14 replies to this topic

[Gigabeef]

I can see there have been a few people on here asking about this already. Same old story - started as a different infection and everything was removed by MBAM and Avira, except uacinit.dll which MBAM says needs to be removed by rebooting. I reboot and MBAM quarantines it, but a new copy is still in my system32 folder.

Usually my MBAM log would say "-> delete on reboot" at the end, but last time my whole PC froze up so I just told it to cancel this time and give me the log.


MBAM log:


Malwarebytes' Anti-Malware 1.36
Database version: 2175
Windows 5.1.2600 Service Pack 3

24/05/2009 22:02:31
mbam-log-2009-05-24 (22-02-30).txt

Scan type: Quick Scan
Objects scanned: 87322
Time elapsed: 1 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.



HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:54:50, on 24/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\iTunesHelper.exe
E:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Razer\Copperhead\razertra.exe
E:\Program Files\Razer\Copperhead\razerofa.exe
C:\program files\valve\steam\steam.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Launchy\Launchy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 12028 bytes

[Bio-Hazard]

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

• I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  
• The fixes are specific to your problem and should only be used for this issue on this machine.
  
• I f you don't know or understand something please don't hesitate to ask.
  
• Please DO NOT run any other tools or scans whilst I am helping you.
  
• It is important that you reply to this thread. Do not start a new topic.
  
• Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  
• Absence of symptoms does not mean that everything is clear.

No Reply Within 5 Days Will Result In Your Topic Being Closed!!




Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

• You must download it to and run it from your Desktop
  
• ComboFix SHOULD NOT be used unless requested by a forum helper.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
  
• Double click on ComboFix.exe and follow the prompts.
  
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
• Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  
• Combofix should never take more that 20 minutes including the reboot if malware is detected.

IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.


Next Reply

Please reply with:

• ComboFix log (found at C:\Combofix.txt)
  
• New HijackThis log

[Gigabeef]

Hi, thanks for the input! I have done as you asked.

ComboFix log:

ComboFix 09-05-26.02 - Jon 27/05/2009 1:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3582.3103 [GMT 1:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACyxdtaoehvdeatvb.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\UACaidfjdooinujyoc.dll
c:\windows\system32\UACclvneoygutqmewy.dll
c:\windows\system32\UACeljoejtvkhasbai.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjlcbitxwkcrdexo.dll
c:\windows\system32\UACmgrmyddwqcjsgln.dat
c:\windows\system32\UACqkkyajbaaluxbjr.log
c:\windows\system32\UACrkdmloynavdhsph.dll
c:\windows\system32\UACttuetnpxmlsjecg.dll
c:\windows\system32\UACyeqynvavipfbkhu.log
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://softwaredownloadcentercom.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))
.

