Virus problem

This is a discussion on Virus problem within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hi, Two days ago I accidentally clicked on an ad banner while browsing, which instantly caused several pop ups and


 
 
Thread Tools Search this Thread
Old 12-15-2009, 03:14 PM   #1
Registered Member
 
Join Date: Jul 2008
Posts: 11
OS: Win XP



Hi,

Two days ago I accidentally clicked on an ad banner while browsing, which instantly caused several pop ups and my computer to crash. Since restarting, my system has been experiencing significant slowdown and frequent lockups. Also, I'm occasionally redirected to junk sites when clicking on search links provided by Google.

I've scanned with AVG, Spybot SD, and Malwarebytes to no avail. I've successfully run DDS and GMER as described in the instructions thread, but I had to run GMER in safe mode as it would crash during the scan in normal mode.

I'm currently running Windows XP Home SP2.

Any help is appreciated, thanks.

DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Kevin Jones at 9:58:33.73 on Tue 12/15/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1254 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Kevin Jones\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Kevin Jones\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1080102
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
uRun: [Octoshape Streaming Services] "c:\documents and settings\kevin jones\local settings\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: teamliquid.net\www
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - hxxp://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF}
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: {AAFB2DF8-F7A6-443E-B8A3-CB24BCA42E7A} = 207.69.188.186,207.69.188.187
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 67.228.171.232 teamliquid.net
Hosts: 67.228.171.232 www.teamliquid.net

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevinj~1\applic~1\mozilla\firefox\profiles\6tvf6qld.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\kevin jones\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\kevin jones\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0808270_sua_900\npoctoshape.dll
FF - plugin: c:\documents and settings\kevin jones\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0810164_sua_000\npoctoshape.dll
FF - plugin: c:\documents and settings\kevin jones\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0905250_sua_000\npoctoshape.dll
FF - plugin: c:\documents and settings\kevin jones\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0907083_sua_000\npoctoshape.dll
FF - plugin: c:\documents and settings\kevin jones\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0907280_sua_000\npoctoshape.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13128.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-6 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-26 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-6 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-30 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-2 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-3 24652]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\NPF.sys [?]

=============== Created Last 30 ================

2009-12-15 13:41:11 0 d-----w- c:\program files\CCleaner
2009-12-14 23:45:11 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-14 23:45:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-14 03:45:48 23 ----a-w- c:\windows\BlendSettings.ini
2009-12-12 18:07:26 0 d-----w- c:\program files\Bethesda Softworks
2009-12-12 01:03:27 0 d-----w- c:\program files\SystemRequirementsLab
2009-12-04 22:24:31 0 ---ha-w- c:\windows\SwSys2.bmp
2009-12-04 22:24:31 0 ---ha-w- c:\windows\SwSys1.bmp
2009-12-04 22:24:25 0 d-----w- c:\program files\AMB Software
2009-11-20 23:58:54 0 d-----w- c:\program files\Kerigwa
2009-11-20 23:58:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Viper

==================== Find3M ====================

2009-12-09 20:38:10 4322 ----a-w- c:\docume~1\kevinj~1\applic~1\wklnhst.dat
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00:55 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 14:58:48 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:53:29 266752 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 69632 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54:17 112128 ------w- c:\windows\system32\dllcache\rastls.dll

============= FINISH: 9:59:41.87 ===============
Attached Files
File Type: zip Attach.zip (7.7 KB, 13 views)

__________________
Anonymity is offline  
Old 12-16-2009, 06:07 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,498
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click Advanced mode if not already selected.
  • Choose Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click Resident.
  • Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
  • If TeaTimer gives you a warning that changes were made, click the Allow Change box when prompted.
  • In the File menu click Exit to exit Spybot Search & Destroy.
------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Download ComboFix from here and save it to your desktop.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

------------------------------------------------------
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Get help here
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-16-2009, 09:34 PM   #3
Registered Member
 
Join Date: Jul 2008
Posts: 11
OS: Win XP



Thanks for your help. The scan ran successfully. Here is the log:

ComboFix 09-12-16.05 - Kevin Jones 12/16/2009 23:09:27.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1581 [GMT -5:00]
Running from: c:\documents and settings\Kevin Jones\Desktop\KittyFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\SIntf16.dll

.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-11-17 to 2009-12-17 )))))))))))))))))))))))))))))))
.

