Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Google Redirect Virus ... Help Requested!

Started by jess07 , Mar 25 2009 08:12 PM

  • Please log in to reply

#1
jess07
Posted 25 March 2009 - 08:12 PM

jess07

    Member

  • Member
  • PipPip
  • 15 posts
Hi everyone,

I'm also struggling with the Google redirect virus that's going around. Here are the steps I've taken. I've followed all the steps in the Malware/Spyware Cleaning Guide, and here are the results:

Malwarebytes: Complete system scan, no malicious files detected
Avast & SuperAntiSpyware: Complete system scans, nothing found
Rooter: Will not run
ComboFix: Begins to load, then closes

On a possibly related note, I can no longer get sound to play on my computer. In Device Manager, there is a yellow question mark under "Other Devices" that says: Audio Device on High Definition Audio Bus. NO new audio hardware has been installed, and this happened almost immediately following when the Google redirects started last night.

Here's my OTListIt log. I also have HijackThis if needed. Advice is greatly appreciated!

---------------------

OTListIt logfile created on: 3/25/2009 7:04:03 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.7.2 Folder = C:\Documents and Settings\Jess\Desktop\PC Applications\Virus Removal
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.24 Gb Available Physical Memory | 62.15% Memory free
3.35 Gb Paging File | 2.75 Gb Available in Paging File | 81.99% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 147.09 Gb Free Space | 63.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 649.95 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 27.85 Gb Total Space | 14.73 Gb Free Space | 52.89% Space Free | Partition Type: FAT32

Computer Name: J-X1O5HCTKDAW90
Current User Name: Jess
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Advanced Micro Devices Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
PRC - C:\Program Files\a-squared Free\a2service.exe (Emsi Software GmbH)
PRC - C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe (Jay Elaraj)
PRC - C:\Documents and Settings\Jess\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\WINDOWS\system32\CSHelper.exe ()
PRC - C:\Program Files\iWin Games\iWinGamesInstaller.exe (iWin Inc.)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\Jess\Desktop\PC Applications\Virus Removal\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (a2free [Auto | Running]) -- C:\Program Files\a-squared Free\a2service.exe (Emsi Software GmbH)
SRV - (Adobe LM Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe ()
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (aswUpdSv [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (avast! Antivirus [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CSHelper [Auto | Running]) -- C:\WINDOWS\system32\CSHelper.exe ()
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (helpsvc [On_Demand | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (iWinGamesInstaller [Auto | Running]) -- C:\Program Files\iWin Games\iWinGamesInstaller.exe (iWin Inc.)
SRV - (Ldaroxntdwi [Disabled | Stopped]) -- File not found
SRV - (LVCOMSer [Auto | Stopped]) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (Logitech Inc.)
SRV - (LVPrcSrv [Auto | Stopped]) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (Macromedia Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe ()
SRV - (Ms2tiemes [On_Demand | Stopped]) -- File not found
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (vsmon [Auto | Running]) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

========== Driver Services (SafeList) ==========

DRV - (Aavmker4 [System | Running]) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)
DRV - (AEC671X [System | Stopped]) -- C:\WINDOWS\System32\drivers\AEC671X.SYS (Acard Technology Corp.)
DRV - (AmdLLD [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\AmdLLD.sys (AMD, Inc.)
DRV - (asc [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (aswFsBlk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (ALWIL Software)
DRV - (aswMon2 [Auto | Running]) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswRdr [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP [System | Running]) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswTdi [System | Running]) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AtiHdmiService [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (DgiVecp [Auto | Running]) -- C:\WINDOWS\System32\Drivers\DgiVecp.sys (DeviceGuys, Inc.)
DRV - (DMX3191 [System | Stopped]) -- C:\WINDOWS\System32\drivers\DMX3191.SYS (Microsoft Corporation)
DRV - (enodpl [Auto | Running]) -- C:\WINDOWS\System32\drivers\enodpl.sys ()
DRV - (FilterService [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys (Logitech Inc.)
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (lvpopflt [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\lvpopflt.sys (Logitech Inc.)
DRV - (LVPr2Mon [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys ()
DRV - (LVRS [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\lvrs.sys (Logitech Inc.)
DRV - (LVUSBSta [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (LVUVC [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\lvuvc.sys (Logitech Inc.)
DRV - (ms_mpu401 [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (MTsensor [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ASACPI.sys ()
DRV - (nvax [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (NVENETFD [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\NVENETFD.sys (NVIDIA Corporation)
DRV - (nvnetbus [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\nvnetbus.sys (NVIDIA Corporation)
DRV - (nvnforce [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (pavboot [Boot | Running]) -- C:\WINDOWS\system32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (pcouffin [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\pcouffin.sys (VSO Software)
DRV - (pctvvbi [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\pctvvbi.sys (Pinnacle Systems)
DRV - (pepifilter [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\lv302af.sys (Logitech Inc.)
DRV - (PID_PEPI [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\LV302V32.SYS (Logitech Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (SASDIFSV [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Running]) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (scsiscan [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\scsiscan.sys (Microsoft Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (Si3114r5 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Si3114r5.sys (Silicon Image, Inc)
DRV - (SiFilter [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc.)
DRV - (SiRemFil [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\SiRemFil.sys (Silicon Image, Inc.)
DRV - (sptd [Boot | Running]) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (srescan [Boot | Running]) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys (Check Point Software Technologies LTD)
DRV - (tandpl [Auto | Running]) -- C:\WINDOWS\System32\drivers\tandpl.sys ()
DRV - (tbhsd [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\tbhsd.sys (RapidSolution Software AG)
DRV - (tmcomm [Auto | Running]) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (truecrypt [System | Running]) -- C:\WINDOWS\system32\Drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (usbaudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (vsdatant [System | Running]) -- C:\WINDOWS\System32\vsdatant.sys (Check Point Software Technologies LTD)
DRV - (yukonwxp [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\yk51x86.sys (Marvell)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en"
FF - prefs.js..extensions.enabledItems: {A5994E3F-0D1C-4abb-AD80-B41B474DF865}:1.5
FF - prefs.js..extensions.enabledItems: {cc4dacb5-8c7c-6ac0-dd91-f57a9399d48e}:0.1.4
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.93
FF - prefs.js..extensions.enabledItems: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}:0.9.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.11.09
FF - prefs.js..extensions.enabledItems: {91aa5abe-9de4-4347-b7b5-322c38dd9271}:3.1
FF - prefs.js..extensions.enabledItems: {671c8440-f787-11dc-95ff-0800200c9a66}:1.0.3
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.22
FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:6.2.1.3
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: [email protected]:1.6.4
FF - prefs.js..extensions.enabledItems: [email protected]:3.1.0
FF - prefs.js..extensions.enabledItems: {317B5128-0B0B-49b2-B2DB-1E7560E16C74}:2.5.4
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.28
FF - prefs.js..extensions.enabledItems: {89736E8E-4B14-4042-8C75-AD00B6BD3900}:1.0.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.7