2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w c:\documents and settings\Jon\Local Settings\Application Data\vdownloader
2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w e:\program files\VDOWNLOADER
2009-05-19 14:11 . 2009-03-30 09:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-19 14:11 . 2009-03-24 15:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-19 14:11 . 2009-02-13 11:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
2009-05-19 14:11 . 2009-02-13 11:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys
2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w e:\program files\Avira
2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-19 14:09 . 2009-05-19 14:09 -------- d-----w e:\program files\Trend Micro
2009-05-19 13:55 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 13:54 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w c:\documents and settings\Jon\Application Data\Malwarebytes
2009-05-19 10:25 . 2009-05-19 13:55 -------- d-----w e:\program files\Malwarebytes' Anti-Malware
2009-05-19 10:25 . 2009-05-19 10:25 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 08:17 . 2009-05-12 08:34 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-19 08:17 . 2009-05-12 08:34 354584 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-19 08:17 . 2009-05-12 08:34 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-19 08:17 . 2009-05-12 08:34 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-19 08:17 . 2009-05-12 08:34 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-19 08:17 . 2009-05-12 08:34 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-19 08:17 . 2009-05-12 08:34 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-19 08:17 . 2009-05-12 08:34 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-19 08:17 . 2009-05-12 08:34 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-18 17:44 . 2009-05-18 17:44 -------- d-----w e:\program files\Graph
2009-05-18 10:23 . 2009-05-19 11:43 -------- d-----w e:\program files\Spybot - Search & Destroy
2009-05-17 22:46 . 2009-05-19 11:31 -------- d-----w e:\program files\Panda Security
2009-05-17 20:29 . 2009-05-17 22:21 117760 ----a-w c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-17 20:28 . 2009-05-17 20:28 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-17 20:24 . 2009-05-17 20:28 -------- d-----w e:\program files\SUPERAntiSpyware
2009-05-17 20:24 . 2009-05-17 20:24 -------- d-----w c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com
2009-05-17 16:49 . 2009-05-12 08:34 2302232 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-17 16:49 . 2009-05-12 08:34 3399960 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-04-29 21:19 . 2009-04-29 21:19 41808 ----a-w c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-27 00:25 . 2009-03-27 16:45 -------- d-----w c:\documents and settings\Jon\Application Data\nView_Wallpaper
2009-05-27 00:04 . 2008-01-24 23:07 -------- d-s---w e:\program files\Xfire
2009-05-26 23:57 . 2007-03-07 22:03 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-26 23:37 . 2007-03-07 21:03 -------- d-----w c:\documents and settings\Jon\Application Data\Xfire
2009-05-26 21:16 . 2007-10-17 13:30 64 ----a-w c:\windows\popcinfot.dat
2009-05-26 19:34 . 2007-03-12 21:15 10254 ----a-w c:\windows\system32\Fxxplfnt.tmp
2009-05-26 16:04 . 2008-05-15 07:22 -------- d-----w e:\program files\Diablo II
2009-05-20 07:17 . 2008-12-31 00:00 -------- d-----w e:\program files\Cain
2009-05-18 17:25 . 2007-03-08 07:11 75584 ----a-w c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-17 20:24 . 2007-10-19 12:53 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-15 00:31 . 2007-09-30 22:17 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-15 00:31 . 2007-09-30 22:16 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-15 00:28 . 2008-11-13 17:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-13 18:49 . 2008-06-22 15:14 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-12 08:34 . 2008-05-05 11:35 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-12 08:34 . 2008-05-05 11:35 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-12 08:34 . 2007-03-07 22:52 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-12 08:34 . 2008-05-05 11:35 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-04 11:37 . 2009-03-27 10:20 8 ----a-w c:\windows\system32\nvModes.dat
2009-04-22 22:47 . 2007-04-29 12:49 -------- d-----w c:\documents and settings\Jon\Application Data\uTorrent
2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w c:\windows\system32\xlive.dll
2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll
2009-04-20 23:00 . 2009-04-20 23:00 -------- d-----w e:\program files\NDSROM Player
2009-04-11 02:14 . 2008-01-30 15:49 -------- d--h--w e:\program files\InstallShield Installation Information
2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-10 21:12 . 2007-03-09 20:11 -------- d-----w c:\program files\Common Files\Adobe
2009-04-10 21:11 . 2009-04-10 21:11 -------- d-----w e:\program files\Adobe Media Player
2009-04-10 21:07 . 2009-04-10 21:07 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-10 21:01 . 2009-04-10 21:01 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-10 20:45 . 2008-04-28 15:13 -------- d-----w c:\documents and settings\All Users\Application Data\TrackMania
2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w c:\documents and settings\Jon\Application Data\Launchy
2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w e:\program files\Launchy
2009-03-31 18:30 . 2007-07-22 15:31 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-03-30 18:22 . 2009-03-30 18:18 34 ----a-w c:\documents and settings\Jon\jagex_runescape_preferences.dat
2009-03-29 12:19 . 2007-03-07 22:35 -------- d-----w c:\documents and settings\Jon\Application Data\Skype
2009-03-28 13:35 . 2009-03-28 13:35 -------- d-----w c:\documents and settings\All Users\Application Data\Codemasters
2009-03-28 12:48 . 2009-03-28 12:48 -------- d-----w e:\program files\OpenAL
2009-03-28 12:48 . 2007-03-27 17:18 444952 ----a-w c:\windows\system32\wrap_oal.dll
2009-03-28 12:48 . 2007-03-27 17:18 109080 ----a-w c:\windows\system32\OpenAL32.dll
2009-03-28 12:33 . 2009-03-28 12:33 -------- d-----w e:\program files\Codemasters
2009-03-27 18:08 . 2009-03-27 18:08 29696 ----a-w c:\windows\mickey32.dll
2009-03-27 18:08 . 2009-03-27 18:08 232784 ----a-w c:\windows\Matrix Code.scr
2009-03-27 18:08 . 2009-03-27 18:08 2285222 ----a-w c:\windows\Matrix Code.exe
2009-03-14 20:50 . 2009-03-14 20:50 20747 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 16:44 . 2007-09-30 22:16 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-03 00:18 . 2006-06-23 11:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-01-31 17:59 . 2009-01-31 17:59 1112041813 ----a-w e:\program files\MSSetup.exe
2008-10-01 17:57 . 2008-10-01 17:57 289576 ----a-w e:\program files\iTunesHelper.exe
2008-10-01 17:57 . 2008-10-01 17:57 283136 ----a-w e:\program files\iTunesOutlookAddIn.dll
2008-10-01 17:57 . 2008-10-01 17:57 172544 ----a-w e:\program files\iTunesPhotoSupport.dll
2008-10-01 17:57 . 2008-10-01 17:57 132392 ----a-w e:\program files\iTunesMiniPlayer.dll
2008-10-01 17:57 . 2008-10-01 17:57 108328 ----a-w e:\program files\iTunesAdmin.dll
2008-10-01 17:57 . 2008-10-01 17:57 14258472 ----a-w e:\program files\iTunes.exe
2008-10-01 17:57 . 2008-10-01 17:57 111912 ----a-w e:\program files\ITDetector.ocx
2008-10-01 17:57 . 2008-10-01 17:57 643072 ----a-w e:\program files\iPodUpdaterExt.dll
2008-10-01 17:57 . 2008-10-01 17:57 438272 ----a-w e:\program files\CDDBControlApple.dll
2008-10-01 17:56 . 2008-10-01 17:56 8356 ----a-w e:\program files\Acknowledgements.rtf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-19 1217784]
"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-12 1947928]
"iTunesHelper"="e:\program files\iTunesHelper.exe" [2008-10-01 289576]
"Copperhead"="e:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - e:\program files\Launchy\Launchy.exe [2009-4-9 286720]
VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-1-2 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w e:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-12 08:34 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=c:\windows\pss\Folding@Home 5.03.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^RAR Password Cracker.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\RAR Password Cracker.lnk
backup=c:\windows\pss\RAR Password Cracker.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"e:\\Programs\\utorrent.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"e:\\Program Files\\iTunes.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"e:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/05/2008 12:35 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/05/2008 12:35 108552]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/07/2008 15:03 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 15:03 298776]
R3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [25/02/2008 17:18 11596]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]
S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]
S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1177238915-725345543-1004.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htm
IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\WinAVI FLV Converter\FLVTune.dll
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\lyluhf4c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\windows\system32\DNAML\npdbplug.dll
FF - plugin: e:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\NPSWF32.dll
FF - plugin: e:\program files\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 01:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1b,97,f7,36,1d,32,7f,c1,a9,e6,d8,3e,d3,6a,d4,60,87,c5,28,ac,bd,d6,37,
be,b8,05,1f,5b,70,25,1b,44,53,3a,2b,11,6c,fb,c0,36,21,98,0d,68,9d,a0,cd,0a,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:00,8d,86,a8,28,10,51,47,be,fe,54,c3,f9,54,d4,79,ee,8e,c8,41,a9,
45,08,99,89,de,3d,2f,34,9e,4b,dc,34,28,4d,80,1a,fe,16,fa,d2,1c,4c,ae,6e,c8,\
"rkeysecu"=hex:01,86,db,5f,b7,b8,88,cd,4e,8c,80,c6,fe,ea,5d,8e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1212)
e:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(240)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
e:\program files\Cisco Systems\VPN Client\cvpnd.exe
e:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
e:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
e:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
e:\program files\Razer\Copperhead\razertra.exe
e:\program files\Razer\Copperhead\razerofa.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-27 1:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-27 00:28