2009-12-17 03:29 . 2009-12-17 03:29 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-17 03:28 . 2009-12-17 03:28 -------- d-----w- c:\program files\Bonjour
2009-12-15 14:19 . 2009-12-17 03:27 -------- d--h--w- c:\documents and settings\Kevin Jones\Recent(2)
2009-12-15 13:31 . 2009-12-16 20:42 0 ----a-w- c:\documents and settings\Kevin Jones\Local Settings\Application Data\prvlcl.dat
2009-12-14 23:45 . 2009-12-17 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-14 23:45 . 2009-12-17 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-14 21:43 . 2009-12-14 21:43 -------- d-----w- c:\documents and settings\HelpAssistant\Worms Armageddon
2009-12-14 21:43 . 2009-12-14 21:43 -------- d-----w- c:\documents and settings\HelpAssistant\workspace
2009-12-14 21:42 . 2009-12-14 21:42 -------- d-----w- c:\documents and settings\HelpAssistant\PCSX2-0.9.4
2009-12-14 21:42 . 2009-12-14 21:42 -------- d-----w- c:\documents and settings\HelpAssistant\Oracle Jar Cache
2009-12-14 17:24 . 2009-12-17 00:07 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2009-12-14 17:24 . 2009-12-14 17:24 -------- d-----w- c:\documents and settings\HelpAssistant\.netbeans-registration
2009-12-14 17:24 . 2009-12-14 17:24 -------- d-----w- c:\documents and settings\HelpAssistant\.netbeans-derby
2009-12-14 17:24 . 2009-12-14 17:24 -------- d-----w- c:\documents and settings\HelpAssistant\.netbeans
2009-12-14 17:24 . 2009-12-14 17:24 -------- d-----w- c:\documents and settings\HelpAssistant\.nbprofiler
2009-12-14 17:24 . 2009-12-17 00:07 -------- d-----w- c:\documents and settings\HelpAssistant\.nbi
2009-12-14 17:23 . 2009-12-17 03:26 -------- d-s---w- c:\documents and settings\HelpAssistant
2009-12-12 18:07 . 2009-12-12 18:07 -------- d-----w- c:\program files\Bethesda Softworks
2009-12-12 18:06 . 2009-12-12 18:14 -------- d-----w- c:\documents and settings\Kevin Jones\Local Settings\Application Data\Oblivion
2009-12-12 01:03 . 2009-12-12 01:03 -------- d-----w- c:\program files\SystemRequirementsLab
2009-12-04 22:24 . 2009-12-04 22:24 -------- d-----w- c:\program files\AMB Software
2009-11-20 23:58 . 2009-11-21 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Viper
2009-11-20 23:58 . 2009-11-20 23:58 -------- d-----w- c:\program files\Kerigwa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-17 03:28 . 2008-12-28 19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-17 03:27 . 2008-01-02 15:58 -------- d-----w- c:\program files\Dell
2009-12-16 21:08 . 2009-12-16 21:08 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-16 18:18 . 2008-06-19 22:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-16 17:07 . 2008-01-02 15:45 -------- d-----w- c:\program files\Java
2009-12-15 13:40 . 2008-01-22 04:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-15 00:28 . 2008-12-28 18:11 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\HPAppData
2009-12-13 14:24 . 2009-12-16 22:57 759064 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-12-13 14:24 . 2009-12-16 22:57 1478936 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-12-13 14:24 . 2009-12-16 22:57 1143064 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-12-12 18:07 . 2008-01-02 15:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-12 01:03 . 2009-12-12 01:03 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-12-12 01:03 . 2009-12-12 01:03 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-12-12 01:03 . 2009-12-12 01:03 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-12-12 01:03 . 2009-12-12 01:03 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-12-12 01:03 . 2009-10-07 16:28 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab
2009-12-09 20:38 . 2008-03-20 17:56 4322 ----a-w- c:\documents and settings\Kevin Jones\Application Data\wklnhst.dat
2009-12-05 23:22 . 2008-12-31 21:10 -------- d-----w- c:\program files\Worms Armageddon
2009-12-05 06:59 . 2009-01-09 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-05 06:58 . 2008-01-02 16:00 -------- d-----w- c:\program files\Microsoft Works
2009-12-03 21:14 . 2008-12-28 19:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2008-12-28 19:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 00:24 . 2009-11-12 00:15 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\PLT Scheme
2009-11-18 19:42 . 2009-11-12 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLiveVA
2009-11-18 19:42 . 2009-11-12 04:54 -------- d-----w- c:\program files\PPLiveVA
2009-11-17 01:14 . 2008-01-03 22:09 -------- d-----w- c:\program files\Steam
2009-11-12 04:54 . 2009-11-12 04:54 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\PPLiveVA
2009-11-12 00:15 . 2009-11-12 00:13 -------- d-----w- c:\program files\PLT
2009-11-04 17:27 . 2009-11-04 16:28 -------- d-----w- c:\program files\Igneous
2009-11-04 02:59 . 2009-11-04 02:46 -------- d-----w- c:\program files\osu!
2009-10-29 12:53 . 2009-10-28 00:50 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\Winamp
2009-10-29 07:46 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 17:50 17408 ------w- c:\windows\system32\corpol.dll
2009-10-29 01:16 . 2008-01-26 06:02 -------- d-----w- c:\program files\DivX
2009-10-29 01:16 . 2009-10-29 01:16 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-28 18:18 . 2008-01-16 04:07 -------- d-----w- c:\program files\Starcraft
2009-10-28 00:50 . 2009-07-28 15:30 -------- d-----w- c:\program files\Winamp
2009-10-26 14:30 . 2009-10-26 14:30 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-24 22:07 . 2008-01-16 22:55 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\Apple Computer
2009-10-21 18:32 . 2009-10-21 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-21 18:32 . 2009-10-21 18:31 -------- d-----w- c:\program files\iTunes
2009-10-21 18:31 . 2009-10-21 18:31 -------- d-----w- c:\program files\iPod
2009-10-21 18:31 . 2008-01-16 22:53 -------- d-----w- c:\program files\Common Files\Apple
2009-10-21 18:31 . 2009-10-21 18:30 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:27 . 2009-10-21 18:27 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-21 06:00 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 04:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-10 17:51 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-10 17:51 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-10 17:51 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-07 16:28 . 2009-10-07 16:28 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_d.dll
2009-10-07 16:28 . 2009-10-07 16:28 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_c.dll
2009-10-07 16:28 . 2009-10-07 16:28 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_b.dll
2009-10-07 16:28 . 2009-10-07 16:28 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_a.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Octoshape Streaming Services"="c:\documents and settings\Kevin Jones\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2008-05-22 156944]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-26 2029336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 18:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Jones^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Kevin Jones\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Jones^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Kevin Jones\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Jones^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Kevin Jones\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 16:02 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-09-25 14:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 12:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-26 02:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-03-13 14:34 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 16:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 16:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mount.exe]
2008-04-11 21:17 374272 ----a-w- c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-01-09 20:25 16859648 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix]
2008-11-06 05:58 964661 ----a-w- c:\sdfix\RunThis.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-24 15:56 1217808 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-27 08:26 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 14:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\thechaosentity\\day of defeat source\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Kevin Jones\\Desktop\\Neverwinter Nights\\NWN\\nwmain.exe"=
"c:\\Program Files\\Diablo\\Diablo.exe"=
"c:\\Program Files\\DAUM\\PotPlayer\\daumvsvr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microprose\\Risk II\\RiskII.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Kevin Jones\\Local Settings\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Steam\\steamapps\\thechaosentity\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\thechaosentity\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\MicroProse\\Worms2\\frontend.exe"=
"c:\\Program Files\\Worms Armageddon\\WA.exe"=
"c:\\Program Files\\DAUM\\PotPlayer\\PotPlayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_12\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_12\\jre\\bin\\java.exe"=
"c:\\Program Files\\Pocket Tanks\\pockettanks.exe"=
"c:\\Documents and Settings\\Kevin Jones\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Steam\\steamapps\\thechaosentity\\source sdk base\\hl2.exe"=
"c:\\Documents and Settings\\Kevin Jones\\Desktop\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"7662:TCP"= 7662:TCP:Services

