Google Redirect [Solved]

Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out.

Let's get started:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Cheers,
Dave

dave, its scanning now
thanks for your rapid response.
this is kind of fun...
i'm makin a start now but may have to get away from computer soon for 2 or 3 hours,
is that going to be a problem?

Yes it's no problem at all the pace of most topics is not nearly this fast, it's not a continuous process. Post me the scan log when you have time.

wow, took a while,
here it is...

GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-10 21:26:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xAA0C5D10]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xAA0C63F4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateThread [0xAA0CA9D8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xAA0C6556]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xAA0C995E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xAA0C9990]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xAA0C64AC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xAA0C5E4A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xAA0C6030]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xAA0C6174]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xAA0C9A64]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xAA0C99CE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xAA0C9A00]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xAA0C9A32]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xAA0C5CBE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xAA0C65B6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xAA0C98FE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xAA0C5C54]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xAA0C5B94]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xAA0C5BEA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwWriteVirtualMemory [0xAA0CAA18]

INT 0x93 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys (RapportKELL/Trusteer Ltd.) F862A430

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[636] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 0040BD60 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[636] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[636] USER32.dll!CallMsgFilterW + 21D 7E42E2D3 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[636] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[636] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 71680022
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 01B41580 C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll (Rooks/Base/Trusteer Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 716C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 6 Bytes JMP 715A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] USER32.dll!TranslateMessage 7E418BE6 6 Bytes JMP 714B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] USER32.dll!GetMessageW 7E4191B6 6 Bytes JMP 7151000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] USER32.dll!RegisterClassExW 7E41AF6F 6 Bytes JMP 02AF4A90 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] USER32.dll!GetWindowRect 7E41B6C4 6 Bytes JMP 714E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] USER32.dll!DdeInitializeW 7E42B7AF 6 Bytes JMP 7157000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] USER32.dll!GetClipboardData 7E430DAA 6 Bytes JMP 7154000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2064] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 715D000A
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2792] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 004318A0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2792] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2792] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2792] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 716E0022

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

Not much showing there let's get another scan:

1. SysProt Anti-Rootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to Log box select all items.
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Note:None of the phases of this scan should take very long, don't do anything else while the scans are running, just leave it to complete, do not worry if it doesn't appear to be doing anything - it is.

Next:

Please delete your current copy of ComboFix and then follow these instructions for downloading and running a fresh copy. I'd like to get an updated log, and it's important that you follow these instructions to the letter so that CF can do its job to the best of its ability:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Download ComboFix from one of the links at that site and save it directly to your desktop. Be sure that you read ALL of the instructions on that page very carefully and follow them exactly. Of particular importance is disabling all your protection programs before running ComboFix, if you need further help figuring out how to disable a specific program look here. Installing the recovery console if you're running an XP machine is also very important. By following the steps at that site closely, you give ComboFix the best chance at a successful run and minimmize the likelihood of having potentially serious problems occur after an attempted removal of malware.

Onc the program has finished running its log should pop up automatically, or if for some reason you lose it it can found at C:\ComboFix.txt. Include the complete contents of that log in your next reply, being sure that it has not been cut off by the limit on the length of posts. Use multiple replies if you need.

Just need the logs from SysProt and ComboFix in your next reply.

Cheers,
Dave

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 740
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 788
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 812
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 856
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 868
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1020
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1104
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1144
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1188
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1284
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1368
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1656
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 156
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 408
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\agrsmsvc.exe
PID: 440
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 464
Hidden: No
Window Visible: No

Name: C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
PID: 604
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 652
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 756
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 120
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 872
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1304
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1344
Hidden: No
Window Visible: No

Name: C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PID: 1488
Hidden: No
Window Visible: No

Name: C:\WINDOWS\RTHDCPL.exe
PID: 1492
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 1832
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\AGRSMMSG.exe
PID: 1844
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxtray.exe
PID: 1728
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\hkcmd.exe
PID: 1924
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxpers.exe
PID: 1828
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 1992
Hidden: No
Window Visible: No

Name: C:\Program Files\Skype\Phone\Skype.exe
PID: 348
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 544
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgemc.exe
PID: 724
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\notepad.exe
PID: 776
Hidden: No
Window Visible: Yes

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 792
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgcsrvx.exe
PID: 1816
Hidden: No
Window Visible: No

Name: C:\DOCUME~1\User\LOCALS~1\Temp\RtkBtMnt.exe
PID: 2224
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2824
Hidden: No
Window Visible: No

Name: C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PID: 2872
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Ahead\Nero\nero.exe
PID: 504
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\User\Desktop\SysProt\SysProt.exe
PID: 3648
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\User\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A8C3C000
Module End: A8C47000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806CEA80
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806CF000
Module End: 806EF280
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F8975000
Module End: F8977000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F8885000
Module End: F8888000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F8346000
Module End: F8374000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F8977000
Module End: F8979000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F8335000
Module End: F8346000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F8475000
Module End: F847E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F8889000
Module End: F888C000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F888D000
Module End: F8891000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F8A3D000
Module End: F8A3E000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F86F5000
Module End: F86FC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: F8317000
Module End: F8335000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F8485000
Module End: F8490000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F82F8000
Module End: F8317000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: F8891000
Module End: F8894000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: F8A3E000
Module End: F8A3F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F86FD000
Module End: F8702000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F8495000
Module End: F84A2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F82E0000
Module End: F82F8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F84A5000
Module End: F84AE000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F84B5000
Module End: F84C2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: F82C0000
Module End: F82E0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F82AE000
Module End: F82C0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F84C5000
Module End: F84CE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F8297000
Module End: F82AE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys
Service Name: WudfPf
Module Base: F8284000
Module End: F8297000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F81F7000
Module End: F8284000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F81CA000
Module End: F81F7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F81B0000
Module End: F81CA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\BTHidMgr.sys
Service Name: BTHidMgr
Module Base: F8705000
Module End: F870C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F84F5000
Module End: F84FE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
Service Name: ialm
Module Base: F7BEE000
Module End: F8157000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F7BDA000
Module End: F7BEE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F7BB5000
Module End: F7BDA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\yk51x86.sys
Service Name: yukonwxp
Module Base: F7B7A000
Module End: F7BB5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ar5211.sys
Service Name: AR5211
Module Base: F7AF9000
Module End: F7B7A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F871D000
Module End: F8722000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F7AD6000
Module End: F7AF9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F872D000
Module End: F8734000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\tifm21.sys
Service Name: tifm21
Module Base: F7AAE000
Module End: F7AD6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F8505000
Module End: F8512000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F873D000
Module End: F8743000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: F7A7E000
Module End: F7AAE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F897D000
Module End: F897F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F874D000
Module End: F8753000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F8515000
Module End: F8520000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pfc.sys
Service Name: pfc
Module Base: F8919000
Module End: F891C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F8525000
Module End: F8532000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F8535000
Module End: F8544000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F7A5B000
Module End: F7A7E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: F8929000
Module End: F892D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: F8931000
Module End: F8934000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\VcommMgr.sys
Service Name: VcommMgr
Module Base: F8545000
Module End: F854F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\vbtenum.sys
Service Name: BTHidEnum
Module Base: F8939000
Module End: F893C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
Service Name: BlueletAudio
Module Base: F8775000
Module End: F877A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\portcls.sys
Service Name: ---
Module Base: F7A37000
Module End: F7A5B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\drmk.sys
Service Name: ---
Module Base: F8555000
Module End: F8564000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F8B09000
Module End: F8B0A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RootMdm.sys
Service Name: ROOTMODEM
Module Base: F8981000
Module End: F8983000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F878D000
Module End: F8795000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F8565000
Module End: F8572000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F8941000
Module End: F8944000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F7A20000
Module End: F7A37000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F8575000
Module End: F8580000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F8585000
Module End: F8591000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F87AD000
Module End: F87B2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F79E7000
Module End: F79F8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F8595000
Module End: F859E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F87BD000
Module End: F87C2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F87CD000
Module End: F87D2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
Service Name: BT
Module Base: F8959000
Module End: F895C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VComm.sys
Service Name: VComm
Module Base: F87DD000
Module End: F87E5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: Serenum
Module Base: F8961000
Module End: F8965000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F79B6000
Module End: F79E7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F85A5000
Module End: F85AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F8987000
Module End: F8989000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F795D000
Module End: F79B6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F817B000
Module End: F817F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F85B5000
Module End: F85BF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: AA37E000
Module End: AA7C0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Service Name: AgereSoftModem
Module Base: AA262000
Module End: AA37E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F85E5000
Module End: F85F4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F8993000
Module End: F8995000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F880D000
Module End: F8813000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F8997000
Module End: F8999000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F899B000
Module End: F899D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F882D000
Module End: F8835000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F895D000
Module End: F8960000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: AA207000
Module End: AA21A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: AA1AE000
Module End: AA207000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: AA195000
Module End: AA1AE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: AA174000
Module End: AA195000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F8605000
Module End: F860E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: AA14C000
Module End: AA174000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: AA12A000
Module End: AA14C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F8615000
Module End: F861E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: AA0FF000
Module End: AA12A000
Hidden: No

Module Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
Service Name: RapportPG
Module Base: AA0C5000
Module End: AA0FF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F8835000
Module End: F883D000
Hidden: No

Module Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys
Service Name: RapportKELL
Module Base: F8625000
Module End: F8632000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: AA055000
Module End: AA0C5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\usbvideo.sys
Service Name: usbvideo
Module Base: AA041000
Module End: AA055000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F8635000
Module End: F863E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F885D000
Module End: F8863000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: A9FF2000
Module End: AA041000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ASPI32.SYS
Service Name: ASPI32
Module Base: F7891000
Module End: F7895000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F8685000
Module End: F8695000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A9FB2000
Module End: A9FCA000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F89A5000
Module End: F89A7000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F893D000
Module End: F8940000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F8755000
Module End: F875A000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F8A52000
Module End: F8A53000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: A9E82000
Module End: A9E86000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: A9B65000
Module End: A9B7A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: A9D72000
Module End: A9D81000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: A9A36000
Module End: A9A62000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: A9764000
Module End: A97B6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: A95E4000
Module End: A95EE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: A9158000
Module End: A9199000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F8B59000
Module End: F8B5A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F881D000
Module End: F8822000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAssignProcessToJobObject
Address: AA0C5D10
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwCreateFile
Address: AA0C63F4
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwCreateThread
Address: AA0CA9D8
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwDeleteFile
Address: AA0C6556
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwDeleteKey
Address: AA0C995E
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwDeleteValueKey
Address: AA0C9990
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwOpenFile
Address: AA0C64AC
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwOpenProcess
Address: AA0C5E4A
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwOpenThread
Address: AA0C6030
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwProtectVirtualMemory
Address: AA0C6174
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwQueryValueKey
Address: AA0C9A64
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwRenameKey
Address: AA0C99CE
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwReplaceKey
Address: AA0C9A00
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwRestoreKey
Address: AA0C9A32
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwSetContextThread
Address: AA0C5CBE
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwSetInformationFile
Address: AA0C65B6
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwSetValueKey
Address: AA0C98FE
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwSuspendThread
Address: AA0C5C54
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwTerminateProcess
Address: AA0C5B94
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwTerminateThread
Address: AA0C5BEA
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

Function Name: ZwWriteVirtualMemory
Address: AA0CAA18
Driver Base: AA0C5000
Driver End: AA0FF000
Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: WIN2006:18080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: WIN2006:13128
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: WIN2006:10110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgemc.exe
State: LISTENING

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4791
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4789
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4787
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4785
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4783
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4780
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4779
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4777
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4775
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4767
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4765
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4761
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4757
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4737
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4732
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4730
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4729
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4720
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4717
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4711
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4700
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4699
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4695
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4693
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4691
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4677
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4627
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4143
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: LOCALHOST:4096
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:10080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: WIN2006:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: WIN2006:4791
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4787
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4783
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4780
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4779
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4777
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4775
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4761
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4757
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4737
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4732
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4730
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4729
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4720
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4717
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4711
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4700
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4699
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4695
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4693
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4691
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4677
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4627
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4615
Remote Address: LOCALHOST:10080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: WIN2006:4143
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4096
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:1049
Remote Address: LOCALHOST:1048
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:1048
Remote Address: LOCALHOST:1049
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:1035
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: WIN2006:1030
Remote Address: LOCALHOST:1029
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:1029
Remote Address: LOCALHOST:1030
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: WIN2006:4792
Remote Address: CHANNEL10.01.05.SF2P.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4788
Remote Address: QW-IN-F137.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4784
Remote Address: QW-IN-F100.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4782
Remote Address: QW-IN-F99.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4781
Remote Address: QW-IN-F99.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4778
Remote Address: QW-IN-F100.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4776
Remote Address: QW-IN-F100.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4762
Remote Address: VX-IN-F102.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4758
Remote Address: HE-IN-F167.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4738
Remote Address: 195.78.85.234:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4734
Remote Address: A96-6-41-114.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4733
Remote Address: A96-6-41-114.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4731
Remote Address: A96-6-41-114.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4722
Remote Address: A96-6-41-114.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4718
Remote Address: A96-6-41-114.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4712
Remote Address: A96-6-41-114.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4702
Remote Address: A96-6-41-131.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4701
Remote Address: A96-6-41-131.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4696
Remote Address: HE-IN-F165.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4694
Remote Address: OD-IN-F83.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4692
Remote Address: HE-IN-F103.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4678
Remote Address: OD-IN-F83.GOOGLE.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4628
Remote Address: API.11.07.SNC1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4616
Remote Address: OD-IN-F83.GOOGLE.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: WIN2006:4144
Remote Address: WWW.12.06.ASH1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:4097
Remote Address: WWW.11.06.ASH1.FACEBOOK.COM:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: WIN2006:1038
Remote Address: 24.253.53.234:55106
Type: TCP
Process: C:\Program Files\Skype\Phone\Skype.exe
State: ESTABLISHED

Local Address: WIN2006:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: WIN2006:20583
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Skype\Phone\Skype.exe
State: LISTENING

Local Address: WIN2006:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: WIN2006:HTTPS
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Skype\Phone\Skype.exe
State: LISTENING

Local Address: WIN2006:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: WIN2006:HTTP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Skype\Phone\Skype.exe
State: LISTENING

Local Address: WIN2006:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: WIN2006:1034
Remote Address: NA
Type: UDP
Process: C:\Program Files\Skype\Phone\Skype.exe
State: NA

Local Address: WIN2006:1031
Remote Address: NA
Type: UDP
Process: C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
State: NA

Local Address: WIN2006:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: WIN2006:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: WIN2006:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: WIN2006:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: WIN2006:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: WIN2006:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: WIN2006:20583
Remote Address: NA
Type: UDP
Process: C:\Program Files\Skype\Phone\Skype.exe
State: NA

Local Address: WIN2006:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: WIN2006:3591
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:3590
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:3560
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:3556
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:3306
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:3194
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:3066
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:3065
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:3064
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:1601
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:1599
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:1589
Remote Address: NA
Type: UDP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: NA

Local Address: WIN2006:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: WIN2006:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: WIN2006:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: WIN2006:HTTPS
Remote Address: NA
Type: UDP
Process: C:\Program Files\Skype\Phone\Skype.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\User\My Documents\Downloads\N\02 - Colpix period (1959-1964, 10 albums)\[1959] - NS - The Amazing NS - NS at Town Hall [320vbr]\[1959] - Nina Simone - Nina Simone At Town Hall [320vbr]\13 - NS - Black Is the Color of My True Love
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\02 - Colpix period (1959-1964, 10 albums)\[1959] - NS - The Amazing NS - NS at Town Hall [320vbr]\[1959] - Nina Simone - Nina Simone At Town Hall [320vbr]\17 - Nina Simone - I Don't Want Him (Anymore
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\02 - Colpix period (1959-1964, 10 albums)\[1959] - NS - The Amazing NS - NS at Town Hall [320vbr]\[1959] - Nina Simone - Nina Simone At Town Hall [320vbr]\19 - Nina Simone - Summertime [Vocal Version
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\02 - Colpix period (1959-1964, 10 albums)\[1959] - NS - The Amazing NS - NS at Town Hall [320vbr]\[1959] - Nina Simone - The Amazing Nina Simone [320vbr]\02 - Nina Simone - Children Go Where I Send Y
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\02 - Colpix period (1959-1964, 10 albums)\[1959] - NS - The Amazing NS - NS at Town Hall [320vbr]\[1959] - Nina Simone - The Amazing Nina Simone [320vbr]\03 - Nina Simone - Tomorrow (We Will Meet Onc
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\02 - Colpix period (1959-1964, 10 albums)\[1959] - NS - The Amazing NS - NS at Town Hall [320vbr]\[1959] - Nina Simone - The Amazing Nina Simone [320vbr]\09 - Nina Simone - Theme from Middle of the N
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\02 - Colpix period (1959-1964, 10 albums)\[1964-1966] - Nina Simone - Folksy Nina - Nina with Strings [320vbr]\[1966] - NS - Nina with Strings [320vbr]\18 - NS - Porgy, I Is Your Woman (Bess, You Is
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\02 - Colpix period (1959-1964, 10 albums)\[1964-1966] - Nina Simone - Folksy Nina - Nina with Strings [320vbr]\[1966] - NS - Nina with Strings [320vbr]\19 - NS - Gimme a Pigfoot (and a Bottle of Beer
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\03 - Philips period (1964-1967, 7 albums)\[1965-1966] - Nina Simone - Pastel Blues And Let It All Out [320vbr]\[1966] - Nina Simone - Let It All Out [320vbr]\17 - Nina Simone - The Ballad of Hollis B
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\03 - Philips period (1964-1967, 7 albums)\[1966] - Nina Simone - Wild Is the Wind AND High Priestes [320vbr]\[1966] - Nina Simone - High Priestess [320vbr]\12 - Nina Simone - Don't You Pay Them No Mi
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\03 - Philips period (1964-1967, 7 albums)\[1966] - Nina Simone - Wild Is the Wind AND High Priestes [320vbr]\[1966] - Nina Simone - High Priestess [320vbr]\21 - Nina Simone - He Ain't Coming Home No
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\03 - Philips period (1964-1967, 7 albums)\[1966] - Nina Simone - Wild Is the Wind AND High Priestes [320vbr]\[1966] - NS - Wild Is the Wind [320vbr]\09 - NS - Black Is The Color Of My True Love's Hai
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\04 - RCA period (1967-1974, 9 albums)\[1969-1971] - Nina Simone - To Love Somebody and Here Comes The Sun [320vbr]\[1971] - Nina Simone - Here Comes The Sun [320vbr]\10 - Nina Semone - Here Comes The
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\04 - RCA period (1967-1974, 9 albums)\[1969-1971] - Nina Simone - To Love Somebody and Here Comes The Sun [320vbr]\[1971] - Nina Simone - Here Comes The Sun [320vbr]\11 - Nina Semone - Just Like A Wo
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\04 - RCA period (1967-1974, 9 albums)\[1969-1971] - Nina Simone - To Love Somebody and Here Comes The Sun [320vbr]\[1971] - Nina Simone - Here Comes The Sun [320vbr]\14 - Nina Semone - New World Comi
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\04 - RCA period (1967-1974, 9 albums)\[1969-1971] - Nina Simone - To Love Somebody and Here Comes The Sun [320vbr]\[1971] - Nina Simone - Here Comes The Sun [320vbr]\15 - Nina Semone - Angle Of The M
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\04 - RCA period (1967-1974, 9 albums)\[1969-1971] - Nina Simone - To Love Somebody and Here Comes The Sun [320vbr]\[1971] - Nina Simone - Here Comes The Sun [320vbr]\16 - Nina Semone - How Long Must
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\04 - RCA period (1967-1974, 9 albums)\[1972-1974] - Nina Simone Emergency Ward & It Is Finished [320vbr]\[1972] - Nina Simone Emergency Ward [320vbr]\01 - Nina Simone - My Sweet Lord _ Today Is A Kil
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\04 - RCA period (1967-1974, 9 albums)\[1972-1974] - Nina Simone Emergency Ward & It Is Finished [320vbr]\[1974] - Nina Simone - It Is Finished [320vbr]\06 - Nina Simone - Funkier Than A Mosquito`s Tw
Status: Hidden

Object: C:\Documents and Settings\User\My Documents\Downloads\N\04 - RCA period (1967-1974, 9 albums)\[1972-1974] - Nina Simone Emergency Ward & It Is Finished [320vbr]\[1974] - Nina Simone - It Is Finished [320vbr]\08 - Nina Simone - I Want A Little Sugar In My
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{ABBD9F53-FB9A-48F0-89E1-9718F6E58105}
Status: Access denied

ComboFix 09-08-10.06 - User 08/11/2009 20:12.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.502.275 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.

2009-07-30 17:59 . 2009-03-10 21:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-07-30 17:59 . 2009-07-30 17:59 -------- d-----w- c:\windows\system32\KB905474
2009-07-30 17:59 . 2009-03-10 21:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-07-30 13:48 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-30 13:48 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-07-30 13:47 . 2009-03-06 14:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-30 13:47 . 2009-02-06 09:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-07-30 13:47 . 2005-07-26 04:20 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-07-30 13:47 . 2009-02-09 10:01 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-30 13:47 . 2009-02-06 10:22 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-30 13:47 . 2009-02-09 10:01 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-30 13:47 . 2009-02-06 09:41 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-30 13:47 . 2009-02-09 10:01 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-30 13:47 . 2009-02-09 10:01 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-30 13:40 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-07-30 13:35 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-28 15:16 . 2009-07-28 15:16 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-28 15:16 . 2009-07-28 15:16 -------- d-----w- c:\windows\system32\xircom
2009-07-28 15:16 . 2009-07-28 15:16 -------- d-----w- c:\program files\microsoft frontpage
2009-07-28 14:06 . 2009-07-30 13:01 -------- d-----w- c:\windows\system32\scripting
2009-07-28 14:06 . 2009-07-30 13:01 -------- d-----w- c:\windows\l2schemas
2009-07-28 14:06 . 2009-07-30 13:01 -------- d-----w- c:\windows\system32\en
2009-07-28 14:06 . 2009-07-30 13:01 -------- d-----w- c:\windows\system32\bits
2009-07-28 13:49 . 2007-06-13 11:26 1033216 ----a-w- c:\windows\system32\dllcache\explorer.exe
2009-07-28 13:48 . 2006-06-26 17:37 8192 ----a-w- c:\windows\system32\dllcache\rasadhlp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 19:11 . 2007-05-03 07:37 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2009-08-11 19:09 . 2008-04-17 18:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-06 21:13 . 2008-01-04 14:32 -------- d-----w- c:\documents and settings\User\Application Data\BitTorrent
2009-07-30 18:17 . 2008-10-03 08:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 13:01 . 2007-03-17 02:57 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-30 12:56 . 2009-07-03 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-29 17:33 . 2009-07-07 14:54 334544 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-28 15:20 . 2007-03-17 03:04 334544 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 14:52 . 2009-07-07 14:52 -------- d-----w- c:\documents and settings\Guest\Application Data\Trusteer
2009-07-05 14:08 . 2009-07-05 14:08 -------- d-----w- c:\program files\CCleaner
2009-07-03 23:01 . 2007-05-03 07:36 -------- d-----w- c:\program files\Google
2009-07-03 22:37 . 2009-07-03 22:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-01 11:42 . 2008-07-07 17:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-01 11:42 . 2008-06-11 14:31 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 11:42 . 2007-05-03 13:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 15:59 . 2005-10-13 00:14 668160 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 15:59 . 2004-08-03 21:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2004-08-03 21:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2001-08-23 11:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:24 . 2005-10-13 00:25 1291264 ----a-w- c:\windows\system32\quartz.dll
2007-10-04 00:05 . 2007-10-04 00:05 1808 ----a-w- c:\program files\HP Digital Imaging Monitor.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 766041]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-01 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-07-19 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-07-19 2879488]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-13 88204]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-17 113664]
DO!.txt [2009-8-11 13525]
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-7-3 908280]
~$DIARY.doc [2008-3-1 162]
~$G HOURS.doc [2008-2-22 162]
~$nvoice.doc [2008-3-1 162]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-01 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/11/2008 3:31 PM 327688]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/11/2008 3:31 PM 108552]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2/26/2009 7:24 AM 57320]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2/26/2009 7:24 AM 238952]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 6:58 PM 906520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 6:58 PM 298776]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [6/1/2009 9:53 AM 648424]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [7/28/2009 2:48 PM 15104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-08-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-30 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://warpmail.net/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\oyr2coqe.default\
FF - prefs.js: browser.startup.homepage - hxxp://hernandez.blog.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 20:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3276)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-11 20:21
ComboFix-quarantined-files.txt 2009-08-11 19:20
ComboFix2.txt 2009-08-10 17:15

Pre-Run: 13,621,596,160 bytes free
Post-Run: 13,575,757,824 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
198 --- E O F --- 2009-07-30 18:01

Hello -

I see you're using or have in the past used p2p software such as BitTorrent. Although p2p programs are not usually malware in their own right, oftentimes malware is installed alongside them. Even if the program is clean, people often upload infected files to be shared using these programs, and it is very easy to end up compromising your PC. It's your decision about whether or not you use p2p programs, you don't have to remove them to be deemed clean and I'll still give you help if you want to keep them. It's just important that you're aware of the risks, which I can assure you are very real given the number of infections we see here every day that are the result of p2p program use. If you want to continue using p2p programs that's fine with me, all I ask is that you not download anything from them until you're clean so we aren't taking steps backwards here. To remove p2p programs if you wish to do so, uninstall them from the Add/Remove Programs (it's Programs and Features in Vista) menu of your Control Panel.

As for the redirects still nothing showing up that would be causing them... let's give this a run:

Please download GooredFix from here or here and save it to your Desktop

• Double-click GooredFix.exe to run it.
• Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

Cheers,
Dave

i ran the application but it didn't give me any options.
this is the log that came up
thanks for your help dave



GooredFix by jpshortstuff (12.07.09)
Log created at 22:31 on 11/08/2009 (User)
Firefox version 3.5.2 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:59 03/07/2009]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [12:29 10/08/2007]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [14:31 11/06/2008]

-=E.O.F=-

and yes, i use bittorrent a bit but not that much, the odd bit of music and films here and there. will not use it during this clean up
ta

Still getting any website redirects?

yes,
no change.
does it make a difference that firefox is my browser?
ta
dan

That's where we're headed next . Taking a look at your log I notice a whole lot of custom set firefox policies:

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

It seems that this exact set of custom policies is often found together... did you set these, or run a program or make some other change that did? If you have any knowledge of how these got there or (equally helpful) if you're sure you have no idea how they got there, let me know.

- Dave

Edited by Transience, 12 August 2009 - 07:16 AM.

aside from fiddling a bit with the clear private data settings i can't think of ever spending much time in the firefox options. i haven't run a program to change the settings either. firefox updates itself a lot though.

most of those listed i have no idea who why or what would have changed them,
certainly not me...

hmmm.

Edited by tryhardtobekind, 12 August 2009 - 07:47 PM.