Pre-Run: 14,909,480,960 bytes free
Post-Run: 15,217,524,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

380 --- E O F --- 2009-05-16 01:00


New Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:30:35, on 27/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\iTunesHelper.exe
E:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Razer\Copperhead\razertra.exe
E:\Program Files\Razer\Copperhead\razerofa.exe
C:\program files\valve\steam\steam.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 11364 bytes

[Bio-Hazard]

P2P Warning!

uTorrent

I understand that downloading music and other files may be important to you; however, the P2P programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., copyrighted material, pirated software, and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

An often unanticipated and unintended consequence of using p2p programs is that you may be leaving your computer open to access by others without either your knowledge or consent. This is how you can uninstall it/them:

• Click Start
  
• Go to Control Panel
  
• Go to Add/Remove Programs
  
• Find and click Remove for the following (if present):
  
  uTorrent

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

If you wish to keep them, you MUST NOT use them until your computer is clean.


Remove one of your Anti Virus programs.

You are operating multiple Anti Virus programs on your computer:

Avira and AVG8

It is NOT safe to have more than one anti-virus installed on a system, and that doing so not only does not provide better protection, it will actually cause additional problems. Anti-virus programs patch into the system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and it WILL cause crashes! You MUST remove all but one anti-virus program.



Remove HijackThis entries

• Run HijackThis
  
• Click on the Scan button
  
• Put a check beside all of the items listed below (if present):
  
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
  
  
  
• Close all open windows and browsers/email etc...
  
• Click on the Fix Checked button
  
• When completed close the application.

OTM

Download OTM by Old Timer and save it to your Desktop.

• Double-click OTM.exe to run it.
  
• Copy the lines in the codebox below.

:Processes
explorer.exe
:Files
c:\windows\system32\Fxxplfnt.tmp
:Commands
[emptytemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
  
• OTM may ask to reboot the machine. Please do so if asked.
  
• Copy everything in the Results window (under the green bar), and paste it in your next reply.
  
• Close OTM

Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

• Read through the requirements and privacy statement and click on Accept button.
  
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  
• When the downloads have finished, click on Settings.
  
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    
  • Archives
• Click on My Computer under Scan.
  
• Once the scan is complete, it will display the results. Click on View Scan Report.
  
• You will see a list of infected items there. Click on Save Report As....
  
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  
• Please post this log in your next reply along with a fresh HijackThis log.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

• OTM Log
  
• Kaspersky Log
  
• A fresh HijackThis Log ( after all the above has been done)
  
• A description of how your computer is behaving

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

[AdvancedSetup]

Post reopened at user request.

[Gigabeef]

Ok sorry I took a while, but the Kapersky scan took about 10 hours and as soon as I was too impatient something happened to stop it, so I had to find time to get 10 hours straight. I removed AVG (as it has been totally useless in this whole thing) and I'm not even able to use any p2p software at all at University, so that isn't an issue.

I can't see any symptoms of any infection whatsoever though.

Kapersky seems to have flagged all sorts of things though.

Thanks! (oh and btw, what does OTM actually do?)


OTM log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\system32\Fxxplfnt.tmp moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_CgZJibfKhgBkD7N scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_Jcz7IoyS8ZFp5cV scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\~DFDC1A.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\ZZN1R4WT\store_steampowered_com[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\3ORQ1FJU\notifier_avira_com[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5d4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_704.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.
Explorer started successfully

OTM by OldTimer - Version 2.1.0.0 log created on 05292009_015153

Files moved on Reboot...
File C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_CgZJibfKhgBkD7N not found!
File C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_Jcz7IoyS8ZFp5cV not found!
C:\DOCUME~1\Jon\LOCALS~1\Temp\~DFDC1A.tmp moved successfully.
C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\ZZN1R4WT\store_steampowered_com[1].htm moved successfully.
C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\3ORQ1FJU\notifier_avira_com[1].htm moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_5d4.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_704.dat not found!

Registry entries deleted on Reboot...


Kapersky Log:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, June 01, 2009 19:14:19
Records in database: 2292339
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics
Files scanned 353173
Threat name 17
Infected objects 36
Suspicious objects 0
Duration of the scan 10:27:03