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/6/2008 12:11 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/6/2008 12:11 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/30/2008 9:48 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 10:04 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/3/2008 5:13 PM 24652]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/28/2008 2:20 PM 38224]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/3/2008 4:38 PM 716272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
Trusted Zone: teamliquid.net\www
TCP: {AAFB2DF8-F7A6-443E-B8A3-CB24BCA42E7A} = 207.69.188.186,207.69.188.187
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - hxxp://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF}
FF - ProfilePath - c:\documents and settings\Kevin Jones\Application Data\Mozilla\Firefox\Profiles\6tvf6qld.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Kevin Jones\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Kevin Jones\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0907280_SUA_000\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13128.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PPAP - c:\documents and settings\All Users\Application Data\PPLiveVA\Application\PPAP.exe
HKLM-Run-vinclock - c:\documents and settings\Kevin Jones\Application Data\Google\ocboo1892823.exe
MSConfigStartUp-AdVantage - c:\program files\AdVantage\AdVantage.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-MSFox - c:\docume~1\KEVINJ~1\LOCALS~1\Temp\xxx9010.exe
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
AddRemove-AdVantage_DAEM - c:\program files\AdVantage\AdVUninst.exe
AddRemove-Pcsx2_is1 - c:\documents and settings\Kevin Jones\Desktop\Emulators\Pcsx2_0.9.4\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-16 23:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3010388805-2687894967-1571399471-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A5E6FC96-84E5-EDD8-B674-40A049AF32E5}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-16 23:24:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-17 04:24

