documents and settings\Zarla\Local Settings\Application Data\PCHealth
    2012-09-29 13:15 . 2012-09-29 13:15 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ServiceTest
    2012-09-29 13:10 . 2008-04-14 09:42 221184 ----a-w- c:\windows\system32\wmpns.dll
    2012-09-29 07:55 . 2012-09-29 07:55 -------- d-----w- c:\documents and settings\Zarla\Application Data\Malwarebytes
    2012-09-29 07:54 . 2012-09-29 07:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-09-29 07:54 . 2012-09-30 02:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-29 07:54 . 2012-10-22 21:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-09-29 03:19 . 2012-10-13 08:48 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-26 18:39 . 2012-10-26 18:39 1409 ----a-w- c:\windows\QTFont.for
    2012-09-01 21:07 . 2012-08-05 01:37 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-09-01 21:07 . 2012-08-05 01:37 746984 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-28 15:14 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-08-20 04:43 . 2012-08-20 04:43 588 ----a-w- c:\windows\uninstallstickies.bat
    2012-08-14 17:11 . 2012-08-14 17:11 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
    2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
    @="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
    [HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
    2011-03-31 02:01 468128 ----a-w- c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2012-08-05 1353080]
    "Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    "RTHDCPL"="RTHDCPL.EXE" [2011-12-05 20065384]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-08-14 155648]
    "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-09-25 386336]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-28 98304]
    "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2011-04-04 3107736]
    "OutpostFeedBack"="c:\program files\Agnitum\Outpost Security Suite Free\feedback.exe" [2011-03-31 517056]
    .
    c:\documents and settings\Zarla\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [2012-8-14 106496]
    Stickies.lnk - c:\program files\Stickies\stickies.exe [2012-8-19 1122304]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2012-8-16 1073152]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\auditorium\\Auditorium.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\the binding of isaac\\Isaac.exe"=
    "c:\\Program Files\\BitLord\\BitLord.exe"=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\cogs\\cogs.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\the sims 3\\Game\\Bin\\Sims3Launcher.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\the sims 3\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [3/9/2010 12:58 AM 188984]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/14/2012 10:11 AM 685816]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/11/2012 3:53 AM 36552]
    R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [10/22/2012 2:37 PM 708760]
    R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [10/22/2012 2:37 PM 2072592]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/11/2012 3:53 AM 84256]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [8/14/2012 9:30 AM 1373480]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [10/22/2012 2:37 PM 34280]
    R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [10/22/2012 2:37 PM 267624]
    R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [8/18/2012 4:44 AM 472644]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/16/2012 5:35 AM 11520]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/4/2012 4:17 PM 1691480]
    S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [10/22/2012 2:37 PM 70160]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [5/13/2012 11:12 PM 103040]
    S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [10/22/2012 2:37 PM 242040]
    S3 VBFilt;VBFilt;c:\windows\system32\Filt\VBFilt.dll [10/22/2012 2:37 PM 34096]
    S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1202660629-839522115-1003Core.job
    - c:\documents and settings\Zarla\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-16 23:29]
    .
    2012-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1202660629-839522115-1003UA.job
    - c:\documents and settings\Zarla\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-16 23:29]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Zarla\Application Data\Mozilla\Firefox\Profiles\jf4tt3qn.transferringover\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: network.proxy.type - 4
    FF - ExtSQL: 2012-09-17 23:04; thumbnailZoom@dadler.github.com; c:\documents and settings\Zarla\Application Data\Mozilla\Firefox\Profiles\jf4tt3qn.transferringover\extensions\thumbnailZoom@dadler.github.com
    FF - ExtSQL: 2012-09-29 06:55; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\documents and settings\Zarla\Application Data\Mozilla\Firefox\Profiles\jf4tt3qn.transferringover\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - ExtSQL: 2012-09-30 09:58; {46868735-c3fa-47ce-8ce7-cce51a66aceb}; c:\documents and settings\Zarla\Application Data\Mozilla\Firefox\Profiles\jf4tt3qn.transferringover\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}.xpi
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-26 11:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(228)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'explorer.exe'(2248)
    c:\windows\system32\WININET.dll
    c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre7\bin\jqs.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\windows\system32\WTablet\Wacom_TabletUser.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\iTunes\iTunes.exe
    c:\program files\Last.fm\LastFM.exe
    .
    **************************************************************************
    .
    Completion time: 2012-10-26 11:44:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-10-26 18:42
    .
    Pre-Run: 605,858,693,120 bytes free
    Post-Run: 607,019,470,848 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - C76A500E20AC71DE598F5EF909B626CD


    2a. I guess they're not important? They don't seem too important.
    2b. Yeah I created all of those. The Vundofix ones however were from an older computer that once got infected with a virus - I copied a lot of files over from the old one to the new one and I might have just copied those without thinking about it.

    3. I'll try re-running MalwareBytes.

    4. I haven't hit any bluescreens lately, but the computer's been kind of freezing a lot. Everything on the screen will freeze in place, but I'll still be able to move the mouse and hear music playing from a music player. No matter what I click on though nothing happens, so I have to restart.
    Another weird problem was when I closed Chrome last night, and a window with no text and a red X appeared, but I couldn't tell what error it was trying to tell me. When I clicked what I assumed was the okay button to make it go away, all the text on the computer seemed to disappear, then when I tried to restart it freaked out again. That hasn't happened again since the first time though, I'm not sure what that was.

    I did order a new hard drive for the older drive, so when that comes I'll try and replace it. I'm going to be out of town for the next couple days, but I'll try to check in until I get back.

  5. #25 Senior Member (Join Date: Jun 2012, Location: Malaysia, Posts: 121)

    Hi pikpik:

    1. I assume you know about the Eset report, as the report showed, some of the installer are having adware with them, just make sure you did not install them (like ask toolbar). My suggest is, if you did not need those software, the best thing is remove them.

    2. Don't worry about the software that I ask you to use to scan; we use them at many forums. However, if you find a problem or bug regarding them, just let me know, and I will keep an eye on them.

    3. The freeze problems might not be caused by malware, as most of the tools showed that you are clean, but I might be wrong. Let's see what MBAM finds.

    4. Your Firefox is outdated, please update it.

    5. Thanks for letting me know; I will keep this thread open. As for me, I will not be online during 2-4 November, as I will be visiting a tropical rain forest.

    6. Do you have any other issues?

    thanks,
    torreattack
    Graduate of Malware Removal University, - You too could train to help others

  6. #26
    Senior Member
    Join Date
    Jun 2012
    Location
    Malaysia
    Posts
    121

    Default

    Hi pikpik:

    Still need time?

    torreattack
    Graduate of Malware Removal University, - You too could train to help others

  7. #27
    Junior Member
    Join Date
    Oct 2012
    Posts
    20

    Default

    I'm sorry, I just got back! I took out the old drive and replaced it with a new one, it's still transferring files over. So far the computer hasn't hung or crashed, but I haven't been using it for very long, so I guess we'll have to see... I hope replacing the drive fixes the problem.

    I tried to run MBAM while the drive was out and with the new drive in, but both times it always crashes in the Windows Font folder...

    I've tried to update Firefox a few times, but when I uninstall it and run the installer for the new version, it'll go through the process but then won't actually open the browser. It just says it encountered an error and crashes over and over. This happened both with just moving up to 4.0 and moving up to 12.0 too, so I don't know what's happening there...

    Firefox itself in general is still crashing a lot, and when I look in the event viewer for the computer, each crash goes with a warning saying it's reached its TCP/IP security limit. I'm not sure what's causing that.

  8. #28
    Senior Member
    Join Date
    Jun 2012
    Location
    Malaysia
    Posts
    121

    Default

    Hi pikpik:

    1. I have no idea why MBAM crashed in the Windows Font folder. Does this happen to other software while scanning that folder?

    2. I am not very familiar with Firefox; if you still want to use it, you may ask your question at the Firefox forum.

    3. ComboFix - CFScript
    WARNING !
    This script is for THIS user and computer ONLY!
    Using this tool incorrectly could damage your Operating System... preventing it from starting again!


    You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

    1. Please open Notepad and copy/paste all the text below... into the window:
      Code:
      RegLock::
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="FlashBroker"
      "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
      "Enabled"=dword:00000001
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
      @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
      @Denied: (A 2) (Everyone)
      @="IFlashBroker5"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
      @="{00020424-0000-0000-C000-000000000046}"
      .
      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      "Version"="1.0"
    2. Save it to your desktop as CFScript.txt
    3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:



      This will cause ComboFix to run again.
      Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
      Do Not touch your computer when ComboFix is running!

      When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
    5. Please copy/paste the contents of log.txt... in your next reply.


    ** Enable your Antivirus and Firewall, before connecting to the Internet again! **


    4. Policy Notification

    P2P Warning!
    IMPORTANT There are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
    BitLord
    Please note whenever you use any form of P2P networking to download files you can anticipate infestations of malware to occur.
    P2P file sharing used to be fairly safe. This is no longer true...continue to use P2P sharing ...at your own risk! Keep in mind that this practice may be the source of your current malware infestation.

    I strongly recommend that you uninstall:
    BitLord

    You can do so using the Control Panel >> Add or Remove Programs function...however, that choice is up to you.
    Please read: http://forums.spybot.info/showthread.php?t=282


    5. Please give me an update regarding your computer

    thanks,
    torreattack
    Graduate of Malware Removal University, - You too could train to help others

  9. #29
    Junior Member
    Join Date
    Oct 2012
    Posts
    20

    Default

    1. Not that I'm aware of... Spybot seems to scan it okay. I haven't tried scanning it with Outpost or Avira yet.

    2. Last night Firefox crashed and now refuses to open completely, even when I uninstalled/reinstalled it. I'm not sure what's going on there. I'll check out the firefox forum.

    3. ComboFix log:

    ComboFix 12-11-05.03 - Zarla 11/06/2012 1:47.2.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2567 [GMT -8:00]
    Running from: c:\documents and settings\Zarla\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Zarla\Desktop\CFScript.txt
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Outpost Security Suite *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
    FW: Outpost Security Suite *Disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-10-06 to 2012-11-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-11-05 04:03 . 2012-11-05 04:03 1409 ----a-w- c:\windows\QTFont.for
    2012-11-03 20:43 . 2012-11-03 20:43 -------- d-----w- c:\documents and settings\Zarla\Application Data\Media Player Classic
    2012-11-03 18:25 . 2012-11-03 18:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-10-22 21:37 . 2011-03-21 23:27 708760 ----a-w- c:\windows\system32\drivers\SandBox.sys
    2012-10-22 21:37 . 2011-02-03 00:04 242040 ----a-w- c:\windows\system32\drivers\VBEngNT.sys
    2012-10-22 21:37 . 2010-09-27 22:40 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
    2012-10-22 21:37 . 2010-04-20 23:05 34280 ----a-w- c:\windows\system32\drivers\afw.sys
    2012-10-22 21:36 . 2012-11-05 18:00 -------- d-----w- c:\windows\system32\Filt
    2012-10-22 21:36 . 2012-10-22 21:36 -------- d-----w- c:\program files\Agnitum
    2012-10-22 21:36 . 2012-10-22 21:36 -------- d-----w- c:\documents and settings\Zarla\Application Data\Agnitum
    2012-10-22 21:36 . 2012-10-22 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
    2012-10-22 05:22 . 2012-09-25 06:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-10-21 15:54 . 2012-10-21 15:54 -------- d-----w- c:\program files\ESET
    2012-10-21 15:22 . 2012-10-21 15:22 -------- d-----w- C:\_OTL
    2012-10-15 00:14 . 2012-10-15 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
    2012-10-15 00:10 . 2012-10-15 00:10 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\ATI
    2012-10-15 00:10 . 2012-10-15 00:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
    2012-10-14 16:31 . 2008-04-14 12:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2012-10-14 16:29 . 2001-08-17 20:28 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
    2012-10-14 16:28 . 2001-08-17 20:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
    2012-10-14 16:27 . 2001-08-17 21:56 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
    2012-10-14 16:26 . 2008-04-14 07:10 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
    2012-10-14 16:25 . 2001-07-21 21:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
    2012-10-14 16:24 . 2001-08-18 05:36 62496 -c--a-w- c:\windows\system32\dllcache\s3mtrio.dll
    2012-10-14 16:23 . 2001-08-17 20:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
    2012-10-14 16:22 . 2001-08-18 05:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
    2012-10-14 16:21 . 2001-08-17 20:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
    2012-10-14 16:21 . 2001-08-17 19:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
    2012-10-14 16:21 . 2001-08-17 19:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
    2012-10-14 16:21 . 2001-08-17 19:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
    2012-10-14 16:21 . 2008-04-14 07:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
    2012-10-14 16:21 . 2001-08-17 19:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
    2012-10-14 16:21 . 2001-08-18 05:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
    2012-10-14 16:21 . 2001-08-17 19:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
    2012-10-14 16:18 . 2001-08-17 20:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
    2012-10-14 16:18 . 2008-04-14 07:24 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
    2012-10-14 16:18 . 2001-08-17 20:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
    2012-10-14 16:18 . 2001-08-17 19:20 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
    2012-10-14 16:18 . 2001-08-17 19:20 126080 -c--a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
    2012-10-14 16:18 . 2001-08-17 19:12 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
    2012-10-14 16:18 . 2008-04-14 05:05 132695 -c--a-w- c:\windows\system32\dllcache\netwlan5.sys
    2012-10-14 16:18 . 2001-08-17 19:11 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
    2012-10-14 16:18 . 2001-08-17 19:50 39264 -c--a-w- c:\windows\system32\dllcache\neo20xx.sys
    2012-10-14 16:18 . 2001-08-18 05:36 60480 -c--a-w- c:\windows\system32\dllcache\neo20xx.dll
    2012-10-14 16:16 . 2001-08-17 19:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
    2012-10-14 16:16 . 2008-04-14 07:11 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
    2012-10-14 16:16 . 2001-08-17 21:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
    2012-10-14 16:16 . 2001-08-18 05:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
    2012-10-14 16:16 . 2001-08-17 20:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
    2012-10-14 16:16 . 2001-08-17 19:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
    2012-10-14 16:16 . 2001-08-17 20:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
    2012-10-14 16:14 . 2001-08-18 05:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
    2012-10-14 16:13 . 2001-08-17 20:28 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
    2012-10-14 16:12 . 2001-08-17 19:13 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys
    2012-10-14 16:11 . 2001-08-17 19:10 55999 -c--a-w- c:\windows\system32\dllcache\el556nd5.sys
    2012-10-14 16:10 . 2001-08-18 05:36 175104 -c--a-w- c:\windows\system32\dllcache\csamsp.dll
    2012-10-14 16:09 . 2001-08-17 20:52 26496 -c--a-w- c:\windows\system32\dllcache\asc.sys
    2012-10-13 08:29 . 2012-10-13 08:29 -------- d-----w- C:\1da8f621714b45561fd86f83fdc1
    2012-10-13 02:57 . 2012-10-13 02:57 -------- d-----w- c:\program files\ASIO4ALL v2
    2012-10-11 20:49 . 2012-10-11 21:30 -------- d-----w- c:\documents and settings\Zarla\Application Data\MeldaProduction
    2012-10-11 10:56 . 2012-10-11 10:56 -------- d-----w- c:\documents and settings\Zarla\Application Data\Avira
    2012-10-11 10:53 . 2012-11-04 00:00 133824 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2012-10-11 10:53 . 2012-09-24 16:58 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2012-10-11 10:53 . 2012-09-13 17:58 83792 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2012-10-11 10:52 . 2012-10-11 10:52 -------- d-----w- c:\program files\Avira
    2012-10-11 10:52 . 2012-10-11 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2012-10-10 05:30 . 2012-10-21 15:22 -------- d-----w- c:\documents and settings\Administrator
    2012-10-07 22:11 . 2012-10-07 22:11 -------- d-----w- c:\documents and settings\Zarla\Application Data\CoCo Systems
    2012-10-07 22:06 . 2012-10-07 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\CoCo Systems
    2012-10-07 22:06 . 2012-10-07 22:06 -------- d-----w- c:\program files\CoCo Systems
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-11-04 04:43 . 2012-08-04 09:58 102400 ----a-w- c:\windows\DUMP5c0a.tmp
    2012-10-13 08:48 . 2012-10-06 11:23 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-10-13 08:48 . 2012-09-29 03:19 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-09-30 02:54 . 2012-09-29 07:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-01 21:07 . 2012-08-05 01:37 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-09-01 21:07 . 2012-08-05 01:37 746984 ----a-w- c:\windows\system32\deployJava1.dll
    2012-08-28 15:14 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2012-08-20 04:43 . 2012-08-20 04:43 588 ----a-w- c:\windows\uninstallstickies.bat
    2012-08-14 17:11 . 2012-08-14 17:11 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
    2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
    @="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
    [HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
    2011-03-31 02:01 468128 ----a-w- c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2012-08-05 1353080]
    "Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    "RTHDCPL"="RTHDCPL.EXE" [2011-12-05 20065384]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-08-14 155648]
    "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-11-03 384800]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-28 98304]
    "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2011-04-04 3107736]
    "OutpostFeedBack"="c:\program files\Agnitum\Outpost Security Suite Free\feedback.exe" [2011-03-31 517056]
    .
    c:\documents and settings\Zarla\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [2012-8-14 106496]
    Stickies.lnk - c:\program files\Stickies\stickies.exe [2012-8-19 1122304]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2012-8-16 1073152]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\auditorium\\Auditorium.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\the binding of isaac\\Isaac.exe"=
    "c:\\Program Files\\BitLord\\BitLord.exe"=
    "c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\cogs\\cogs.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\the sims 3\\Game\\Bin\\Sims3Launcher.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\the sims 3\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
    .
    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [3/8/2010 11:58 PM 188984]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/14/2012 9:11 AM 685816]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/11/2012 2:53 AM 36552]
    R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [10/22/2012 1:37 PM 708760]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/11/2012 2:53 AM 84256]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [8/14/2012 8:30 AM 1373480]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 3:24 PM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [10/22/2012 1:37 PM 34280]
    R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [10/22/2012 1:37 PM 267624]
    R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [8/18/2012 3:44 AM 472644]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [8/16/2012 4:35 AM 11520]
    S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [10/22/2012 1:37 PM 2072592]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/4/2012 3:17 PM 1691480]
    S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [10/22/2012 1:37 PM 70160]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [5/13/2012 10:12 PM 103040]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/3/2012 10:25 AM 40776]
    S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [10/22/2012 1:37 PM 242040]
    S3 VBFilt;VBFilt;c:\windows\system32\Filt\VBFilt.dll [10/22/2012 1:37 PM 34096]
    S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1202660629-839522115-1003Core.job
    - c:\documents and settings\Zarla\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-16 23:29]
    .
    2012-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1202660629-839522115-1003UA.job
    - c:\documents and settings\Zarla\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-16 23:29]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Zarla\Application Data\Mozilla\Firefox\Profiles\jf4tt3qn.transferringover\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: network.proxy.type - 4
    FF - ExtSQL: 2012-09-17 23:04; thumbnailZoom@dadler.github.com; c:\documents and settings\Zarla\Application Data\Mozilla\Firefox\Profiles\jf4tt3qn.transferringover\extensions\thumbnailZoom@dadler.github.com
    FF - ExtSQL: 2012-09-29 06:55; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\documents and settings\Zarla\Application Data\Mozilla\Firefox\Profiles\jf4tt3qn.transferringover\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - ExtSQL: 2012-09-30 09:58; {46868735-c3fa-47ce-8ce7-cce51a66aceb}; c:\documents and settings\Zarla\Application Data\Mozilla\Firefox\Profiles\jf4tt3qn.transferringover\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}.xpi
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-11-06 01:52
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1264)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'explorer.exe'(4656)
    c:\windows\system32\WININET.dll
    c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2012-11-06 01:54:46
    ComboFix-quarantined-files.txt 2012-11-06 09:54
    ComboFix2.txt 2012-10-26 18:44
    .
    Pre-Run: 605,119,959,040 bytes free
    Post-Run: 605,115,465,728 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - 253F48A3B0C9F641CBD07DABBEC1756D


    During the process though, something called dumphives.3XE crashed twice. It seemed to complete the process okay, but I'm not sure what that means?


    4. BitLord was on the old computer where I transferred all these files from, I thought I hadn't reinstalled it on this one... I'll look around.


    5. I got I think two bluescreens over the past few days, but they were mostly when I was transferring my drive D backup from the external H drive to the new drive D. Once the backup finished, it seems to have calmed down a little. Windows said it was some kind of hardware issue for one.
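    A small triage helper, added here as an example (it is not ComboFix's or the forum's own code), that parses the log format pasted above: the file lines with their attribute flags and the Windows Firewall policy keys, and reports what a reviewer would look at first (hidden system files, the firewall being off, exceptions for P2P clients or non-executables). The attribute-letter meanings (s = system, h = hidden) and the P2P name list are assumptions; the sample log is constructed from lines in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines taken from the ComboFix log above.
SAMPLE_LOG = """\
2012-10-11 10:53 . 2012-09-13 17:58 83792 ----a-w- c:\\windows\\system32\\drivers\\avgntflt.sys
2012-10-22 21:36 . 2012-10-22 21:36 -------- d-----w- c:\\program files\\Agnitum
2006-05-03 09:06 163328 --sh--r- c:\\windows\\system32\\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\\windows\\system32\\msfDX.dll
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"%windir%\\\\system32\\\\sessmgr.exe"=
"c:\\\\Program Files\\\\BitLord\\\\BitLord.exe"=
"c:\\\\Program Files\\\\Steam\\\\steamapps\\\\common\\\\the sims 3\\\\Support\\\\EA Help\\\\Electronic_Arts_Technical_Support.htm"=
"""

# "<created> [. <modified>] <size|--------> <8 attribute letters> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')

# P2P client named in this thread; extend with others you care about (assumption).
P2P_NAMES = ("bitlord",)


@dataclass
class FileEntry:
    created: str
    modified: Optional[str]
    size: Optional[int]       # None for directories ("--------" in the log)
    attrs: str
    path: str

    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    def hidden_system(self) -> bool:
        # Assumed letter meanings: s = system, h = hidden. Both set on a DLL
        # in system32 is unusual and worth a look (flvDX.dll / msfDX.dll above).
        return "s" in self.attrs and "h" in self.attrs


def parse_file_entries(text: str) -> List[FileEntry]:
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def suspicious_files(entries: List[FileEntry]) -> List[FileEntry]:
    return [e for e in entries if not e.is_dir() and e.hidden_system()]


def firewall_findings(text: str) -> List[str]:
    """Walk the REGEDIT4-style section of the log and report firewall policy oddities."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["key"].lower()
            continue
        if "firewallpolicy" not in section:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m["name"], m["value"].strip()
        if section.endswith("authorizedapplications\\list"):
            app = name.replace("\\\\", "\\")          # registry export doubles backslashes
            base = app.rsplit("\\", 1)[-1].lower()
            if any(p in base for p in P2P_NAMES):
                findings.append(f"P2P client allowed through firewall: {app}")
            elif not base.endswith(".exe"):
                findings.append(f"non-executable in firewall exception list: {app}")
        elif name == "EnableFirewall" and value.startswith("0"):
            # Expected when a third-party firewall (Outpost here) replaces the
            # Windows one; still confirm that is the case rather than assume it.
            findings.append(f"Windows Firewall disabled for {section.rsplit(chr(92), 1)[-1]} profile")
    return findings


if __name__ == "__main__":
    for e in suspicious_files(parse_file_entries(SAMPLE_LOG)):
        print("hidden+system file:", e.path, e.attrs)
    for f in firewall_findings(SAMPLE_LOG):
        print("firewall:", f)
```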

  10. #30
    Senior Member
    Join Date
    Jun 2012
    Location
    Malaysia
    Posts
    121

    Default

    Hi pikpik:

    As I said before, your major problem might be caused by hardware rather than software (malware).

    As for Firefox, you may try Revo Uninstaller to uninstall it.

    As your problem seems "solved", are there any other issues before I post my "all clean" speech?

    torreattack
    Graduate of Malware Removal University, - You too could train to help others