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX [2009/01/04 13:22:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/25 17:45:35 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.4\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/25 06:33:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.4\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/16 15:31:03 | 00,000,000 | ---D | M]

[2008/06/25 23:06:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Extensions
[2008/06/25 23:06:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/09/25 20:31:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\backup-x0vzmvd8.default\extensions
[2008/09/25 20:31:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\backup-x0vzmvd8.default\extensions\{20291fcc-1471-46c8-8213-0911f5ce6d66}
[2008/09/25 20:31:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\backup-x0vzmvd8.default\extensions\{4BCC5CF2-DD1B-4f34-80BA-E5A2355D3936}
[2008/09/25 20:31:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\backup-x0vzmvd8.default\extensions\{89736E8E-4B14-4042-8C75-AD00B6BD3900}
[2008/09/25 20:31:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\backup-x0vzmvd8.default\extensions\{91aa5abe-9de4-4347-b7b5-322c38dd9271}
[2008/09/25 20:31:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\backup-x0vzmvd8.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2008/09/25 20:31:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\backup-x0vzmvd8.default\extensions\[email protected]
[2008/09/25 20:31:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\backup-x0vzmvd8.default\extensions\[email protected]
[2009/03/25 18:47:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions
[2009/03/15 00:42:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
[2009/03/04 03:28:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2009/03/12 06:24:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{671c8440-f787-11dc-95ff-0800200c9a66}
[2009/03/20 23:11:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2008/09/08 23:18:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{89736E8E-4B14-4042-8C75-AD00B6BD3900}
[2009/01/15 19:13:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{91aa5abe-9de4-4347-b7b5-322c38dd9271}
[2009/03/19 18:02:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{A5994E3F-0D1C-4abb-AD80-B41B474DF865}
[2009/03/15 17:13:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2009/02/26 15:25:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{cc4dacb5-8c7c-6ac0-dd91-f57a9399d48e}
[2009/03/24 23:36:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\[email protected]
[2008/10/20 00:47:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\[email protected]
[2009/03/04 13:49:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\[email protected]
[2009/03/22 01:22:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\[email protected]
[2009/03/09 21:34:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jess\Application Data\mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\[email protected]
[2009/02/05 01:25:39 | 00,001,504 | ---- | M] () -- C:\Documents and Settings\Jess\Application Data\Mozilla\FireFox\Profiles\x0vzmvd8.default\searchplugins\imdb.xml
[2009/03/23 13:03:55 | 00,001,172 | ---- | M] () -- C:\Documents and Settings\Jess\Application Data\Mozilla\FireFox\Profiles\x0vzmvd8.default\searchplugins\swagbuckscom.xml
[2009/02/05 01:25:46 | 00,000,705 | ---- | M] () -- C:\Documents and Settings\Jess\Application Data\Mozilla\FireFox\Profiles\x0vzmvd8.default\searchplugins\webster.xml
[2008/11/21 23:08:15 | 00,001,032 | ---- | M] () -- C:\Documents and Settings\Jess\Application Data\Mozilla\FireFox\Profiles\x0vzmvd8.default\searchplugins\wikipedia-eng.xml
[2009/02/26 15:21:29 | 00,002,577 | ---- | M] () -- C:\Documents and Settings\Jess\Application Data\Mozilla\FireFox\Profiles\x0vzmvd8.default\searchplugins\wordpot---the-keyword-finder.xml
[2009/02/12 20:42:25 | 00,005,595 | ---- | M] () -- C:\Documents and Settings\Jess\Application Data\Mozilla\FireFox\Profiles\x0vzmvd8.default\searchplugins\wordtracker.xml
[2009/03/25 18:47:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/07 00:35:50 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/25 17:45:50 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/03/07 00:35:37 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/07 00:35:37 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/03/07 00:35:45 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/03/07 00:35:45 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/03/07 00:35:45 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/03/07 00:35:45 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/03/07 00:35:45 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/03/07 00:35:45 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/03/07 00:35:45 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (291282 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 10032 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe" (ALWIL Software)
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UpdateService\ISUSPM.exe -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot (Nuance Communications, Inc.)
O4 - HKLM..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Google Update] "C:\Documents and Settings\Jess\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKCU..\Run: [Taskbar Shuffle] "C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe" (Jay Elaraj)
O4 - Startup: C:\Documents and Settings\Jess\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - File not found
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - File not found
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: spoonyexperiment.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 63 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/b...lineScanner.cab (Reg Error: Value error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\khfFwUli) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - E:\AutoRun.exe (TODO: <Company name>) - [ CDFS ]
O32 - Autorun File - E:\autorun.inf () - [ CDFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\autorun.exe -- [2003/11/08 07:33:06 | 10,268,672 | R--- | M] (TODO: <Company name>)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/03/25 17:34:05 | 01,339,834 | ---- | C] () -- C:\MGtools.exe
[2009/03/25 17:02:59 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/25 16:58:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/03/25 16:58:22 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\Jess\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/03/25 16:58:14 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/03/25 16:49:56 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/03/25 15:44:52 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/03/25 15:43:36 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/03/25 07:38:00 | 21,470,12608 | -HS- | C] () -- C:\hiberfil.sys
[2009/03/25 07:34:43 | 00,051,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/03/25 07:34:43 | 00,023,152 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/03/25 07:34:42 | 00,026,944 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/03/25 07:34:41 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/03/25 07:34:40 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/03/25 07:34:40 | 00,094,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/03/25 07:34:40 | 00,093,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/03/25 07:34:40 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/03/25 07:34:26 | 01,256,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/03/25 07:34:26 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/03/25 06:25:15 | 00,000,140 | ---- | C] () -- C:\Documents and Settings\Jess\My Documents\cf.html
[2009/03/25 06:10:25 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/03/25 06:09:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\My Documents\Downloads
[2009/03/25 06:05:19 | 00,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-2052111302-725345543-1004.job
[2009/03/25 05:49:58 | 00,000,000 | ---D | C] -- C:\SDFix
[2009/03/25 05:38:48 | 00,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2009/03/25 05:38:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\My Documents\a-squared Free
[2009/03/25 05:24:41 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/25 05:24:38 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/25 05:24:36 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/25 05:11:20 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/03/25 00:18:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\My Documents\Micro Niche Finder
[2009/03/25 00:18:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Micro Niche Finder
[2009/03/25 00:18:12 | 00,000,000 | ---D | C] -- C:\Program Files\Micro Niche Finder
[2009/03/22 00:34:50 | 00,000,211 | ---- | C] () -- C:\Documents and Settings\Jess\Desktop\Google.url
[2009/03/17 02:31:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\Local Settings\Application Data\IsolatedStorage
[2009/03/17 02:29:41 | 00,000,000 | ---D | C] -- C:\Program Files\Incansoft
[2009/03/16 15:32:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/03/16 15:30:33 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/03/15 01:08:29 | 00,000,000 | ---D | C] -- C:\Program Files\Power Article Rewriter
[2009/03/15 00:45:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\Application Data\CyberMatrix
[2009/03/15 00:45:05 | 00,000,000 | ---D | C] -- C:\Program Files\Clipboard Magic
[2009/03/15 00:42:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\My Documents\iMacros
[2009/03/07 00:18:19 | 00,001,467 | ---- | C] () -- C:\Documents and Settings\Jess\Desktop\Internet Marketing.lnk
[2009/03/07 00:17:56 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Jess\My Documents\Internet Marketing
[2009/03/06 05:01:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/03/05 21:13:08 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Jess\Desktop\Niche Sites
[2009/03/05 21:02:03 | 00,000,000 | ---D | C] -- C:\Program Files\pp
[2009/03/05 16:14:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\Local Settings\Application Data\AMIArticleWriter
[2009/03/05 15:00:50 | 00,000,000 | ---D | C] -- C:\Program Files\AMI Article Writer
[2009/03/05 14:46:29 | 00,000,000 | ---D | C] -- C:\Program Files\G-Lock Software
[2009/03/05 14:46:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\Application Data\G-Lock Software
[2009/03/03 22:37:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2009/03/02 17:20:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\My Documents\Web Stuff
[2009/03/01 16:19:13 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Jess\Desktop\Downloads
[2009/02/28 00:27:34 | 00,000,000 | ---D | C] -- C:\Program Files\GamerLog
[2009/02/27 19:28:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/02/24 17:39:17 | 00,034,304 | ---- | C] (AMD, Inc.) -- C:\WINDOWS\System32\drivers\AmdLLD.sys
[2009/02/24 17:39:16 | 00,000,000 | ---D | C] -- C:\Program Files\AMD
[2009/02/24 17:31:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jess\Local Settings\Application Data\Downloaded Installations
[2009/02/24 16:09:39 | 00,007,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\enodpl.sys
[2009/02/24 16:09:39 | 00,004,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\tandpl.sys
[2009/02/24 15:57:42 | 00,000,000 | ---D | C] -- C:\Program Files\Ubisoft

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/03/25 18:32:02 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-2052111302-725345543-1004.job
[2009/03/25 17:40:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/25 17:40:25 | 00,348,370 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/03/25 17:40:03 | 21,470,12608 | -HS- | M] () -- C:\hiberfil.sys
[2009/03/25 17:38:57 | 08,077,958 | -H-- | M] () -- C:\Documents and Settings\Jess\Local Settings\Application Data\IconCache.db
[2009/03/25 17:34:05 | 01,339,834 | ---- | M] () -- C:\MGtools.exe
[2009/03/25 16:58:22 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\Jess\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/03/25 16:21:55 | 00,000,643 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/25 16:21:55 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/25 16:21:55 | 00,000,223 | RHS- | M] () -- C:\boot.ini
[2009/03/25 07:34:40 | 00,002,639 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/03/25 07:23:46 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/03/25 06:25:16 | 00,000,140 | ---- | M] () -- C:\Documents and Settings\Jess\My Documents\cf.html
[2009/03/25 00:22:28 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/24 18:21:51 | 00,066,560 | ---- | M] () -- C:\Documents and Settings\Jess\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/23 15:24:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/03/22 00:34:50 | 00,000,211 | ---- | M] () -- C:\Documents and Settings\Jess\Desktop\Google.url
[2009/03/21 04:08:30 | 00,000,542 | ---- | M] () -- C:\WINDOWS\tasks\Weekly Backup.job
[2009/03/20 17:03:26 | 00,002,873 | ---- | M] () -- C:\Documents and Settings\Jess\Application Data\SAS7_000.DAT
[2009/03/20 04:13:49 | 00,002,521 | ---- | M] () -- C:\Documents and Settings\Jess\Desktop\Microsoft Office Outlook 2003.lnk
[2009/03/11 05:47:11 | 00,329,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/09 02:33:30 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2009/03/07 05:59:24 | 00,001,467 | ---- | M] () -- C:\Documents and Settings\Jess\Desktop\Internet Marketing.lnk
[2009/03/02 17:27:00 | 00,001,610 | ---- | M] () -- C:\Documents and Settings\Jess\Desktop\Endicia.lnk
[2009/03/02 17:26:53 | 00,001,600 | ---- | M] () -- C:\Documents and Settings\Jess\Desktop\Quickbooks.lnk
[2009/03/02 17:25:55 | 00,001,412 | ---- | M] () -- C:\Documents and Settings\Jess\Desktop\Freelance.lnk
[2009/03/02 17:25:34 | 00,001,498 | ---- | M] () -- C:\Documents and Settings\Jess\Desktop\TSE.lnk
[2009/03/01 04:00:00 | 00,000,382 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2009/02/25 12:55:00 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:912389B7
@Alternate Data Stream - 94 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8658F1F5
@Alternate Data Stream - 766 bytes -> C:\Documents and Settings\Jess\Desktop\Japan National Postal Codes.url:favicon
@Alternate Data Stream - 500 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 204 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0664ADFC
@Alternate Data Stream - 196 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:69FD6BF0
@Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6677D85A
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0AA21473
@Alternate Data Stream - 1438 bytes -> C:\Documents and Settings\Jess\Desktop\Country Abbreviations.url:favicon
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2836460B
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:95EBD4E0
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4DDCE10B
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:353FE71F
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:353B2FF9
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:75A89023
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1713795
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E11ABA64
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6346EE9
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:97C84299
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:43E95997
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AEC895D8
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6BF0805F
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:543CAD1B
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1037D53D
@Alternate Data Stream - 1150 bytes -> C:\Documents and Settings\Jess\Desktop\Google.url:favicon
@Alternate Data Stream - 1150 bytes -> C:\Documents and Settings\Jess\Desktop\ATP Tennis.url:favicon
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EF794BCD
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E1D818F7
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:991838E5
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:708BB0FA
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F1019FF
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:33AFD01D
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4CF4C16
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6520B0F3
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:462F5905
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E862007A
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0EB1DE
@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7AF9CAEB
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DA50D64F
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:145EE4E0
< End of report >
  • 0

Advertisements

#2
kahdah
Posted 26 March 2009 - 06:34 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello jess07

Welcome to G2Go. :)
=====================
Download the GMER Rootkit Scanner.
Click the Download exe button and save the randomly named file to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click randomlynamed.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
  • 0

#3
jess07
Posted 26 March 2009 - 11:01 PM

jess07

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks for your help! I didn't get any kind of rootkit alert during scanning, but my computer did crash the first two times I ran it, so hopefully third time was the charm. Here's my log:



GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-26 21:50:47
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xACCB26B8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xACE638D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xACE606E0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xACCB2574]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xACE63E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xACE6AC80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xACE6AE90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xACE6ED50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xACE63F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xACE60C70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xACE6DD10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xACCB2A52]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xACE6A600]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xACE6E230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xACE6E2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xACE60AD0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xACCB264E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xACE6C4F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xACE6C2B0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xACCB276E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xACE6E970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xACE6E3D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xACE634F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xACCB272E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xACE63AA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xACE60EA0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xACCB28AE]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xACE6B580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xACE6B400]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [90, 3E, E6, AC, 80, AC, E6, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2EC4 80504760 8 Bytes JMP 6420F44B
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? srescan.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B9BFB8AC 5 Bytes JMP 8BAC8770
? System32\Drivers\ax4pfb9q.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9ED429A] sptd.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [ACE68410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [ACE68220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [ACE68B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [ACE66780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [ACE66780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [ACE68410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [ACE68220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [ACE68B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [ACE68410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [ACE66780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [ACE68B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [ACE68220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [ACE68B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [ACE68220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [ACE68410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [ACE66780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [ACE68410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [ACE68220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [ACE68B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [ACE68B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [ACE68220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [ACE66780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [ACE68410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [ACE68410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [ACE66780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [ACE68B50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [ACE68220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[992] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[992] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8BBC51E8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom 8A0AE1E8
Device \Driver\usbstor \Device\0000008f 8A37A1E8
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\NetBT \Device\NetBT_Tcpip_{F86FBBEE-58FE-4F4B-AE52-4DCEB81B3148} 8A3E1790
Device \Driver\usbohci \Device\USBPDO-0 8BA334D8
Device \Driver\usbehci \Device\USBPDO-1 8BAAB1E8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\PCI_NTPNP5362 \Device\00000056 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8BB551E8
Device \Driver\Cdrom \Device\CdRom0 8B9F21E8
Device \Driver\Cdrom \Device\CdRom1 8B9F21E8
Device \Driver\Cdrom \Device\CdRom2 8B9F21E8
Device \Driver\usbstor \Device\00000090 8A37A1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A3E1790
Device \Driver\NetBT \Device\NetbiosSmb 8A3E1790
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 8BA334D8
Device \Driver\usbehci \Device\USBFDO-1 8BAAB1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A39D1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{16C28E3C-D6A6-45B7-8729-C140FE68FE33} 8A3E1790
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A39D1E8
Device \Driver\Ftdisk \Device\FtControl 8BB551E8
Device \Driver\usbstor \Device\0000008c 8A37A1E8
Device \Driver\ax4pfb9q \Device\Scsi\ax4pfb9q1Port7Path0Target0Lun0 8B9E5790
Device \Driver\asc \Device\Scsi\asc4 8BB541E8
Device \Driver\ax4pfb9q \Device\Scsi\ax4pfb9q1 8B9E5790
Device \Driver\usbstor \Device\0000008d 8A37A1E8
Device \FileSystem\Fastfat \Fat 8A0AE1E8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs 8A20D1E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x7B 0x6D 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x42 0x21 0x71 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD8 0x27 0x18 0x0D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x7B 0x6D 0x30 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x42 0x21 0x71 0xD5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0F 0x3A 0x57 0x9F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x7B 0x6D 0x30 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x42 0x21 0x71 0xD5 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD8 0x27 0x18 0x0D ...

---- EOF - GMER 1.0.15 ----
  • 0

#4
kahdah
Posted 27 March 2009 - 06:08 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Make sure to Disable your Antivirus before running Combofix:
Also do Install the Recovery Console when asked.
=====================================
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

  • 0

#5
jess07
Posted 27 March 2009 - 02:51 PM

jess07

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I'm surprised ComboFix actually ran this time! I've tried 4 - 5 times before and it wouldn't run at all. Here's the log (I'll put HijackThis in another post):

---------------

ComboFix 09-03-26.03 - Jess 2009-03-27 13:20:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1469 [GMT -7:00]
Running from: c:\documents and settings\Jess\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090327-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jess\Application Data\.#
c:\documents and settings\Jess\Application Data\inst.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IWINGAMESINSTALLER
-------\Service_iWinGamesInstaller


((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-27 00:31 . 2009-01-09 12:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-26 23:18 . 2009-03-26 23:18 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-03-26 22:56 . 2008-07-10 04:07 7,143 --a------ c:\windows\system32\nvide.nvu
2009-03-26 22:45 . 2009-03-26 22:45 <DIR> d-------- c:\program files\Realtek
2009-03-26 22:45 . 2008-12-25 17:32 3,721,664 --a------ c:\windows\system32\drivers\RtKHDMI.sys
2009-03-26 22:45 . 2008-09-19 17:48 1,200,128 --a------ c:\windows\RtkUpd.exe
2009-03-26 22:45 . 2007-11-14 15:18 553 --a------ c:\windows\USetup.iss
2009-03-26 22:44 . 2008-08-25 16:17 528,384 --a------ c:\windows\RtlExUpd.dll
2009-03-26 22:43 . 2009-03-26 22:52 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-26 22:43 . 2009-03-26 22:44 <DIR> d-------- C:\df5d269521e7178ee5353eedf50079b1
2009-03-26 22:23 . 2009-03-26 22:23 <DIR> d-------- C:\4d1e0cd4b1d198a0b35892d85f5e
2009-03-26 22:22 . 2009-03-26 22:22 <DIR> dr-h----- C:\AHCache
2009-03-26 22:22 . 2009-03-26 22:31 <DIR> d-------- C:\45aeb7847de6336e6dad757adda0
2009-03-26 22:21 . 2009-03-26 23:05 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2009-03-26 03:19 . 2008-08-20 18:35 453,152 --a------ c:\windows\system32\nvusmb.exe
2009-03-26 03:19 . 2008-04-13 17:12 23,552 --a------ c:\windows\system32\wdmaud.drv
2009-03-26 03:19 . 2008-04-13 17:12 23,552 --a--c--- c:\windows\system32\dllcache\wdmaud.drv
2009-03-26 03:18 . 2008-08-21 15:15 2,306 --a------ c:\windows\system32\nvsmb.nvu
2009-03-26 03:06 . 2009-03-26 03:06 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-03-26 03:06 . 2009-03-26 03:06 <DIR> d-------- c:\documents and settings\Jess\Application Data\SystemRequirementsLab
2009-03-26 02:58 . 2009-03-26 23:18 <DIR> d-------- c:\program files\Uniblue
2009-03-26 02:58 . 2009-03-26 23:18 <DIR> d-------- c:\documents and settings\Jess\Application Data\Uniblue
2009-03-26 02:58 . 2009-03-26 03:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-03-26 02:56 . 2009-03-26 02:58 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-03-26 02:43 . 2009-03-26 02:43 <DIR> d-------- c:\program files\Belarc
2009-03-26 02:43 . 2008-02-27 13:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys
2009-03-26 01:33 . 2009-03-26 01:33 <DIR> d-------- C:\Rogue Removal Kit
2009-03-25 22:42 . 2009-03-25 22:59 2,934,705 --a------ C:\ComboFix.exe
2009-03-25 17:45 . 2009-03-25 17:45 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-25 17:34 . 2009-03-25 17:34 1,339,834 --a------ C:\MGtools.exe
2009-03-25 17:02 . 2009-03-25 17:03 <DIR> d-------- C:\Rooter$
2009-03-25 16:58 . 2009-03-25 16:58 <DIR> d-------- c:\program files\ERUNT
2009-03-25 15:44 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-25 15:43 . 2009-03-25 15:43 <DIR> d-------- c:\program files\Panda Security
2009-03-25 06:45 . 2009-03-25 06:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-25 06:32 . 2009-03-25 17:46 <DIR> d-------- c:\documents and settings\Administrator
2009-03-25 06:11 . 2009-03-25 06:11 <DIR> d-------- c:\documents and settings\Jess\.housecall6.6
2009-03-25 06:10 . 2009-03-25 07:23 664 --a------ c:\windows\system32\d3d9caps.dat
2009-03-25 05:49 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-03-25 05:38 . 2009-03-25 06:25 <DIR> d-------- c:\program files\a-squared Free
2009-03-25 05:24 . 2009-03-25 05:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 05:24 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-25 05:24 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-25 05:11 . 2009-03-25 05:12 <DIR> d-------- c:\program files\SpywareBlaster
2009-03-25 00:18 . 2009-03-25 00:18 <DIR> d-------- c:\program files\Micro Niche Finder
2009-03-25 00:18 . 2009-03-25 00:18 <DIR> d-------- c:\documents and settings\All Users\Micro Niche Finder Service
2009-03-25 00:18 . 2009-03-26 04:58 <DIR> d-------- c:\documents and settings\All Users\Micro Niche Finder
2009-03-25 00:18 . 2009-03-25 00:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Micro Niche Finder
2009-03-17 02:29 . 2009-03-17 02:30 <DIR> d-------- c:\program files\Incansoft
2009-03-16 15:32 . 2009-03-16 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 15:30 . 2009-03-16 15:31 <DIR> d-------- c:\program files\QuickTime
2009-03-15 01:08 . 2009-03-15 02:52 <DIR> d-------- c:\program files\Power Article Rewriter
2009-03-15 00:45 . 2009-03-15 00:45 <DIR> d-------- c:\program files\Clipboard Magic
2009-03-15 00:45 . 2009-03-15 00:46 <DIR> d-------- c:\documents and settings\Jess\Application Data\CyberMatrix
2009-03-05 21:02 . 2009-03-25 05:06 <DIR> d-------- c:\program files\pp
2009-03-05 15:00 . 2009-03-08 01:10 <DIR> d-------- c:\program files\AMI Article Writer
2009-03-05 14:46 . 2009-03-05 14:46 <DIR> d-------- c:\program files\G-Lock Software
2009-03-05 14:46 . 2009-03-05 14:46 <DIR> d-------- c:\documents and settings\Jess\Application Data\G-Lock Software
2009-03-03 22:37 . 2009-03-03 22:49 <DIR> d-------- c:\windows\BDOSCAN8
2009-02-28 00:27 . 2009-02-28 00:40 <DIR> d-------- c:\program files\GamerLog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 20:41 --------- d-----w c:\program files\Taskbar Shuffle
2009-03-27 06:32 --------- d-----w c:\documents and settings\Jess\Application Data\wsInspector
2009-03-27 06:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-27 06:11 --------- d-----w c:\documents and settings\Jess\Application Data\uTorrent
2009-03-27 05:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-26 00:26 --------- d-----w c:\program files\Java
2009-03-26 00:23 --------- d-----w c:\program files\Logitech
2009-03-26 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 12:15 --------- d-----w c:\program files\Common Files\Apple
2009-03-25 11:41 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 12:14 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-21 00:03 2,873 ----a-w c:\documents and settings\Jess\Application Data\SAS7_000.DAT
2009-03-16 22:32 --------- d-----w c:\program files\iTunes
2009-03-16 22:32 --------- d-----w c:\program files\iPod
2009-03-04 05:07 --------- d-----w c:\program files\Totem Tribe
2009-03-04 05:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 00:39 --------- d-----w c:\program files\AMD
2009-02-24 22:57 --------- d-----w c:\program files\Ubisoft
2009-02-23 07:20 --------- d-----w c:\program files\r2 Studios
2009-02-11 08:22 53,248 ----a-w c:\documents and settings\Jess\lametritonus_en.dll
2009-02-11 08:22 162,304 ----a-w c:\documents and settings\Jess\lame_enc_en.dll
2009-02-05 12:00 --------- d-----w c:\program files\MSXML 4.0
2009-02-04 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-02-04 09:02 --------- d-----w c:\documents and settings\Jess\Application Data\Nuance
2009-02-04 08:59 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2009-02-04 08:59 --------- d-----w c:\program files\Common Files\Nuance
2009-02-04 08:59 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-04 08:59 --------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft
2009-02-04 08:58 --------- d-----w c:\program files\Nuance
2009-02-04 08:58 --------- d-----w c:\documents and settings\All Users\Application Data\Nuance
2009-02-04 08:24 --------- d-----w c:\program files\PeerGuardian2
2009-01-31 09:04 --------- d-----w c:\program files\IObit
2009-01-31 09:04 --------- d-----w c:\documents and settings\Jess\Application Data\IObit
2009-01-29 23:49 --------- d-----w c:\documents and settings\Jess\Application Data\PlayFirst
2009-01-29 23:49 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-28 05:50 --------- d-----w c:\documents and settings\Jess\Application Data\Move Networks
2009-01-27 23:38 --------- d-----w c:\program files\ReflexiveArcade
2008-03-22 04:25 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-12-18 00:29 81,920 -c--a-w c:\documents and settings\Jess\Application Data\ezpinst.exe
2007-12-18 00:29 47,360 -c--a-w c:\documents and settings\Jess\Application Data\pcouffin.sys
2008-09-08 04:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UpdateService\ISUSPM.exe" [2005-02-16 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 148888]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]

c:\documents and settings\Jess\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-09 13:35 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= PCLEPIM1.dll
"aux7"= c:\windows\system32\..\tlfe.cpv

[HKLM\~\startupfolder\C:^Documents and Settings^Jess^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
backup=c:\windows\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
--a------ 2007-04-16 07:33 259624 c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
--a------ 2008-08-26 09:48 2019624 c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Diskeeper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Eraser"=c:\program files\Eraser\Eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\FireFly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-25 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-25 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-25 20560]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-02-19 266240]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [1998-05-05 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [1999-02-23 17700]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
S3 Nasopsmgr;Nasopsmgr; [x]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [2008-07-18 6400]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2007-08-01 11520]
S4 Ldaroxntdwi;Ldaroxntdwi; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-2052111302-725345543-1004.job
- c:\documents and settings\Jess\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-25 06:06]

2009-03-01 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-03-01 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-01-31 02:04]

2009-03-21 c:\windows\Tasks\Weekly Backup.job
- c:\program files\Future Systems Solutions\Casper 4.0\CASPER.EXE [2007-10-09 22:24]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.msn.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: spoonyexperiment.com\www
FF - ProfilePath - c:\documents and settings\Jess\Application Data\Mozilla\Firefox\Profiles\x0vzmvd8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\documents and settings\Jess\Application Data\Mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\Jess\Application Data\Mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Jess\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCE08D86A-A41A-410A-943C-13BABB7DC474", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9EDC9ED-603A-4F3F-BBEA-59C8853A3236", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID90D10942-D952-4863-9DD6-A2BDBBAD456E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0ECEE744-7B69-4912-AB91-AE76D61ECB04", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF25635B2-1AB9-47B5-88D1-8877B22C86DE", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID27B7F812-4159-45B9-A389-B7A118A58DE4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF849DF29-393B-4F8B-99D1-117A70D66FC7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBF1E9C3D-637C-4171-BD12-28A7360B879A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDDE1C0601-7947-4D7F-A6E5-E68BF6BA1E37", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EA0DCCE-4D98-4876-9C6A-E5C563D0820A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID446462BA-2AAD-4C88-BC63-5210E2F31465", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0862E368-A40E-4E55-83EB-FBC5571BABA4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDD2A96E3C-FFB3-4D38-9AC3-B127527BEA35", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4B05B39A-9DDC-4650-A7F8-D5B134E5FFE5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC8E2574A-7BCE-4B93-A22E-61831DFD6DB8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID659796C0-8B5D-48D7-A4EB-7E6874E26274", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID78071AB5-E729-414E-8D02-9C1D034F82E7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCC3F71E1-17F3-4C5B-997D-44CA56943197", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE67D5C78-B2D4-4BA0-8D69-1C7AF4BB08B5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFC5F3D7A-D321-412C-8A5D-9AD0C8041941", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6EC5CD16-81BC-4515-9EDD-9265C906F56E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID67CFB2C5-E491-4395-977B-CD45E4124655", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID73600569-52E6-4760-8BAB-B68202937D98", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB02EBD42-6885-401A-9389-E089F7DDC872", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBAE5CB8C-4075-4743-B2E4-78DA8D8CDC64", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID28B07B04-DA99-4FD3-BF27-4972F2B8142B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D53448F-D12B-4102-8CE2-697DAE8D6643", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE3266A47-A141-47B8-AAA8-5F16FB4F8CCD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB33AB7AF-76D7-4B1C-B709-5D6BF9E7B1C7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID153B7451-0BB5-4B37-95C0-44D89E2F1F2B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID3BBE8E21-0D3D-4BAA-AC6F-C7BCEF750849", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9B5B4F2D-A7D9-4329-B0FE-92B301A8CAAD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA5C42921-8CD0-4924-97C3-01B5B0610BC6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID06969252-F90F-4CF2-9074-33772EB64859", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFBF37655-1236-4C0D-96C5-F94E1724841B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC1A3F035-B68F-4B2B-9FD5-E36DAAAF26DD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID368F3685-543E-4812-9FDE-96E097E453FC", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID43969873-56AA-4113-84CB-4AB2AEB9AA31", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA205DD80-63D4-4E41-B785-26EC3D90B97B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID068D43E7-7551-4A2F-AE96-4A38A9AD1953", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF443E9CB-9EEC-456E-8AE7-F3102D5CD47D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE36A7B16-645D-4261-BFF8-3A7E69C5F7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID379805E3-E0E2-40DC-B51B-6DC1AE5802AA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF6240D69-A06D-44A1-8003-8496CCEF2C53", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID26C3113D-5A71-4F1B-A2CB-BE59E1279DDA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID92B97F2B-7565-4CE9-9AC7-0598DFD731F8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 13:42:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-27 13:44:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-27 20:44:34

Pre-Run: 155,754,291,200 bytes free
Post-Run: 155,503,435,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

349 --- E O F --- 2009-03-27 12:00:56
  • 0

#6
jess07
Posted 27 March 2009 - 02:53 PM

jess07

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
HijackThis log:

--------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:51 PM, on 3/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UpdateService\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] "C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.spoonyexperiment.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10638 bytes
  • 0

#7
kahdah
Posted 27 March 2009 - 05:17 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Open notepad and copy/paste the text in the codebox below into it:



http://www.geekstogo.com/forum/Google-Redirect-Virus-Help-Requested-t233445.html

Collect::
c:\windows\tlfe.cpv
Save this as CFScript.txt


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantined Files\Submit(Time and date here).zip

Click Here to upload the submit.zip please.
  • 0

#8
jess07
Posted 27 March 2009 - 07:41 PM

jess07

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thanks again for your help! ComboFix ran and the file was uploaded - here's the new log:

ComboFix 09-03-26.03 - Jess 2009-03-27 18:33:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1402 [GMT -7:00]
Running from: c:\documents and settings\Jess\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Jess\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090327-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\tlfe.cpv