Pre-Run: 137,393,168,384 bytes free
Post-Run: 137,489,092,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 023226C8B4D1467AEE09B47B7CD934CC
__________________
Anonymity is offline  
Old 12-17-2009, 06:17 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,498
OS: XP SP3; Win7 32/64-bit



Hello Anonymity. Please tell us how your system is behaving. Have the redirects stopped?

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

I see you have P2P software ( LimeWire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
Folder::
c:\sdfix

DDS::
uInternet Connection Wizard,ShellNext = iexplore

RegNull::
[HKEY_USERS\S-1-5-21-3010388805-2687894967-1571399471-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A5E6FC96-84E5-EDD8-B674-40A049AF32E5}*]

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix]

SkipFix::
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 7


These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

In fact, you should be able to update your current Java, Java(TM) 6 Update 15, by going to Control Panel (Classic View) and double-clicking on the Java icon (looks like a coffee cup). Click on the Update tab. On the lower right, click on Update Now. An update should begin. Allow the install of the new Java.

------------------------------------------------------

Please run this online scan to help look for remnants.

Ensure your external and/or USB drives are inserted during the scan.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
Kaspersky report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-17-2009, 02:46 PM   #5
Registered Member
 
Join Date: Jul 2008
Posts: 11
OS: Win XP



Hi,

My system seems to be acting normally again, thanks. Here are the requested logs:

ComboFix:

ComboFix 09-12-16.05 - Kevin Jones 12/17/2009 10:57:45.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1492 [GMT -5:00]
Running from: c:\documents and settings\Kevin Jones\Desktop\KittyFix.exe
Command switches used :: c:\documents and settings\Kevin Jones\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\sdfix
c:\sdfix\Add_DBFix_RunOnce_key.inf
c:\sdfix\AdminCheck2.txt
c:\sdfix\apps\assosfix.reg
c:\sdfix\apps\Cghtme.exe
c:\sdfix\apps\cliptext.exe
c:\sdfix\apps\CSweg.exe
c:\sdfix\apps\DBFix.inf
c:\sdfix\apps\download.exe
c:\sdfix\apps\dummy.sys
c:\sdfix\apps\Enable_Command_Prompt.inf
c:\sdfix\apps\Enable_Command_Prompt.reg
c:\sdfix\apps\ERDNT.E_E
c:\sdfix\apps\ERDNTDOS.LOC
c:\sdfix\apps\ERDNTWIN.LOC
c:\sdfix\apps\ERUNT.EXE
c:\sdfix\apps\ERUNT.LOC
c:\sdfix\apps\fix.reg
c:\sdfix\apps\FixBeep.reg
c:\sdfix\apps\FixBH.reg
c:\sdfix\apps\FixComponents.reg
c:\sdfix\apps\FIXCU.reg
c:\sdfix\apps\FIXLM.reg
c:\sdfix\apps\FixPath.exe
c:\sdfix\apps\FixRedir.reg
c:\sdfix\apps\FixSchedule.reg
c:\sdfix\apps\FixWebCheck.reg
c:\sdfix\apps\fixXP.reg
c:\sdfix\apps\FixXPsp2.reg
c:\sdfix\apps\grep.exe
c:\sdfix\apps\HaxdFix.reg
c:\sdfix\apps\HPFix.reg
c:\sdfix\apps\HPFix2.reg
c:\sdfix\apps\HPFix3.reg
c:\sdfix\apps\HPFix4.reg
c:\sdfix\apps\HPFix5.reg
c:\sdfix\apps\HPFix6.reg
c:\sdfix\apps\HPFix7.reg
c:\sdfix\apps\HPFix8.reg
c:\sdfix\apps\HPFix9.reg
c:\sdfix\apps\Installed.txt
c:\sdfix\apps\isadmin.exe
c:\sdfix\apps\leg2.txt
c:\sdfix\apps\legacy.txt
c:\sdfix\apps\legacybk.txt
c:\sdfix\apps\locate.com
c:\sdfix\apps\LS.exe
c:\sdfix\apps\MD5File.exe
c:\sdfix\apps\moveex.exe
c:\sdfix\apps\MyGcpvFix.reg
c:\sdfix\apps\MyGkFix2.reg
c:\sdfix\apps\Process.exe
c:\sdfix\apps\procs.exe
c:\sdfix\apps\psservice.exe
c:\sdfix\apps\Rem.txt
c:\sdfix\apps\Rem2.txt
c:\sdfix\apps\Replace\regedit.exe
c:\sdfix\apps\Replace\w2k\AUTOEXEC.NT
c:\sdfix\apps\Replace\w2k\beep.sys
c:\sdfix\apps\Replace\w2k\command.com
c:\sdfix\apps\Replace\w2k\command.PIF
c:\sdfix\apps\Replace\w2k\CONFIG.NT
c:\sdfix\apps\Replace\w2k\null.sys
c:\sdfix\apps\Replace\xp\AUTOEXEC.NT
c:\sdfix\apps\Replace\xp\beep.sys
c:\sdfix\apps\Replace\xp\command.com
c:\sdfix\apps\Replace\xp\command.PIF
c:\sdfix\apps\Replace\xp\CONFIG.NT
c:\sdfix\apps\Replace\xp\null.sys
c:\sdfix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\apps\RestartIt!.exe
c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
c:\sdfix\apps\Restore_SecurityCenter.reg
c:\sdfix\apps\Restore_SharedAccess.reg
c:\sdfix\apps\sc.exe
c:\sdfix\apps\sed.exe
c:\sdfix\apps\SF.exe
c:\sdfix\apps\shutdown.exe
c:\sdfix\apps\srv2.txt
c:\sdfix\apps\srv2bk.txt
c:\sdfix\apps\svc.txt
c:\sdfix\apps\svcbk.txt
c:\sdfix\apps\Swreg.exe
c:\sdfix\apps\swsc.exe
c:\sdfix\apps\UnRAR.exe
c:\sdfix\apps\unzip.exe
c:\sdfix\apps\vfind.exe
c:\sdfix\apps\WINMSG.EXE
c:\sdfix\apps\winsec.reg
c:\sdfix\apps\zip.exe
c:\sdfix\attrib.exe
c:\sdfix\backupreg\AppInit_DLLs.reg
c:\sdfix\backupreg\bat_shell_open.reg
c:\sdfix\backupreg\BHO.reg
c:\sdfix\backupreg\com_shell_open.reg
c:\sdfix\backupreg\ControlPanel_Load.reg
c:\sdfix\backupreg\Drivers32.reg
c:\sdfix\backupreg\exe_shell_open.reg
c:\sdfix\backupreg\HKCU_SOFTWARE_Policy.reg
c:\sdfix\backupreg\HKCU_WINDOWS_Policy.reg
c:\sdfix\backupreg\HKCURun.reg
c:\sdfix\backupreg\HKCURunServices.reg
c:\sdfix\backupreg\HKLM_SOFTWARE_Policy.reg
c:\sdfix\backupreg\HKLM_WINDOWS_Policy.reg
c:\sdfix\backupreg\HKLMRun.reg
c:\sdfix\backupreg\HKLMRunServices.reg
c:\sdfix\backupreg\IEDesktop.reg
c:\sdfix\backupreg\IEMain.reg
c:\sdfix\backupreg\Installed_Components.reg
c:\sdfix\backupreg\pif_shell_open.reg
c:\sdfix\backupreg\reg_shell_open.reg
c:\sdfix\backupreg\SecurityProviders.reg
c:\sdfix\backupreg\SharedTaskScheduler.reg
c:\sdfix\backupreg\ShellServiceObjectDelayLoad.reg
c:\sdfix\backupreg\SubSystems.reg
c:\sdfix\backupreg\txt_shell_open.reg
c:\sdfix\backupreg\Winlogon.reg
c:\sdfix\backupreg\WinlogonNotify.reg
c:\sdfix\backups_old\mpncbmxjvm.exe
c:\sdfix\backups_old\RepairIconAds.reg
c:\sdfix\beepFA0.TXT
c:\sdfix\beepFA1.TXT
c:\sdfix\beepFA2.TXT
c:\sdfix\beepFA3.TXT
c:\sdfix\beepFA4.TXT
c:\sdfix\beepxcodec0.TXT
c:\sdfix\beepxcodec1.TXT
c:\sdfix\beepxcodec2.TXT
c:\sdfix\beepxcodec3.TXT
c:\sdfix\beepxcodec4.TXT
c:\sdfix\bpTEST1.TXT
c:\sdfix\bpTEST3.TXT
c:\sdfix\catchme.exe
c:\sdfix\DBFix.bat
c:\sdfix\delavi0.txt
c:\sdfix\delzip0.txt
c:\sdfix\dest.txt
c:\sdfix\dnif.exe
c:\sdfix\dummy.exe
c:\sdfix\dummy.sys
c:\sdfix\editreg.exe
c:\sdfix\FilekillList1.txt
c:\sdfix\FileList1.txt
c:\sdfix\Find.txt
c:\sdfix\Findav2009.txt
c:\sdfix\Findav2009a.txt
c:\sdfix\Findbhos1.txt
c:\sdfix\FindIRCBrute.txt
c:\sdfix\Findroguerun1.txt
c:\sdfix\Findrun002.txt
c:\sdfix\Findrun002a.txt
c:\sdfix\Findrun30.txt
c:\sdfix\Findrun31.txt
c:\sdfix\Findrun31a.txt
c:\sdfix\Findrun31b.txt
c:\sdfix\Findrun32.txt
c:\sdfix\Findrunbifrose1.txt
c:\sdfix\Findrunbot1.txt
c:\sdfix\FindrunDW_Start.txt
c:\sdfix\Findzip.txt
c:\sdfix\HOSTS
c:\sdfix\Patched2a.txt
c:\sdfix\Patched2b.txt
c:\sdfix\Patched2c.txt
c:\sdfix\RemLat.txt
c:\sdfix\Remlat1.txt
c:\sdfix\Remlat2.txt
c:\sdfix\Remlat3.txt
c:\sdfix\Remlat4.txt
c:\sdfix\Report.txt
c:\sdfix\Report_old_1.txt
c:\sdfix\rtsdnif.exe
c:\sdfix\RunThis.bat
c:\sdfix\SDFIX_ReadMe_Online.url
c:\sdfix\TESTspreadbot1.TXT
c:\sdfix\userinfix.reg
c:\sdfix\W2K_VirusAlert_Repair.inf
c:\sdfix\XP_VirusAlert_Repair.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-17 to 2009-12-17 )))))))))))))))))))))))))))))))
.