File name Threat name Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254697.sys Infected: Trojan.Win32.Agent.chly 1
C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254698.dll Infected: Trojan.Win32.TDSS.acbv 1
C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254699.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254700.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254701.dll Infected: Packed.Win32.Tdss.f 1
C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254702.dll Infected: Packed.Win32.Tdss.f 1
D:\ISOs\Operating Systems\Linux\SuSE 10.0\SuSE 10.0 CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
D:\ISOs\Operating Systems\Linux\SuSE 10.0\SuSE 10.0 CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
D:\ISOs\Operating Systems\Linux\SuSE 9.3 Pro\SuSE 9.3 Pro CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
D:\ISOs\Operating Systems\Linux\SuSE 9.3 Pro\SuSE 9.3 Pro CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
D:\Jon's PC\Monsterkill\Installers\Legion\BruteForce.ex_ Infected: HackTool.Win32.BruteForce.a 1
D:\Jon's PC\Monsterkill\Installers\Legion\Chrono.dl_ Infected: HackTool.Win32.BruteForce.d 1
D:\Jon's PC\Monsterkill\Installers\Legion\Legion.ex_ Infected: not-a-virus:NetTool.Win32.Legion.21 1
D:\Jon's PC\Monsterkill\Installers\Real VNC\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\Jon's PC\Monsterkill\Installers\Real VNC\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Jon's PC\Vista Transformation Pack\Vista Transformation Pack 3.0.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Jon's PC\Vista Transformation Pack\Vista Transformation Pack.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Program Files\Legion\Legion.exe Infected: not-a-virus:NetTool.Win32.Legion.21 1
E:\Program Files\Cain\Cain.exe Infected: not-a-virus:PSWTool.Win32.Cain.s 1
E:\Programs\legion\BruteForce.ex_ Infected: HackTool.Win32.BruteForce.a 1
E:\Programs\legion\Chrono.dl_ Infected: HackTool.Win32.BruteForce.d 1
E:\Programs\legion\Legion.ex_ Infected: not-a-virus:NetTool.Win32.Legion.21 1
E:\Programs\legion\NetTools.ex_ Infected: Trojan-PSW.Win32.Spion.c 1
E:\Programs\legion.zip Infected: Trojan-PSW.Win32.Spion.c 1
E:\Programs\legion.zip Infected: HackTool.Win32.BruteForce.a 1
E:\Programs\legion.zip Infected: HackTool.Win32.BruteForce.d 1
E:\Programs\legion.zip Infected: not-a-virus:NetTool.Win32.Legion.21 1
E:\Programs\melgibs.rar Infected: Trojan-Banker.Win32.Banker.afwk 1
E:\Programs\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
E:\Programs\Nero.zip Infected: Trojan.Win32.Agent.abek 1
E:\Programs\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
E:\Programs\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
E:\usb_multiboot_10\USB_MultiBoot_10\MULTI_CONTENT\wintools\othertools\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.i 1
The selected area was scanned.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15:30, on 02/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
E:\Program Files\iTunesHelper.exe
E:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Razer\Copperhead\razertra.exe
E:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Xfire.lnk = E:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 10982 bytes

[Bio-Hazard]

Hello!

Sorry for the delay.

Quote

(oh and btw, what does OTM actually do?)

We use it tp remove malware entries ir entries that are not needed.


Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

• If you have version 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  
• Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  
• Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  
• Click on Mode > Advanced Mode. When it prompts you, click Yes.
  
• On the left hand side, click on Tools.
  
• Check this box if it is not yet ticked: Resident.
  
• You will notice that Resident is now added under Tools. Click on Resident.
  
• Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  
• Exit Spybot Search & Destroy.
  
• Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings in TeaTimer.

OTM

• Double-click OTM.exe to run it.
  
• Copy the lines in the codebox below.

:Processes
explorer.exe

:Files
D:\Jon's PC\Monsterkill\Installers\Legion
D:\Program Files\Legion
E:\Programs\legion
E:\Programs\legion.zip
E:\Programs\melgibs.rar
E:\Programs\Nero.zip

:Commands
[emptytemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
  
• OTM may ask to reboot the machine. Please do so if asked.
  
• Copy everything in the Results window (under the green bar), and paste it in your next reply.
  
• Close OTM

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

• OTM log
  
• A fresh HijackThis Log ( after all the above has been done)
  
• A description of how your computer is behaving

[Gigabeef]

For some reason, OTM won't run. It starts a process at 50% CPU but never actually gets anywhere. I re-downloaded a fresh copy and tried renaming it but neither of those worked.

[Bio-Hazard]

Hello!

If you still have Combofix on your computer, delete that version and download a new version from here:

Link 1
Link 2
Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

Please run it and post a log for me to see.

[Gigabeef]

Here it is:

ComboFix 09-06-04.04 - Jon 04/06/2009 21:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3582.3028 [GMT 1:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\Mozilla Plugins
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesMiniPlayer.Resources
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesHelper.Resources
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunes.Resources
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\CD Configuration
2009-06-04 20:18 . 2009-06-04 20:18 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 09:06 . 2009-06-04 09:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-30 11:30 . 2009-05-30 11:30 265000 ----a-w- e:\program files\iTunesPhotoProcessor.exe
2009-05-30 11:30 . 2009-05-30 11:30 384808 ----a-w- e:\program files\iTunesAdmin.dll
2009-05-30 11:30 . 2009-05-30 11:30 292136 ----a-w- e:\program files\iTunesHelper.exe
2009-05-30 11:30 . 2009-05-30 11:30 285184 ----a-w- e:\program files\iTunesOutlookAddIn.dll
2009-05-30 11:30 . 2009-05-30 11:30 124200 ----a-w- e:\program files\iTunesMiniPlayer.dll
2009-05-30 11:30 . 2009-05-30 11:30 14073640 ----a-w- e:\program files\iTunes.exe
2009-05-30 11:30 . 2009-05-30 11:30 722160 ----a-w- e:\program files\CDDBControlApple.dll
2009-05-30 11:30 . 2009-05-30 11:30 643072 ----a-w- e:\program files\iPodUpdaterExt.dll
2009-05-29 00:51 . 2009-05-29 00:51 -------- d-----w- C:\_OTM
2009-05-27 09:38 . 2009-05-27 09:38 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\vdownloader
2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- e:\program files\VDOWNLOADER
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-05-19 14:11 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-19 14:11 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-19 14:11 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-19 14:11 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- e:\program files\Avira
2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-19 14:09 . 2009-05-19 14:09 -------- d-----w- e:\program files\Trend Micro
2009-05-19 13:55 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-19 13:54 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes
2009-05-19 10:25 . 2009-05-27 09:38 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-05-19 10:25 . 2009-05-19 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 17:44 . 2009-05-18 17:44 -------- d-----w- e:\program files\Graph
2009-05-18 10:23 . 2009-05-19 11:43 -------- d-----w- e:\program files\Spybot - Search & Destroy
2009-05-17 22:46 . 2009-05-19 11:31 -------- d-----w- e:\program files\Panda Security
2009-05-17 20:29 . 2009-05-17 22:21 117760 ----a-w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-17 20:28 . 2009-05-17 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-17 20:24 . 2009-05-17 20:28 -------- d-----w- e:\program files\SUPERAntiSpyware
2009-05-17 20:24 . 2009-05-17 20:24 -------- d-----w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 20:32 . 2007-03-07 21:03 -------- d-----w- c:\documents and settings\Jon\Application Data\Xfire
2009-06-04 20:31 . 2009-03-27 16:45 -------- d-----w- c:\documents and settings\Jon\Application Data\nView_Wallpaper
2009-06-04 20:24 . 2007-12-25 13:20 -------- d-----w- c:\program files\Common Files\Apple
2009-06-04 20:08 . 2008-05-15 07:22 -------- d-----w- e:\program files\Diablo II
2009-06-04 18:15 . 2009-05-29 19:15 10254 ----a-w- c:\windows\system32\Fxxplfnt.tmp
2009-06-04 10:09 . 2007-03-07 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-04 09:05 . 2007-03-09 20:11 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-01 18:53 . 2007-10-17 13:30 64 ----a-w- c:\windows\popcinfot.dat
2009-05-30 11:30 . 2009-05-30 11:30 111912 ----a-w- e:\program files\ITDetector.ocx
2009-05-30 11:30 . 2009-05-30 11:30 8356 ----a-w- e:\program files\Acknowledgements.rtf
2009-05-28 17:31 . 2008-01-24 23:07 -------- d-s---w- e:\program files\Xfire
2009-05-20 07:17 . 2008-12-31 00:00 -------- d-----w- e:\program files\Cain
2009-05-18 17:25 . 2007-03-08 07:11 75584 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-17 20:24 . 2007-10-19 12:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-15 00:31 . 2007-09-30 22:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-15 00:31 . 2007-09-30 22:16 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-05-15 00:28 . 2008-11-13 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-13 18:49 . 2008-06-22 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-04 11:37 . 2009-03-27 10:20 8 ----a-w- c:\windows\system32\nvModes.dat
2009-04-22 22:47 . 2007-04-29 12:49 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent
2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-20 23:00 . 2009-04-20 23:00 -------- d-----w- e:\program files\NDSROM Player
2009-04-11 02:14 . 2008-01-30 15:49 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-10 21:11 . 2009-04-10 21:11 -------- d-----w- e:\program files\Adobe Media Player
2009-04-10 21:01 . 2009-04-10 21:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-04-10 20:45 . 2008-04-28 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- c:\documents and settings\Jon\Application Data\Launchy
2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- e:\program files\Launchy
2009-03-30 18:22 . 2009-03-30 18:18 34 ----a-w- c:\documents and settings\Jon\jagex_runescape_preferences.dat
2009-03-28 12:48 . 2007-03-27 17:18 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-03-28 12:48 . 2007-03-27 17:18 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-03-27 18:08 . 2009-03-27 18:08 29696 ----a-w- c:\windows\mickey32.dll
2009-03-27 18:08 . 2009-03-27 18:08 232784 ----a-w- c:\windows\Matrix Code.scr
2009-03-27 18:08 . 2009-03-27 18:08 2285222 ----a-w- c:\windows\Matrix Code.exe
2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-14 20:50 . 2009-03-14 20:50 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-01-31 17:59 . 2009-01-31 17:59 1112041813 ----a-w- e:\program files\MSSetup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-27_00.24.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_370.dat
+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_358.dat
+ 2009-06-04 20:20 . 2009-05-29 12:36 39424 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaapl.sys
+ 2009-06-04 20:20 . 2009-05-29 12:36 17408 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\netaapl.sys
+ 2009-06-04 20:24 . 2009-03-19 15:32 23400 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys
- 2008-08-29 08:53 . 2008-08-29 08:53 61440 c:\windows\system32\dnssd.dll
+ 2008-12-12 10:11 . 2008-12-12 10:11 61440 c:\windows\system32\dnssd.dll
- 2008-08-29 09:18 . 2008-08-29 09:18 87336 c:\windows\system32\dns-sd.exe
+ 2008-12-12 10:18 . 2008-12-12 10:18 87336 c:\windows\system32\dns-sd.exe
+ 2009-06-04 20:16 . 2009-06-04 20:16 86016 c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe
- 2008-01-29 11:02 . 2008-04-17 12:12 107368 c:\windows\system32\GEARAspi.dll
+ 2008-01-29 11:02 . 2008-04-17 11:12 107368 c:\windows\system32\GEARAspi.dll
+ 2009-06-04 20:24 . 2008-04-17 11:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll
+ 2009-06-04 20:25 . 2009-06-04 20:25 102400 c:\windows\Installer\{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}\iTunesIco.exe
+ 2009-06-04 20:17 . 2009-06-04 20:17 307200 c:\windows\Installer\{9C48DCA4-00C2-449C-88D8-B1EE1692B44F}\SafariIco.exe
+ 2009-06-04 20:20 . 2009-05-29 12:36 2060288 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaaplrc.dll
+ 2009-06-04 20:20 . 2009-05-29 12:36 1419232 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\wdfcoinstaller01005.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-19 1217784]
"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]
"Copperhead"="e:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"iTunesHelper"="e:\program files\iTunesHelper.exe" [2009-05-30 292136]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\Jon\Start Menu\Programs\Startup\
Xfire.lnk - e:\program files\Xfire\Xfire.exe [2009-5-21 3171664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - e:\program files\Launchy\Launchy.exe [2009-4-9 286720]
VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-1-2 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=c:\windows\pss\Folding@Home 5.03.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^RAR Password Cracker.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\RAR Password Cracker.lnk
backup=c:\windows\pss\RAR Password Cracker.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"e:\\Programs\\utorrent.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"e:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"e:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]
R3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [25/02/2008 17:18 11596]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]
S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]
S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1177238915-725345543-1004.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htm
IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\WinAVI FLV Converter\FLVTune.dll
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\lyluhf4c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\windows\system32\DNAML\npdbplug.dll
FF - plugin: e:\program files\Dyyno\Dyyno Player\npvlc.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\NPSWF32.dll
FF - plugin: e:\program files\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 21:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1b,97,f7,36,1d,32,7f,c1,a9,e6,d8,3e,d3,6a,d4,60,87,c5,28,ac,bd,d6,37,
be,b8,05,1f,5b,70,25,1b,44,53,3a,2b,11,6c,fb,c0,36,21,98,0d,68,9d,a0,cd,0a,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:00,8d,86,a8,28,10,51,47,be,fe,54,c3,f9,54,d4,79,ee,8e,c8,41,a9,
45,08,99,89,de,3d,2f,34,9e,4b,dc,34,28,4d,80,1a,fe,16,fa,d2,1c,4c,ae,6e,c8,\
"rkeysecu"=hex:01,86,db,5f,b7,b8,88,cd,4e,8c,80,c6,fe,ea,5d,8e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1204)
e:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3792)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-06-04 21:44
ComboFix-quarantined-files.txt 2009-06-04 20:44
ComboFix2.txt 2009-05-27 00:28

Pre-Run: 15,497,240,576 bytes free
Post-Run: 15,598,944,256 bytes free

319 --- E O F --- 2009-05-16 01:00

[Bio-Hazard]

Run CFScript

• Close any open browsers.
  
• Open Notepad by click start
  
• Click Run
  
• Type notepad into the box and click enter
  
• Notepad will open
  
• Copy and Paste everything from the Code box into Notepad:

File::
c:\windows\system32\Fxxplfnt.tmp
E:\Programs\legion.zip
E:\Programs\melgibs.rar
E:\Programs\Nero.zip

Folder::
D:\Jon's PC\Monsterkill\Installers\Legion
D:\Program Files\Legion
E:\Programs\legion

Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.

Next Reply

Please reply with:

• ComboFix log (found at C:\Combofix.txt)
  
• New HijackThis log
  
• A description of how your computer is behaving

[Gigabeef]

There aren't any real problems with my computer in general. There are a few small things - I left it on overnight and in the morning each time I right clicked to bring up the menu, the buttons wouldn't appear until I had moved over the options with the mouse cursor.

Also, when combofix ran, it stopped a couple of things that it didn't before (such as launchy and part of the Razer mouse config).

Apart from that there is no loss in functionality and everything is running totally as normal.


Combofix log:

ComboFix 09-06-04.04 - Jon 05/06/2009 10:58.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3582.3008 [GMT 1:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jon\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\Fxxplfnt.tmp"
"e:\programs\legion.zip"
"e:\programs\melgibs.rar"
"e:\programs\Nero.zip"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Fxxplfnt.tmp
d:\jon's pc\Monsterkill\Installers\Legion
d:\jon's pc\Monsterkill\Installers\Legion\APIGID32.DL_
d:\jon's pc\Monsterkill\Installers\Legion\AsycFilt.dl_
d:\jon's pc\Monsterkill\Installers\Legion\BruteForce.ex_
d:\jon's pc\Monsterkill\Installers\Legion\Chrono.dl_
d:\jon's pc\Monsterkill\Installers\Legion\ComCat.dl_
d:\jon's pc\Monsterkill\Installers\Legion\COMCTL32.OC_
d:\jon's pc\Monsterkill\Installers\Legion\COMDLG32.OC_
d:\jon's pc\Monsterkill\Installers\Legion\Ctl3d32.dl_
d:\jon's pc\Monsterkill\Installers\Legion\Legion.ex_
d:\jon's pc\Monsterkill\Installers\Legion\MSVBVM50.dl_
d:\jon's pc\Monsterkill\Installers\Legion\OleAut32.dl_
d:\jon's pc\Monsterkill\Installers\Legion\OlePro32.dl_
d:\jon's pc\Monsterkill\Installers\Legion\README.tx_
d:\jon's pc\Monsterkill\Installers\Legion\scandll2.dl_
d:\jon's pc\Monsterkill\Installers\Legion\SETUP.EXE
d:\jon's pc\Monsterkill\Installers\Legion\SETUP.LST
d:\jon's pc\Monsterkill\Installers\Legion\setup1.ex_
d:\jon's pc\Monsterkill\Installers\Legion\ST5UNST.EX_
d:\jon's pc\Monsterkill\Installers\Legion\StdOle2.tl_
d:\jon's pc\Monsterkill\Installers\Legion\VB5StKit.dl_
d:\program files\Legion
d:\program files\Legion\APIGID32.DLL
d:\program files\Legion\Legion.exe
d:\program files\Legion\README.txt
d:\program files\Legion\scandll2.dll
d:\program files\Legion\ST5UNST.LOG
e:\programs\legion
e:\programs\legion.zip
e:\programs\legion\APIGID32.DL_
e:\programs\legion\AsycFilt.dl_
e:\programs\legion\BruteForce.ex_
e:\programs\legion\Chrono.dl_
e:\programs\legion\ComCat.dl_
e:\programs\legion\COMCTL32.OC_
e:\programs\legion\COMDLG32.OC_
e:\programs\legion\Ctl3d32.dl_
e:\programs\legion\Legion.ex_
e:\programs\legion\MSVBVM50.dl_
e:\programs\legion\NetTools.ex_
e:\programs\legion\OleAut32.dl_
e:\programs\legion\OlePro32.dl_
e:\programs\legion\README.tx_
e:\programs\legion\scandll2.dl_
e:\programs\legion\SETUP.EXE
e:\programs\legion\SETUP.LST
e:\programs\legion\setup1.ex_
e:\programs\legion\ST5UNST.EX_
e:\programs\legion\StdOle2.tl_
e:\programs\legion\VB5StKit.dl_
e:\programs\melgibs.rar
e:\programs\Nero.zip

.
((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-05 08:52 . 2009-06-05 08:52 -------- d-----w- e:\program files\Safer Networking
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\Mozilla Plugins
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesMiniPlayer.Resources
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesHelper.Resources
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunes.Resources
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\CD Configuration
2009-06-04 20:18 . 2009-06-04 20:18 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 09:06 . 2009-06-04 09:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-30 11:30 . 2009-05-30 11:30 265000 ----a-w- e:\program files\iTunesPhotoProcessor.exe
2009-05-30 11:30 . 2009-05-30 11:30 384808 ----a-w- e:\program files\iTunesAdmin.dll
2009-05-30 11:30 . 2009-05-30 11:30 292136 ----a-w- e:\program files\iTunesHelper.exe
2009-05-30 11:30 . 2009-05-30 11:30 285184 ----a-w- e:\program files\iTunesOutlookAddIn.dll
2009-05-30 11:30 . 2009-05-30 11:30 124200 ----a-w- e:\program files\iTunesMiniPlayer.dll
2009-05-30 11:30 . 2009-05-30 11:30 14073640 ----a-w- e:\program files\iTunes.exe
2009-05-30 11:30 . 2009-05-30 11:30 722160 ----a-w- e:\program files\CDDBControlApple.dll
2009-05-30 11:30 . 2009-05-30 11:30 643072 ----a-w- e:\program files\iPodUpdaterExt.dll
2009-05-29 00:51 . 2009-05-29 00:51 -------- d-----w- C:\_OTM
2009-05-27 09:38 . 2009-05-27 09:38 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\vdownloader
2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- e:\program files\VDOWNLOADER
2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-05-19 14:11 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-19 14:11 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-19 14:11 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-19 14:11 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- e:\program files\Avira
2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-19 14:09 . 2009-05-19 14:09 -------- d-----w- e:\program files\Trend Micro
2009-05-19 13:55 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-19 13:54 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes
2009-05-19 10:25 . 2009-05-27 09:38 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-05-19 10:25 . 2009-05-19 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 17:44 . 2009-05-18 17:44 -------- d-----w- e:\program files\Graph
2009-05-18 10:23 . 2009-05-19 11:43 -------- d-----w- e:\program files\Spybot - Search & Destroy
2009-05-17 22:46 . 2009-05-19 11:31 -------- d-----w- e:\program files\Panda Security
2009-05-17 20:29 . 2009-05-17 22:21 117760 ----a-w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-17 20:28 . 2009-05-17 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-17 20:24 . 2009-05-17 20:28 -------- d-----w- e:\program files\SUPERAntiSpyware
2009-05-17 20:24 . 2009-05-17 20:24 -------- d-----w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 09:34 . 2008-12-31 00:00 -------- d-----w- e:\program files\Cain
2009-06-05 00:38 . 2009-03-27 16:45 -------- d-----w- c:\documents and settings\Jon\Application Data\nView_Wallpaper
2009-06-04 23:12 . 2008-05-15 07:22 -------- d-----w- e:\program files\Diablo II
2009-06-04 20:32 . 2007-03-07 21:03 -------- d-----w- c:\documents and settings\Jon\Application Data\Xfire
2009-06-04 20:24 . 2007-12-25 13:20 -------- d-----w- c:\program files\Common Files\Apple
2009-06-04 10:09 . 2007-03-07 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-04 09:05 . 2007-03-09 20:11 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-01 18:53 . 2007-10-17 13:30 64 ----a-w- c:\windows\popcinfot.dat
2009-05-30 11:30 . 2009-05-30 11:30 111912 ----a-w- e:\program files\ITDetector.ocx
2009-05-30 11:30 . 2009-05-30 11:30 8356 ----a-w- e:\program files\Acknowledgements.rtf
2009-05-28 17:31 . 2008-01-24 23:07 -------- d-s---w- e:\program files\Xfire
2009-05-18 17:25 . 2007-03-08 07:11 75584 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-17 20:24 . 2007-10-19 12:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-15 00:31 . 2007-09-30 22:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-05-15 00:31 . 2007-09-30 22:16 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-05-15 00:28 . 2008-11-13 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-13 18:49 . 2008-06-22 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-04 11:37 . 2009-03-27 10:20 8 ----a-w- c:\windows\system32\nvModes.dat
2009-04-22 22:47 . 2007-04-29 12:49 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent
2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-20 23:00 . 2009-04-20 23:00 -------- d-----w- e:\program files\NDSROM Player
2009-04-11 02:14 . 2008-01-30 15:49 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-10 21:11 . 2009-04-10 21:11 -------- d-----w- e:\program files\Adobe Media Player
2009-04-10 21:01 . 2009-04-10 21:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-04-10 20:45 . 2008-04-28 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- c:\documents and settings\Jon\Application Data\Launchy
2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- e:\program files\Launchy
2009-03-30 18:22 . 2009-03-30 18:18 34 ----a-w- c:\documents and settings\Jon\jagex_runescape_preferences.dat
2009-03-28 12:48 . 2007-03-27 17:18 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-03-28 12:48 . 2007-03-27 17:18 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-03-27 18:08 . 2009-03-27 18:08 29696 ----a-w- c:\windows\mickey32.dll
2009-03-27 18:08 . 2009-03-27 18:08 232784 ----a-w- c:\windows\Matrix Code.scr
2009-03-27 18:08 . 2009-03-27 18:08 2285222 ----a-w- c:\windows\Matrix Code.exe
2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-14 20:50 . 2009-03-14 20:50 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-01-31 17:59 . 2009-01-31 17:59 1112041813 ----a-w- e:\program files\MSSetup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-27_00.24.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_370.dat
+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_358.dat
+ 2009-06-04 20:20 . 2009-05-29 12:36 39424 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaapl.sys
+ 2009-06-04 20:20 . 2009-05-29 12:36 17408 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\netaapl.sys
+ 2009-06-04 20:24 . 2009-03-19 15:32 23400 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys
- 2008-08-29 08:53 . 2008-08-29 08:53 61440 c:\windows\system32\dnssd.dll
+ 2008-12-12 10:11 . 2008-12-12 10:11 61440 c:\windows\system32\dnssd.dll
- 2008-08-29 09:18 . 2008-08-29 09:18 87336 c:\windows\system32\dns-sd.exe
+ 2008-12-12 10:18 . 2008-12-12 10:18 87336 c:\windows\system32\dns-sd.exe
+ 2009-06-04 20:16 . 2009-06-04 20:16 86016 c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe
- 2008-01-29 11:02 . 2008-04-17 12:12 107368 c:\windows\system32\GEARAspi.dll
+ 2008-01-29 11:02 . 2008-04-17 11:12 107368 c:\windows\system32\GEARAspi.dll
+ 2009-06-04 20:24 . 2008-04-17 11:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll
+ 2009-06-04 20:25 . 2009-06-04 20:25 102400 c:\windows\Installer\{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}\iTunesIco.exe
+ 2009-06-04 20:17 . 2009-06-04 20:17 307200 c:\windows\Installer\{9C48DCA4-00C2-449C-88D8-B1EE1692B44F}\SafariIco.exe
+ 2009-06-04 20:20 . 2009-05-29 12:36 2060288 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaaplrc.dll
+ 2009-06-04 20:20 . 2009-05-29 12:36 1419232 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\wdfcoinstaller01005.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-19 1217784]
"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]
"Copperhead"="e:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"iTunesHelper"="e:\program files\iTunesHelper.exe" [2009-05-30 292136]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\Jon\Start Menu\Programs\Startup\
Xfire.lnk - e:\program files\Xfire\Xfire.exe [2009-5-21 3171664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - e:\program files\Launchy\Launchy.exe [2009-4-9 286720]
VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-1-2 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=c:\windows\pss\Folding@Home 5.03.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^RAR Password Cracker.lnk]
path=c:\documents and settings\Jon\Start Menu\Programs\Startup\RAR Password Cracker.lnk
backup=c:\windows\pss\RAR Password Cracker.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"e:\\Programs\\utorrent.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"e:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"e:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]
R3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [25/02/2008 17:18 11596]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]
S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]
S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WUSB54GCSVC
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1177238915-725345543-1004.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htm
IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\WinAVI FLV Converter\FLVTune.dll
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\lyluhf4c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1b,97,f7,36,1d,32,7f,c1,a9,e6,d8,3e,d3,6a,d4,60,87,c5,28,ac,bd,d6,37,
be,b8,05,1f,5b,70,25,1b,44,53,3a,2b,11,6c,fb,c0,36,21,98,0d,68,9d,a0,cd,0a,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:00,8d,86,a8,28,10,51,47,be,fe,54,c3,f9,54,d4,79,ee,8e,c8,41,a9,
45,08,99,89,de,3d,2f,34,9e,4b,dc,34,28,4d,80,1a,fe,16,fa,d2,1c,4c,ae,6e,c8,\
"rkeysecu"=hex:01,86,db,5f,b7,b8,88,cd,4e,8c,80,c6,fe,ea,5d,8e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1204)
e:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-06-05 11:02
ComboFix-quarantined-files.txt 2009-06-05 10:02
ComboFix2.txt 2009-06-04 20:44
ComboFix3.txt 2009-05-27 00:28

Pre-Run: 15,478,140,928 bytes free
Post-Run: 15,407,984,640 bytes free

359 --- E O F --- 2009-05-16 01:00


Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:51, on 05/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
E:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Xfire.lnk = E:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 10115 bytes

[Bio-Hazard]

Quote

Also, when combofix ran, it stopped a couple of things that it didn't before (such as launchy and part of the Razer mouse config).

Are they running fine now?

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:

Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)

Please advise if this step is missed for any reason as it performs some important actions.


OTC

Download OTC by Old Timer and save it to your Desktop.

[list]

• Double-click OTC.exe
  
• Click the CleanUp! button
  
• Select Yes when the Begin cleanup Process? Prompt appears
  
• If you are prompted to Reboot during the cleanup, select Yes
  
• The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

You can now re-enable XXXXXXXXXXXXX

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

• Make sure that you keep your antivirus updated
  New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  
  
• Security Updates for Windows, Internet Explorer & Microsoft Office
  Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
  NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  
  
• Update Non-Microsoft Programs
  Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month.
  
  
• Make Internet Explorer More Secure
  You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

• WinPatrol
  As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  
  
• SpywareBlaster
  SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  
  
• Malwarebytes' Anti-Malware
  Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE. Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide and Malwarebytes' Anti-Malware Scanning Guide.
  
  
• Hosts File
  For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  
  
• Use an alternative Internet Browser
  Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera

Here is a great article by miekiemoes How to prevent Malware.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard

[Gigabeef]

Yep I've read all this stuff and installed extra things that you mentioned. I'm glad you specifically pointed out the extremely outdated IE, seen as I never use it except for the IE only sites!

Everything is like it should be, and ComboFix only temporarily disabled those things I mentioned before so it seems

Many thanks for all the help!