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-27 00:31 . 2009-01-09 12:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-26 23:18 . 2009-03-26 23:18 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-03-26 22:56 . 2008-07-10 04:07 7,143 --a------ c:\windows\system32\nvide.nvu
2009-03-26 22:45 . 2009-03-26 22:45 <DIR> d-------- c:\program files\Realtek
2009-03-26 22:45 . 2008-12-25 17:32 3,721,664 --a------ c:\windows\system32\drivers\RtKHDMI.sys
2009-03-26 22:45 . 2008-09-19 17:48 1,200,128 --a------ c:\windows\RtkUpd.exe
2009-03-26 22:45 . 2007-11-14 15:18 553 --a------ c:\windows\USetup.iss
2009-03-26 22:44 . 2008-08-25 16:17 528,384 --a------ c:\windows\RtlExUpd.dll
2009-03-26 22:43 . 2009-03-26 22:52 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-26 22:43 . 2009-03-26 22:44 <DIR> d-------- C:\df5d269521e7178ee5353eedf50079b1
2009-03-26 22:23 . 2009-03-26 22:23 <DIR> d-------- C:\4d1e0cd4b1d198a0b35892d85f5e
2009-03-26 22:22 . 2009-03-26 22:22 <DIR> dr-h----- C:\AHCache
2009-03-26 22:22 . 2009-03-26 22:31 <DIR> d-------- C:\45aeb7847de6336e6dad757adda0
2009-03-26 22:21 . 2009-03-26 23:05 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2009-03-26 03:19 . 2008-08-20 18:35 453,152 --a------ c:\windows\system32\nvusmb.exe
2009-03-26 03:19 . 2008-04-13 17:12 23,552 --a------ c:\windows\system32\wdmaud.drv
2009-03-26 03:19 . 2008-04-13 17:12 23,552 --a--c--- c:\windows\system32\dllcache\wdmaud.drv
2009-03-26 03:18 . 2008-08-21 15:15 2,306 --a------ c:\windows\system32\nvsmb.nvu
2009-03-26 03:06 . 2009-03-26 03:06 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-03-26 03:06 . 2009-03-26 03:06 <DIR> d-------- c:\documents and settings\Jess\Application Data\SystemRequirementsLab
2009-03-26 02:58 . 2009-03-26 23:18 <DIR> d-------- c:\program files\Uniblue
2009-03-26 02:58 . 2009-03-26 23:18 <DIR> d-------- c:\documents and settings\Jess\Application Data\Uniblue
2009-03-26 02:58 . 2009-03-26 03:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-03-26 02:56 . 2009-03-26 02:58 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-03-26 02:43 . 2009-03-26 02:43 <DIR> d-------- c:\program files\Belarc
2009-03-26 02:43 . 2008-02-27 13:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys
2009-03-26 01:33 . 2009-03-26 01:33 <DIR> d-------- C:\Rogue Removal Kit
2009-03-25 17:45 . 2009-03-25 17:45 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-25 17:02 . 2009-03-25 17:03 <DIR> d-------- C:\Rooter$
2009-03-25 16:58 . 2009-03-25 16:58 <DIR> d-------- c:\program files\ERUNT
2009-03-25 15:44 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-25 15:43 . 2009-03-25 15:43 <DIR> d-------- c:\program files\Panda Security
2009-03-25 06:45 . 2009-03-25 06:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-25 06:32 . 2009-03-25 17:46 <DIR> d-------- c:\documents and settings\Administrator
2009-03-25 06:11 . 2009-03-25 06:11 <DIR> d-------- c:\documents and settings\Jess\.housecall6.6
2009-03-25 06:10 . 2009-03-25 07:23 664 --a------ c:\windows\system32\d3d9caps.dat
2009-03-25 05:49 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-03-25 05:38 . 2009-03-25 06:25 <DIR> d-------- c:\program files\a-squared Free
2009-03-25 05:24 . 2009-03-25 05:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-25 05:24 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-25 05:24 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-25 05:11 . 2009-03-25 05:12 <DIR> d-------- c:\program files\SpywareBlaster
2009-03-25 00:18 . 2009-03-25 00:18 <DIR> d-------- c:\program files\Micro Niche Finder
2009-03-25 00:18 . 2009-03-25 00:18 <DIR> d-------- c:\documents and settings\All Users\Micro Niche Finder Service
2009-03-25 00:18 . 2009-03-26 04:58 <DIR> d-------- c:\documents and settings\All Users\Micro Niche Finder
2009-03-25 00:18 . 2009-03-25 00:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Micro Niche Finder
2009-03-17 02:29 . 2009-03-17 02:30 <DIR> d-------- c:\program files\Incansoft
2009-03-16 15:32 . 2009-03-16 15:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 15:30 . 2009-03-16 15:31 <DIR> d-------- c:\program files\QuickTime
2009-03-15 01:08 . 2009-03-15 02:52 <DIR> d-------- c:\program files\Power Article Rewriter
2009-03-15 00:45 . 2009-03-15 00:45 <DIR> d-------- c:\program files\Clipboard Magic
2009-03-15 00:45 . 2009-03-15 00:46 <DIR> d-------- c:\documents and settings\Jess\Application Data\CyberMatrix
2009-03-05 21:02 . 2009-03-25 05:06 <DIR> d-------- c:\program files\pp
2009-03-05 15:00 . 2009-03-08 01:10 <DIR> d-------- c:\program files\AMI Article Writer
2009-03-05 14:46 . 2009-03-05 14:46 <DIR> d-------- c:\program files\G-Lock Software
2009-03-05 14:46 . 2009-03-05 14:46 <DIR> d-------- c:\documents and settings\Jess\Application Data\G-Lock Software
2009-03-03 22:37 . 2009-03-03 22:49 <DIR> d-------- c:\windows\BDOSCAN8
2009-02-28 00:27 . 2009-02-28 00:40 <DIR> d-------- c:\program files\GamerLog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 20:41 --------- d-----w c:\program files\Taskbar Shuffle
2009-03-27 06:32 --------- d-----w c:\documents and settings\Jess\Application Data\wsInspector
2009-03-27 06:27 1,847,808 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-27 06:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-27 06:11 --------- d-----w c:\documents and settings\Jess\Application Data\uTorrent
2009-03-27 05:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-26 00:45 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-26 00:26 --------- d-----w c:\program files\Java
2009-03-26 00:23 --------- d-----w c:\program files\Logitech
2009-03-26 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 12:15 --------- d-----w c:\program files\Common Files\Apple
2009-03-25 11:41 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-24 12:14 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-21 00:03 2,873 ----a-w c:\documents and settings\Jess\Application Data\SAS7_000.DAT
2009-03-16 22:32 --------- d-----w c:\program files\iTunes
2009-03-16 22:32 --------- d-----w c:\program files\iPod
2009-03-04 05:07 --------- d-----w c:\program files\Totem Tribe
2009-03-04 05:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 00:39 --------- d-----w c:\program files\AMD
2009-02-24 22:57 --------- d-----w c:\program files\Ubisoft
2009-02-23 07:20 --------- d-----w c:\program files\r2 Studios
2009-02-19 19:50 266,240 ----a-w c:\windows\system32\CSHelper.exe
2009-02-19 19:50 225,280 ----a-w c:\windows\system32\CSInstru.DLL
2009-02-11 12:11 6,326,761 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-02-11 08:22 53,248 ----a-w c:\documents and settings\Jess\lametritonus_en.dll
2009-02-11 08:22 162,304 ----a-w c:\documents and settings\Jess\lame_enc_en.dll
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-05 12:00 --------- d-----w c:\program files\MSXML 4.0
2009-02-04 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-02-04 09:02 --------- d-----w c:\documents and settings\Jess\Application Data\Nuance
2009-02-04 08:59 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2009-02-04 08:59 --------- d-----w c:\program files\Common Files\Nuance
2009-02-04 08:59 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-04 08:59 --------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft
2009-02-04 08:58 --------- d-----w c:\program files\Nuance
2009-02-04 08:58 --------- d-----w c:\documents and settings\All Users\Application Data\Nuance
2009-02-04 08:24 --------- d-----w c:\program files\PeerGuardian2
2009-01-31 09:04 --------- d-----w c:\program files\IObit
2009-01-31 09:04 --------- d-----w c:\documents and settings\Jess\Application Data\IObit
2009-01-29 23:49 --------- d-----w c:\documents and settings\Jess\Application Data\PlayFirst
2009-01-29 23:49 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-28 05:50 --------- d-----w c:\documents and settings\Jess\Application Data\Move Networks
2008-03-22 04:25 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-12-18 00:29 81,920 -c--a-w c:\documents and settings\Jess\Application Data\ezpinst.exe
2007-12-18 00:29 47,360 -c--a-w c:\documents and settings\Jess\Application Data\pcouffin.sys
2008-09-08 04:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UpdateService\ISUSPM.exe" [2005-02-16 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-25 148888]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]