2009-12-17 15:46 . 2009-11-26 14:43 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-17 15:46 . 2009-11-26 14:43 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-17 15:46 . 2009-11-26 14:43 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-17 03:29 . 2009-12-17 03:29 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-17 03:28 . 2009-12-17 03:28 -------- d-----w- c:\program files\Bonjour
2009-12-15 13:31 . 2009-12-16 20:42 0 ----a-w- c:\documents and settings\Kevin Jones\Local Settings\Application Data\prvlcl.dat
2009-12-14 23:45 . 2009-12-17 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-14 23:45 . 2009-12-17 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-14 21:43 . 2009-12-14 21:43 -------- d-----w- c:\documents and settings\HelpAssistant\Worms Armageddon
2009-12-14 21:43 . 2009-12-14 21:43 -------- d-----w- c:\documents and settings\HelpAssistant\workspace
2009-12-14 21:42 . 2009-12-14 21:42 -------- d-----w- c:\documents and settings\HelpAssistant\PCSX2-0.9.4
2009-12-14 21:42 . 2009-12-14 21:42 -------- d-----w- c:\documents and settings\HelpAssistant\Oracle Jar Cache
2009-12-14 17:24 . 2009-12-17 00:07 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2009-12-14 17:24 . 2009-12-14 17:24 -------- d-----w- c:\documents and settings\HelpAssistant\.netbeans-registration
2009-12-14 17:24 . 2009-12-14 17:24 -------- d-----w- c:\documents and settings\HelpAssistant\.netbeans-derby
2009-12-14 17:24 . 2009-12-14 17:24 -------- d-----w- c:\documents and settings\HelpAssistant\.netbeans
2009-12-14 17:24 . 2009-12-14 17:24 -------- d-----w- c:\documents and settings\HelpAssistant\.nbprofiler
2009-12-14 17:24 . 2009-12-17 00:07 -------- d-----w- c:\documents and settings\HelpAssistant\.nbi
2009-12-14 17:23 . 2009-12-17 03:26 -------- d-s---w- c:\documents and settings\HelpAssistant
2009-12-12 18:07 . 2009-12-12 18:07 -------- d-----w- c:\program files\Bethesda Softworks
2009-12-12 18:06 . 2009-12-12 18:14 -------- d-----w- c:\documents and settings\Kevin Jones\Local Settings\Application Data\Oblivion
2009-12-12 01:03 . 2009-12-12 01:03 -------- d-----w- c:\program files\SystemRequirementsLab
2009-12-12 01:03 . 2009-12-12 01:03 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-12-12 01:03 . 2009-12-12 01:03 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-12-12 01:03 . 2009-12-12 01:03 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-12-12 01:03 . 2009-12-12 01:03 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-12-04 22:24 . 2009-12-04 22:24 -------- d-----w- c:\program files\AMB Software
2009-11-20 23:58 . 2009-11-21 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Viper
2009-11-20 23:58 . 2009-11-20 23:58 -------- d-----w- c:\program files\Kerigwa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-17 03:28 . 2008-12-28 19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-17 03:27 . 2009-12-17 03:27 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\DAEMON Tools
2009-12-17 03:27 . 2008-01-02 15:58 -------- d-----w- c:\program files\Dell
2009-12-16 22:57 . 2009-12-16 22:57 1478936 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-12-16 22:57 . 2009-12-16 22:57 1143064 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-12-16 22:57 . 2009-12-16 22:57 759064 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-12-16 21:08 . 2009-12-16 21:08 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-16 18:18 . 2008-06-19 22:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-16 17:07 . 2008-01-02 15:45 -------- d-----w- c:\program files\Java
2009-12-15 13:40 . 2008-01-22 04:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-15 00:28 . 2008-12-28 18:11 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\HPAppData
2009-12-12 18:07 . 2008-01-02 15:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-12 01:03 . 2009-10-07 16:28 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab
2009-12-09 20:38 . 2008-03-20 17:56 4322 ----a-w- c:\documents and settings\Kevin Jones\Application Data\wklnhst.dat
2009-12-05 23:22 . 2008-12-31 21:10 -------- d-----w- c:\program files\Worms Armageddon
2009-12-05 06:59 . 2009-01-09 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-05 06:58 . 2008-01-02 16:00 -------- d-----w- c:\program files\Microsoft Works
2009-12-03 21:14 . 2008-12-28 19:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2008-12-28 19:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 00:24 . 2009-11-12 00:15 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\PLT Scheme
2009-11-18 19:42 . 2009-11-12 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLiveVA
2009-11-18 19:42 . 2009-11-12 04:54 -------- d-----w- c:\program files\PPLiveVA
2009-11-17 01:14 . 2008-01-03 22:09 -------- d-----w- c:\program files\Steam
2009-11-12 04:54 . 2009-11-12 04:54 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\PPLiveVA
2009-11-12 00:15 . 2009-11-12 00:13 -------- d-----w- c:\program files\PLT
2009-11-04 17:27 . 2009-11-04 16:28 -------- d-----w- c:\program files\Igneous
2009-11-04 02:59 . 2009-11-04 02:46 -------- d-----w- c:\program files\osu!
2009-10-29 12:53 . 2009-10-28 00:50 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\Winamp
2009-10-29 07:46 . 2004-08-10 17:51 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 17:50 17408 ------w- c:\windows\system32\corpol.dll
2009-10-29 01:16 . 2008-01-26 06:02 -------- d-----w- c:\program files\DivX
2009-10-29 01:16 . 2009-10-29 01:16 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-28 18:18 . 2008-01-16 04:07 -------- d-----w- c:\program files\Starcraft
2009-10-28 00:50 . 2009-07-28 15:30 -------- d-----w- c:\program files\Winamp
2009-10-26 14:30 . 2009-10-26 14:30 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-24 22:07 . 2008-01-16 22:55 -------- d-----w- c:\documents and settings\Kevin Jones\Application Data\Apple Computer
2009-10-21 18:32 . 2009-10-21 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-21 18:32 . 2009-10-21 18:31 -------- d-----w- c:\program files\iTunes
2009-10-21 18:31 . 2009-10-21 18:31 -------- d-----w- c:\program files\iPod
2009-10-21 18:31 . 2008-01-16 22:53 -------- d-----w- c:\program files\Common Files\Apple
2009-10-21 18:31 . 2009-10-21 18:30 -------- d-----w- c:\program files\QuickTime
2009-10-21 18:27 . 2009-10-21 18:27 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-21 06:00 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 04:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-10 17:51 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-10 17:51 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-10 17:51 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-07 16:28 . 2009-10-07 16:28 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_d.dll
2009-10-07 16:28 . 2009-10-07 16:28 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_c.dll
2009-10-07 16:28 . 2009-10-07 16:28 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_b.dll
2009-10-07 16:28 . 2009-10-07 16:28 138240 ----a-w- c:\documents and settings\Kevin Jones\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_a.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-17_04.18.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-17 15:43 . 2009-12-17 15:43 16384 c:\windows\Temp\Perflib_Perfdata_324.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Octoshape Streaming Services"="c:\documents and settings\Kevin Jones\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2008-05-22 156944]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-17 2043160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 18:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Jones^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Kevin Jones\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Jones^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Kevin Jones\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Jones^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Kevin Jones\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 16:02 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-09-25 14:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 12:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-26 02:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-03-13 14:34 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 16:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 16:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mount.exe]
2008-04-11 21:17 374272 ----a-w- c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-01-09 20:25 16859648 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-24 15:56 1217808 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-27 08:26 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 14:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\thechaosentity\\day of defeat source\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Kevin Jones\\Desktop\\Neverwinter Nights\\NWN\\nwmain.exe"=
"c:\\Program Files\\Diablo\\Diablo.exe"=
"c:\\Program Files\\DAUM\\PotPlayer\\daumvsvr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Microprose\\Risk II\\RiskII.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Kevin Jones\\Local Settings\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\Steam\\steamapps\\thechaosentity\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\thechaosentity\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\MicroProse\\Worms2\\frontend.exe"=
"c:\\Program Files\\Worms Armageddon\\WA.exe"=
"c:\\Program Files\\DAUM\\PotPlayer\\PotPlayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_12\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_12\\jre\\bin\\java.exe"=
"c:\\Program Files\\Pocket Tanks\\pockettanks.exe"=
"c:\\Documents and Settings\\Kevin Jones\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Steam\\steamapps\\thechaosentity\\source sdk base\\hl2.exe"=
"c:\\Documents and Settings\\Kevin Jones\\Desktop\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"7662:TCP"= 7662:TCP:Services

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/6/2008 12:11 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/6/2008 12:11 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/30/2008 9:48 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 10:04 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/3/2008 5:13 PM 24652]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/28/2008 2:20 PM 38224]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/3/2008 4:38 PM 716272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: teamliquid.net\www
TCP: {AAFB2DF8-F7A6-443E-B8A3-CB24BCA42E7A} = 207.69.188.186,207.69.188.187
DPF: {1DABF8D5-8430-4985-9B7F-A30E53D709B3} - hxxp://cache.tv.qq.com/qqlive_ocx/QQLiveInstaller.cab
DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - hxxp://download.tvants.com/pub/tvants/tvants1/win32/cab/tvants.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF}
FF - ProfilePath - c:\documents and settings\Kevin Jones\Application Data\Mozilla\Firefox\Profiles\6tvf6qld.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Kevin Jones\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\Kevin Jones\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0907280_SUA_000\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13128.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-17 11:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-17 11:03:47
ComboFix-quarantined-files.txt 2009-12-17 16:03
ComboFix2.txt 2009-12-17 04:24

Pre-Run: 137,447,714,816 bytes free
Post-Run: 137,404,579,840 bytes free

- - End Of File - - D6F94FFB9FAE17E94960301C480AACD5

Kapersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, December 17, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, December 17, 2009 15:57:24
Records in database: 3382319
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
L:\

Scan statistics:
Objects scanned: 217426
Threats found: 4
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 03:27:54


File name / Threat / Threats count
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\20\18ae5e94-4ab37335 Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-55ae4ee7 Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\44\3efada6c-4b99dee7 Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\49\44da1d31-4115d822 Infected: Trojan-Downloader.Java.Agent.af 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-1728b96b.zip Infected: Exploit.Java.Gimsh.a 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

Selected area has been scanned.
__________________
Anonymity is offline  
Old 12-17-2009, 04:09 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,498
OS: XP SP3; Win7 32/64-bit



Hello again, Anonymity. The mIRC find should be OK if you installed it.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\20\18ae5e94-4ab37335"
"C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-55ae4ee7"
"C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\44\3efada6c-4b99dee7"
"C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\49\44da1d31-4115d822"
"C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-1728b96b.zip"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-17-2009, 08:06 PM   #7
Registered Member
 
Join Date: Jul 2008
Posts: 11
OS: Win XP



Hi,

The program echoed "Deleted successfully!" after running.
__________________
Anonymity is offline  
Old 12-17-2009, 08:26 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,498
OS: XP SP3; Win7 32/64-bit



Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable AVG before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

Please re-enable TeaTimer:
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Check the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-17-2009, 08:41 PM   #9
Registered Member
 
Join Date: Jul 2008
Posts: 11
OS: Win XP



Thanks again for all your help and advice; everything is back in order.
__________________
Anonymity is offline  
Old 12-18-2009, 05:56 AM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,498
OS: XP SP3; Win7 32/64-bit



You're very welcome, Anonymity! Glad to have helped.

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 02:26 PM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts