
Malware or spyware problem still present? [Solved]


  • This topic is locked

#16 fenzodahl512 (Malware Removal, 9,863 posts)
Let's do this first..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
C:\Windows\system32\drivers\ovfsthdjbiqmhlvvhopwxwrkwwpdsmhvknqlrv.sys

Driver::
ovfsthtsrtuiqaqpmupfxvkbmlruubofylvvrn

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet003\Services\ovfsthtsrtuiqaqpmupfxvkbmlruubofylvvrn]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#17 bubblleboi (Topic Starter, Member, 83 posts)
Here is ComboFix's log. By the way, I forgot to turn off the Windows Firewall for this ComboFix run, so I do not know if it has affected the results that are to be expected.

ComboFix 09-04-19.05 - Christian 04/19/2009 9:24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.663 [GMT -7:00]
Running from: c:\documents and settings\Christian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Christian\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsthdjbiqmhlvvhopwxwrkwwpdsmhvknqlrv.sys

.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-17 13:42 . 2009-04-17 13:42 118 ----a-w c:\windows\system32\MRT.INI
2009-04-17 04:23 . 2009-04-17 04:23 -------- d-----w C:\_OTMoveIt
2009-04-16 23:34 . 2008-04-14 00:12 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-16 23:25 . 2009-04-16 23:25 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-04-16 23:23 . 2009-04-19 16:32 186097 ----a-w c:\windows\system32\nvapps.xml
2009-04-16 23:23 . 2008-05-16 21:01 446464 ----a-w c:\windows\system32\nvudisp.exe
2009-04-16 23:23 . 2008-05-16 21:01 18070 ----a-w c:\windows\system32\nvdisp.nvu
2009-04-16 23:23 . 2008-05-16 18:48 446464 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-16 23:23 . 2009-04-16 23:23 -------- d-----w C:\NVIDIA
2009-04-16 23:15 . 2009-04-16 23:20 -------- d-----w c:\documents and settings\Christian\Application Data\SystemRequirementsLab
2009-04-16 23:00 . 2009-04-16 23:00 -------- d-----w C:\rsit
2009-04-15 21:36 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 21:36 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 21:36 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 21:36 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 21:36 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 21:36 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 21:36 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 21:35 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 21:35 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 21:35 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 05:40 . 2009-04-12 05:40 -------- d-----w c:\documents and settings\Christian\Application Data\Moyea
2009-04-09 23:15 . 2009-04-14 03:34 138376 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-09 23:15 . 2009-04-14 03:34 202448 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-09 23:15 . 2009-04-09 23:15 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-09 23:15 . 2009-04-09 23:15 -------- d-----w c:\windows\system32\LogFiles
2009-04-09 23:10 . 2009-04-09 23:11 -------- d-----w c:\documents and settings\Christian\Application Data\Xfire
2009-04-09 22:54 . 2009-04-09 22:54 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 06:49 . 2003-09-16 17:45 77312 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 01:47 . 2008-09-25 00:29 -------- d-----w c:\program files\Warcraft III
2009-04-17 04:17 . 2008-09-26 05:19 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-17 04:11 . 2009-01-18 05:51 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-17 04:10 . 2009-01-18 05:51 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 23:52 . 2009-04-16 23:52 -------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-04-16 23:52 . 2009-04-16 23:52 -------- d-----w c:\program files\DVDVideoSoft
2009-04-16 23:18 . 2009-04-16 23:15 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-16 00:42 . 2009-01-10 04:35 3631 ----a-w C:\rapport.txt
2009-04-14 03:42 . 2008-09-25 00:50 -------- d-----w c:\program files\Call of Duty Game of the Year Edition
2009-04-13 01:47 . 2008-09-25 01:25 -------- d-----w c:\program files\Steam
2009-04-12 06:11 . 2009-01-10 05:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 06:09 . 2008-09-24 23:13 -------- d-----w c:\program files\BITTORNADO STUFF
2009-04-09 23:10 . 2009-04-09 23:10 -------- d-s---w c:\program files\Xfire
2009-04-09 22:54 . 2009-04-09 22:54 -------- d-----w c:\program files\iTunes
2009-04-09 22:54 . 2009-04-09 22:54 -------- d-----w c:\program files\iPod
2009-04-09 22:54 . 2008-09-24 03:25 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 22:32 . 2009-01-10 05:16 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-01-10 05:16 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 01:43 . 2008-10-12 21:10 563 ----a-w C:\hpfr5550.xml
2009-03-31 01:43 . 2008-10-12 21:10 19181 ----a-w C:\hph7350.log
2009-03-21 08:41 . 2009-03-17 02:02 -------- d-----w c:\program files\Guild Wars
2009-03-20 05:29 . 2009-03-20 05:29 -------- d-----w c:\program files\Music Rescue
2009-03-20 03:18 . 2008-09-25 00:33 77856 ----a-w c:\windows\War3Unin.dat
2009-03-19 23:32 . 2008-09-24 03:27 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-12 04:41 . 2009-03-12 04:41 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 04:40 . 2009-03-12 04:40 -------- d-----w c:\program files\Bonjour
2009-03-12 04:39 . 2003-09-16 21:01 -------- d-----w c:\program files\QuickTime
2009-03-06 14:22 . 2003-09-16 17:29 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-01 23:00 . 2009-03-01 23:00 -------- d-----w c:\documents and settings\Linda\Application Data\Template
2009-02-20 08:10 . 2006-06-23 18:33 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2003-09-16 17:29 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-09-16 17:29 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-09-16 17:29 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-09-16 17:29 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2003-09-16 17:29 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2002-08-29 01:04 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-09-16 17:29 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2002-08-29 01:04 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2003-09-16 17:29 56832 ----a-w c:\windows\system32\secur32.dll
2003-09-16 20:04 . 2008-10-24 17:53 136 ----a-w c:\documents and settings\Linda\Local Settings\Application Data\fusioncache.dat
2003-09-16 20:04 . 2008-09-27 01:41 136 ----a-w c:\documents and settings\That girl\Local Settings\Application Data\fusioncache.dat
2003-09-16 20:04 . 2008-09-22 01:24 136 ----a-w c:\documents and settings\Christian\Local Settings\Application Data\fusioncache.dat
2003-09-16 20:04 . 2003-09-16 20:04 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2003-09-16 17:45 . 2008-10-24 17:53 12328 ----a-w c:\documents and settings\Linda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2003-09-16 17:45 . 2008-09-27 01:41 12328 ----a-w c:\documents and settings\That girl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2003-09-16 17:45 . 2008-09-22 01:24 12328 ----a-w c:\documents and settings\Christian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-19_06.18.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-19 16:28 . 2009-04-19 16:28 16384 c:\windows\temp\Perflib_Perfdata_6c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-03 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 335872]
"sHotKey"="c:\program files\SONY\sHotKey\sHotKey.exe" [2003-08-22 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-06 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\cthelper.exe [2003-07-03 28672]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"SetDefaultMidi"="MIDIDEF.EXE" - c:\windows\mididef.exe [2003-07-03 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Internet Security.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Norton Internet Security.lnk
backup=c:\windows\pss\Norton Internet Security.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Steam\\steamapps\\bubblleboi\\team fortress classic\\hl.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 mrtRate;mrtRate; [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S0 SonyLSM;LED State Service;c:\windows\System32\Drivers\SonyLSM.sys [2003-07-24 4736]

.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-19 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 19:50]

2009-04-19 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 19:50]

2009-04-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-09-22 16:04]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: xfire_lsp_10650.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Christian\Application Data\Mozilla\Firefox\Profiles\qpo1c292.default\
FF - prefs.js: browser.startup.homepage - hxxp://wheycheap.com/
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 09:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\xfire_lsp_10650.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehsched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\windows\eHome\ehrec.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-19 9:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-19 16:35
ComboFix2.txt 2009-04-19 06:19
ComboFix3.txt 2009-01-16 23:54

Pre-Run: 37,055,533,056 bytes free
Post-Run: 37,038,161,920 bytes free

216 --- E O F --- 2009-04-17 13:42

Edited by bubblleboi, 19 April 2009 - 12:48 PM.


#18 bubblleboi (Topic Starter, Member, 83 posts)
Here is the log file for HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:15, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 9155 bytes

#19 bubblleboi (Topic Starter, Member, 83 posts)
In addition, when I Google search something and click on a link, for some reason Mozilla does not take me to the actual website; I'm directed to something like bullz eye or something. In other words, Firefox isn't taking me to the actual site that I click on when I Google search something. Is this a problem on my computer, or is it with Firefox?

For example, I Google searched Selix (a formal wear company), clicked on the first link, and was taken to this site:

http://www.travelsko...2F-4A6827C1BE2D
which has nothing to do with clothes.

Then I clicked the back arrow and was taken to the same site again.

Then I clicked the back arrow again and was finally taken to the Selix formal wear website.

It's not just skoot that Google takes me to; in general, it just directs me to websites other than the actual site, and I need to click back and re-click the same link, and back and re-click the same link, just to get to the actual link.

#20 bubblleboi (Topic Starter, Member, 83 posts)
Also, when I tried to run Firefox again after I closed the browser from my last reply, my computer said that Firefox was already running and that I must first close the existing Firefox or restart my system. However, there were no programs open at all. Does this mean that someone was using Firefox through my computer?

An update on the Google malfunction: I searched for this website in Google, and the search took me to eBay.

#21 fenzodahl512 (Malware Removal, 9,863 posts)

When I tried to run Firefox again after I closed the browser from my last reply, my computer said that Firefox was already running and that I must first close the existing Firefox or restart my system

If you close all Firefox windows and suddenly open a new one very quickly, that's normal.. that's a Firefox bug.. If you close all Firefox windows and want to open a new one, just wait like 3-4 seconds..


Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

#22 bubblleboi (Topic Starter, Member, 83 posts)
Here is the Goored log:

GooredFix v1.92 by jpshortstuff
Log created at 20:13 on 19/04/2009 running Option #1 (Christian)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{DDFE6B20-49EA-410E-8BF2-DD59E24F5176}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


Is this to help fix this problem??


#23 fenzodahl512 (Malware Removal, 9,863 posts)
Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


Reboot your computer.. Do you still get the re-directing problem? :)

#24 bubblleboi (Topic Starter, Member, 83 posts)

Make sure all instances of Firefox are closed at this point

OK well, when you said that^ I closed Firefox and cleared all private data (from the automatic clear option that I set in Firefox).

Then I pressed Ctrl + Alt + Del and made sure that the Firefox process was not present. (I'm assuming that this form of Firefox was still an instance of Firefox.)

Then I ran Goored and selected option 2. Here is the log that popped up:

GooredFix v1.92 by jpshortstuff
Log created at 07:26 on 20/04/2009 running Option #2 (Christian)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{DDFE6B20-49EA-410E-8BF2-DD59E24F5176}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

So far I have not had a problem with being redirected.

And is my malware/trojan/whatever-is-bad-stuff-for-my-computer problem fixed? Like, no one is watching my keystrokes anymore?

Edited by bubblleboi, 20 April 2009 - 08:31 AM.


#25 fenzodahl512 (Malware Removal, 9,863 posts)
Looks good.. How's the computer now?.. Still getting the redirect issues?.. Let's do an online scan to make sure we didn't miss any..

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



#26 bubblleboi (Topic Starter, Member, 83 posts)
It said it found 5 threats!

Here is the log file from ESET:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4023 (20090420)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5d47e78897d91946a417b3172a66b292
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-20 11:43:01
# local_time=2009-04-20 04:43:01 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=319022
# found=5
# scan_time=2566
C:\Documents and Settings\Christian\Desktop\ArmyMenRTS-dm.exe Win32/Adware.Trymedia application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthiexmpffjptagjmhbowaoccrvoefspoii.dll.vir Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthkueqbinrowxqagaxtvjexgesdkgkewxp.dll.vir Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthuvensqirevdklpwlxylldwveyrjxdvxu.dll.vir Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthdjbiqmhlvvhopwxwrkwwpdsmhvknqlrv.sys.vir Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
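As an added example (not code from this thread or from ComboFix, HijackThis, GooredFix or ESET), a small Python triage pass over lines copied from the CFScript, HijackThis, GooredFix and ESET logs above; it flags the random-named rootkit files and service key, the Winsock LSP and orphaned BHO entries, the suspect Firefox extension folder, and ESET hits that are already sitting in ComboFix's quarantine. The name-length threshold, the finding categories and the sample set are assumptions.

```python
"""Triage heuristics for the log formats posted in this thread: ComboFix
CFScript lines, HijackThis, GooredFix and ESET Online Scanner.

Added example, not part of the thread or of any of those tools.  The sample
lines are copied from the logs posted above; the name-length threshold and
the finding categories are assumptions chosen for illustration.  Every hit
is a lead for a human to review, not a verdict: the Winsock LSP flagged here
belongs to Xfire, and the flagged BHO is only an orphaned AVG entry.
"""
import re
from collections import Counter

# The rootkit files in this thread are a fixed prefix plus a long run of
# random lowercase letters.  Legitimate Windows binaries are shorter or
# mixed-case, so a 28+ letter all-lowercase run is a cheap, high-signal test.
RANDOM_NAME = re.compile(r"\b[a-z]{28,}\b")
# ESET Online Scanner result line: <path> <family> <kind> (<action>) <hash>
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<threat>\S+/\S+ \S+) \((?P<action>[^)]*)\) "
    r"[0-9a-f]{32}$"
)
# ComboFix parks what it removed under C:\Qoobox\Quarantine; ESET hits there
# are already neutralised, which is why the helper says not to worry about them.
COMBOFIX_QUARANTINE = r"c:\qoobox\quarantine"


def triage(lines):
    """Return de-duplicated (category, detail) findings for a list of log lines."""
    findings = []
    section = None  # current GooredFix section, if any
    for raw in lines:
        s = raw.strip()
        if not s:
            continue
        if s.startswith("=====") and s.endswith("====="):
            section = s.strip("=")
            continue
        for name in RANDOM_NAME.findall(s):
            findings.append(("random-name", name))
        if section == "Suspect Goored Entries":
            findings.append(("goored-extension", s))
        if s.startswith("O10 - Unknown file in Winsock LSP:"):
            findings.append(("winsock-lsp", s.split(":", 1)[1].strip()))
        if s.startswith("O2 - BHO:") and "(file missing)" in s:
            findings.append(("orphan-bho", s.split(" - ")[1][len("BHO: "):]))
        m = ESET_LINE.match(s)
        if m:
            in_quarantine = m["path"].lower().startswith(COMBOFIX_QUARANTINE)
            cat = "eset-already-quarantined" if in_quarantine else "eset-live"
            findings.append((cat, m["threat"]))
    # HijackThis repeats the same O10 line once per LSP layer; keep one copy.
    return list(dict.fromkeys(findings))


def shared_prefix(names):
    """Longest common prefix of the random-looking names ('' if under 4 chars)."""
    names = sorted(set(names))
    if len(names) < 2:
        return ""
    first, last = names[0], names[-1]
    n = 0
    while n < min(len(first), len(last)) and first[n] == last[n]:
        n += 1
    return first[:n] if n >= 4 else ""


def summarize(findings):
    """Per-category counts plus the prefix shared by all random-looking names.

    A shared prefix ties the driver, its service key and the quarantined DLLs
    together as one family, which is what the ESET log later confirmed."""
    counts = Counter(cat for cat, _ in findings)
    prefix = shared_prefix([d for cat, d in findings if cat == "random-name"])
    return counts, prefix


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Rootkit::
C:\Windows\system32\drivers\ovfsthdjbiqmhlvvhopwxwrkwwpdsmhvknqlrv.sys
Driver::
ovfsthtsrtuiqaqpmupfxvkbmlruubofylvvrn
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet003\Services\ovfsthtsrtuiqaqpmupfxvkbmlruubofylvvrn]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
=====Suspect Goored Entries=====
C:\Program Files\Mozilla Firefox\extensions\{DDFE6B20-49EA-410E-8BF2-DD59E24F5176}
=====Dumping Registry Values=====
C:\Documents and Settings\Christian\Desktop\ArmyMenRTS-dm.exe Win32/Adware.Trymedia application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthiexmpffjptagjmhbowaoccrvoefspoii.dll.vir Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
""".splitlines()

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for cat, detail in found:
        print(f"{cat:25} {detail}")
    counts, prefix = summarize(found)
    print(dict(counts), "shared prefix:", prefix or "(none)")
```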

#27 fenzodahl512 (Malware Removal, 9,863 posts)
Don't worry about them.. It's all taken care of..


Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware



Read these links about safe internet surfing..

http://www.pcpitstop...safesurfing.asp
http://bluefive.pair...afe_surfing.htm



Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

#28 bubblleboi (Topic Starter, Member, 83 posts)
Everything seems great! Thank you very much fenzodahl512