c:\documents and settings\Jess\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-09 13:35 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= PCLEPIM1.dll
"aux7"= c:\windows\system32\..\tlfe.cpv

[HKLM\~\startupfolder\C:^Documents and Settings^Jess^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
backup=c:\windows\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
--a------ 2007-04-16 07:33 259624 c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
--a------ 2008-08-26 09:48 2019624 c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Diskeeper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Eraser"=c:\program files\Eraser\Eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\FireFly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-25 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-25 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-25 20560]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-02-19 266240]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [1998-05-05 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [1999-02-23 17700]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
S3 Nasopsmgr;Nasopsmgr; [x]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [2008-07-18 6400]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2007-08-01 11520]
S4 Ldaroxntdwi;Ldaroxntdwi; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-2052111302-725345543-1004.job
- c:\documents and settings\Jess\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-25 06:06]

2009-03-01 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-03-01 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-01-31 02:04]

2009-03-21 c:\windows\Tasks\Weekly Backup.job
- c:\program files\Future Systems Solutions\Casper 4.0\CASPER.EXE [2007-10-09 22:24]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.msn.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: spoonyexperiment.com\www
FF - ProfilePath - c:\documents and settings\Jess\Application Data\Mozilla\Firefox\Profiles\x0vzmvd8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\documents and settings\Jess\Application Data\Mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - plugin: c:\documents and settings\Jess\Application Data\Mozilla\Firefox\Profiles\x0vzmvd8.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Jess\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCE08D86A-A41A-410A-943C-13BABB7DC474", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9EDC9ED-603A-4F3F-BBEA-59C8853A3236", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID90D10942-D952-4863-9DD6-A2BDBBAD456E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0ECEE744-7B69-4912-AB91-AE76D61ECB04", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF25635B2-1AB9-47B5-88D1-8877B22C86DE", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID27B7F812-4159-45B9-A389-B7A118A58DE4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF849DF29-393B-4F8B-99D1-117A70D66FC7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBF1E9C3D-637C-4171-BD12-28A7360B879A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDDE1C0601-7947-4D7F-A6E5-E68BF6BA1E37", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EA0DCCE-4D98-4876-9C6A-E5C563D0820A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID446462BA-2AAD-4C88-BC63-5210E2F31465", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0862E368-A40E-4E55-83EB-FBC5571BABA4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDD2A96E3C-FFB3-4D38-9AC3-B127527BEA35", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4B05B39A-9DDC-4650-A7F8-D5B134E5FFE5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC8E2574A-7BCE-4B93-A22E-61831DFD6DB8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID659796C0-8B5D-48D7-A4EB-7E6874E26274", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID78071AB5-E729-414E-8D02-9C1D034F82E7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCC3F71E1-17F3-4C5B-997D-44CA56943197", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE67D5C78-B2D4-4BA0-8D69-1C7AF4BB08B5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFC5F3D7A-D321-412C-8A5D-9AD0C8041941", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6EC5CD16-81BC-4515-9EDD-9265C906F56E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID67CFB2C5-E491-4395-977B-CD45E4124655", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID73600569-52E6-4760-8BAB-B68202937D98", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB02EBD42-6885-401A-9389-E089F7DDC872", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBAE5CB8C-4075-4743-B2E4-78DA8D8CDC64", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID28B07B04-DA99-4FD3-BF27-4972F2B8142B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D53448F-D12B-4102-8CE2-697DAE8D6643", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE3266A47-A141-47B8-AAA8-5F16FB4F8CCD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB33AB7AF-76D7-4B1C-B709-5D6BF9E7B1C7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID153B7451-0BB5-4B37-95C0-44D89E2F1F2B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID3BBE8E21-0D3D-4BAA-AC6F-C7BCEF750849", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9B5B4F2D-A7D9-4329-B0FE-92B301A8CAAD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA5C42921-8CD0-4924-97C3-01B5B0610BC6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID06969252-F90F-4CF2-9074-33772EB64859", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFBF37655-1236-4C0D-96C5-F94E1724841B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC1A3F035-B68F-4B2B-9FD5-E36DAAAF26DD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID368F3685-543E-4812-9FDE-96E097E453FC", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID43969873-56AA-4113-84CB-4AB2AEB9AA31", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA205DD80-63D4-4E41-B785-26EC3D90B97B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID068D43E7-7551-4A2F-AE96-4A38A9AD1953", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF443E9CB-9EEC-456E-8AE7-F3102D5CD47D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE36A7B16-645D-4261-BFF8-3A7E69C5F7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID379805E3-E0E2-40DC-B51B-6DC1AE5802AA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF6240D69-A06D-44A1-8003-8496CCEF2C53", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID26C3113D-5A71-4F1B-A2CB-BE59E1279DDA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID92B97F2B-7565-4CE9-9AC7-0598DFD731F8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 18:35:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-27 18:36:25
ComboFix-quarantined-files.txt 2009-03-28 01:36:23
ComboFix2.txt 2009-03-27 20:44:39

Pre-Run: 155,485,126,656 bytes free
Post-Run: 155,463,389,184 bytes free

325 --- E O F --- 2009-03-27 12:00:56
  • 0

#9
kahdah
Posted 28 March 2009 - 05:48 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Any more redirects?
  • 0

#10
jess07
Posted 28 March 2009 - 04:04 PM

jess07

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I think we're in the clear! No Google redirects thus far, and I was able to visit the Bleeping Computer website (previously that would *always* crash my browser) and I ran an update on MalwareBytes, which would instantly close down the program before. Fantastic work, Kahdah! :-D
  • 0

#11
kahdah
Posted 28 March 2009 - 05:11 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome.

Go ahead and run Malwarebytes and remove all that it finds.
Then post the log here and we will wrap it up.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP