downadup and some other things...

1.5K views 9 replies 2 participants last post by  sjpritch25  
#1 · (Edited by Moderator)
I followed the "first steps" thread, but I couldn't use gmer.exe, because my PC restarted every time I tried to scan. I don't know why.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kiffi at 16:57:52,95 on Mon 26.07.2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1250.386.1033.18.767.446 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\Explorer.EXE
D:\programs\Firefox\firefox.exe
C:\Documents and Settings\Kiffi\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {B2C88365-DBD0-4772-8602-5ABB6ACB015B} = 193.189.160.13 193.189.160.23
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\Kiffi\applic~1\mozilla\firefox\profiles\igf412zi.test\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=sl
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\Kiffi\application data\mozilla\firefox\profiles\igf412zi.test\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\programs\quicktime\plugins\npqtplugin7.dll
FF - plugin: d:\programs\vlc\npvlc.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\programs\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\programs\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\programs\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\programs\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\programs\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\programs\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\programs\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\programs\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\programs\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\programs\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\programs\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\programs\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\programs\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\programs\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\programs\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\programs\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\programs\firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\programs\firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\programs\firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\programs\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\programs\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\programs\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\programs\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\programs\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\programs\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\programs\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\programs\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\programs\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\programs\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\programs\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\programs\firefox\greprefs\all.js - pref("html5.enable", false);
d:\programs\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\programs\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\programs\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\programs\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\programs\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\programs\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\programs\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\programs\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\programs\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\programs\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\programs\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\programs\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\programs\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\programs\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\programs\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\programs\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\programs\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\programs\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\programs\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\programs\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\programs\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\programs\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
d:\programs\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\programs\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\programs\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-1-31 12672]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
S2 aqbfja;Windows Task;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 axzsekqk;Config Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ghyiapj;Manager Update;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 uyavytl;Microsoft Shell;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 xcosa;Universal Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\screamingbaudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-07-21 14:56:34 0 d-----w- c:\program files\LogMeIn Hamachi
2010-07-21 06:54:57 0 d-----w- c:\program files\Ventrilo
2010-07-21 06:54:43 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2010-07-21 06:54:31 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-07-15 08:38:27 30280 ----a-w- c:\windows\DIIUnin.dat
2010-07-15 08:38:25 94208 ----a-w- c:\windows\DIIUnin.exe
2010-07-15 08:38:25 2829 ----a-w- c:\windows\DIIUnin.pif

==================== Find3M ====================

2010-06-23 21:51:41 7480 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 16:56:37 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-22 16:56:22 214592 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-22 13:43:17 139152 -c--a-w- c:\docume~1\Kiffi\applic~1\PnkBstrK.sys
2010-06-22 13:42:56 794408 -c--a-w- c:\windows\system32\pbsvc.exe
2010-06-22 13:30:26 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-22 12:03:17 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-13 23:59:41 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-13 23:59:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2001-11-23 07:38:20 712704 -c--a-w- c:\windows\inf\other\AUDIO3D.DLL
2007-12-31 10:03:31 155633 --sha-r- c:\windows\system32\jyedq.dll
2008-01-15 17:03:55 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011520080116\index.dat

============= FINISH: 16:59:27,59 ===============

Alright, anyway, my problem is that there is probably, pardon my French, a ******** of spyware/malware/whateverware on this computer.

I mean, I really wouldn't mind, but it's an invasion of privacy, so... yeah.

Usually I can't access microsoft.com, kaspersky.com, avast.com, or anything related to anti-virus; I have no access to those sites.

So, I got this "downadup removal tool" by those bitdefender guys... and it finds downadup on my PC, removes it, I reboot and voila, I can access those sites again.

However, when I reboot again, I can't access them. So, this downadup thing keeps popping up on my computer, and I need to know how I can remove it forever. Also, since this thing has no problem roaming free through my PC, I probably have other worms, viruses, spyware, etc., on it too.

The obvious thing is to have antivirus on the PC, right? Yes! Great idea!
BUT, I need an antivirus that doesn't hog 60% of the resources ALL the time, doesn't increase boot time tenfold, and doesn't annoy me with update pop-ups every 3 seconds.

When I use Photoshop, CS2 mind you, this computer barely moves. It's old.

So, I need a free antivirus that doesn't rape my face with 24/7 PROTECTION FIREWALL ICEWALL WONDERWALL ANTIVIRUS ANTIWORM ANTIFREEZE, CONSTANT UPDATE. Aside from all the half-assed uninstallations of programs scattered throughout the hard drive, all those things just cripple my PC, and slow it down more than any virus ever could.

I really don't need that. I just want to update when I choose to, and scan a few times per month.

Any advice is appreciated.

oh btw, how could I forget this...

Sometimes random sites open in Firefox. I obviously did not open them, so I don't know what that is.
 
#2 ·
Welcome to TSF :)

You certainly have an infection present.

S2 aqbfja;Windows Task;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 axzsekqk;Config Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 ghyiapj;Manager Update;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 uyavytl;Microsoft Shell;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 xcosa;Universal Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]


Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
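The reply above singles out five services because they share one shape: a short random name, a generic Windows-sounding display name, and an image path of svchost.exe -k netsvcs. A service only belongs in that host group if its name is listed in the netsvcs REG_MULTI_SZ under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, so names that are hosted there but absent from the group are the thing to look for. The script below is an added example written for this page, not a tool the thread uses: it parses the DDS service lines and Find3M file lines quoted in the first post and flags (a) netsvcs-hosted services whose name is not in a baseline group list and (b) files sitting directly in system32 with both the system and hidden attributes. The baseline is an abbreviated XP list assumed here; on a real machine replace it with the value read from that registry key. The wuauserv line is constructed for contrast and is not in the original log. Hits are candidates, not verdicts: the same KGyGaAvL.sys name also appears under a Protexis folder in the ComboFix log, so that one needs checking rather than deleting.

```python
import re

# Service lines excerpted from the DDS "SERVICES / DRIVERS" section of the
# first post. The "wuauserv" line is constructed for contrast: a genuine
# netsvcs member that the check must NOT flag.
DDS_SERVICES = r"""
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-1-31 12672]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
S2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 aqbfja;Windows Task;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 axzsekqk;Config Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ghyiapj;Manager Update;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 uyavytl;Microsoft Shell;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 xcosa;Universal Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
"""

# File lines excerpted from the DDS "Find3M" section of the first post.
DDS_FILES = r"""
2010-06-22 16:56:37 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-22 13:30:26 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-22 12:03:17 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-13 23:59:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2007-12-31 10:03:31 155633 --sha-r- c:\windows\system32\jyedq.dll
2008-01-15 17:03:55 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008011520080116\index.dat
"""

# ASSUMED abbreviated XP netsvcs group. On a live system read the real list from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, value "netsvcs".
NETSVCS_BASELINE = {
    "6to4", "appmgmt", "audiosrv", "browser", "cryptsvc", "dmserver", "dhcp", "ersvc",
    "eventsystem", "fastuserswitchingcompatibility", "helpsvc", "hidserv", "ias", "iprip",
    "irmon", "lanmanserver", "lanmanworkstation", "messenger", "netman", "nla", "ntmssvc",
    "nwcworkstation", "nwsapagent", "rasauto", "rasman", "remoteaccess", "schedule",
    "seclogon", "sens", "sharedaccess", "srservice", "tapisrv", "themes", "trkwks",
    "w32time", "wzcsvc", "wmi", "wmdmpmsp", "winmgmt", "wscsvc", "xmlprov",
    "bits", "wuauserv", "shellhwdetection", "uploadmgr", "aelookupsvc",
}

# DDS service line: "<state> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)(?:\s+\[[^\]]*\])?\s*$"
)
# DDS Find3M line: "<timestamp> <size> <8-char attribute flags> <path>"
FILE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)


def parse_services(text):
    """Return one dict per parseable DDS service/driver line."""
    return [m.groupdict() for m in map(SERVICE_RE.match, text.strip().splitlines()) if m]


def rogue_netsvcs(text, baseline=NETSVCS_BASELINE):
    """(name, display) for services hosted by 'svchost -k netsvcs' whose name is not in the group."""
    hits = []
    for svc in parse_services(text):
        image = svc["image"].lower()
        if "svchost.exe" in image and re.search(r"-k\s+netsvcs\b", image):
            if svc["name"].lower() not in baseline:
                hits.append((svc["name"], svc["display"]))
    return hits


def hidden_system_files(text, directory=r"c:\windows\system32"):
    """File names directly inside `directory` carrying both the system (s) and hidden (h) flags."""
    hits = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        parent, _, fname = m["path"].rpartition("\\")
        if parent.lower() == directory.lower() and "s" in m["attrs"] and "h" in m["attrs"]:
            hits.append(fname)
    return hits


def report(services_text, files_text):
    """Human-readable list of candidates for the responder to check by hand."""
    lines = [f"netsvcs service not in baseline: {n} ({d!r})" for n, d in rogue_netsvcs(services_text)]
    lines += [f"hidden+system file directly in system32: {f}" for f in hidden_system_files(files_text)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(DDS_SERVICES, DDS_FILES)))
```

Run against the excerpt, the service check returns exactly the five names the reply quotes and leaves wuauserv alone; the file check returns KGyGaAvL.sys and jyedq.dll, which is why a name like jyedq.dll that is hidden, system, read-only and was recreated after the removal tool ran is worth asking about in the next log.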
#3 ·
Uhh, I don't know what that "AV: ESET NOD32 Antivirus 3.0" line is doing there, because I uninstalled it quite a while ago. I know NOD32 doesn't uninstall completely, I even used a "nod remover" program, but it looks like a part of it is still on the computer.

Here it is:


ComboFix 10-07-24.06 - Kiffi 27.07.2010 12:25:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.386.1033.18.767.541 [GMT 2:00]
Running from: c:\documents and settings\Kiffi\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\General Antivirus
c:\documents and settings\All Users\Start Menu\Programs\General Antivirus\General Antivirus Home Page.lnk
c:\documents and settings\All Users\Start Menu\Programs\General Antivirus\General Antivirus.lnk
c:\documents and settings\All Users\Start Menu\Programs\General Antivirus\Purchase License.lnk
c:\documents and settings\All Users\Start Menu\Programs\General Antivirus\Uninstall General Antivirus.lnk
c:\documents and settings\Kiffi\Application Data\General Antivirus
c:\documents and settings\Kiffi\Application Data\General Antivirus\db\config.cfg
c:\documents and settings\Kiffi\Application Data\General Antivirus\db\pb.dll
c:\documents and settings\Kiffi\Application Data\General Antivirus\db\Timeout.inf
c:\documents and settings\Kiffi\Application Data\General Antivirus\db\Urls.inf
c:\documents and settings\Kiffi\Application Data\Microsoft\Windows\winlogon.exe

Infected copy of c:\windows\system32\drivers\IdeChnDr.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-27 07:45 . 2010-07-27 07:46 5075 ----a-r- c:\windows\system32\jyedq.dll
2010-07-21 15:04 . 2010-07-27 10:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi
2010-07-21 14:56 . 2010-07-21 16:02 -------- d-----w- c:\documents and settings\Kiffi\Local Settings\Application Data\LogMeIn Hamachi
2010-07-21 14:56 . 2010-07-21 15:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\BACKUPLogMeIn Hamachi
2010-07-21 14:56 . 2010-07-21 14:56 -------- d-----w- c:\program files\LogMeIn Hamachi
2010-07-21 06:54 . 2010-07-21 06:55 -------- d-----w- c:\program files\Ventrilo
2010-07-21 06:54 . 2010-07-21 06:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-15 08:38 . 2010-07-15 10:37 30280 ----a-w- c:\windows\DIIUnin.dat
2010-07-15 08:38 . 2010-07-15 08:38 94208 ----a-w- c:\windows\DIIUnin.exe
2010-07-15 08:38 . 2010-07-15 08:38 2829 ----a-w- c:\windows\DIIUnin.pif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 14:32 . 2008-04-07 16:10 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-07-24 21:28 . 2008-08-06 13:18 -------- d-----w- c:\documents and settings\Kiffi\Application Data\WinAmp
2010-07-24 13:30 . 2008-08-23 15:28 -------- d-----w- c:\documents and settings\Kiffi\Application Data\LimeWire
2010-07-21 14:56 . 2008-10-25 21:09 -------- d-----w- c:\documents and settings\Kiffi\Application Data\Hamachibackup
2010-07-15 07:24 . 2008-09-16 09:21 -------- d-----w- c:\documents and settings\Kiffi\Application Data\uTorrent
2010-06-25 09:46 . 2010-06-25 09:46 -------- d-----w- c:\documents and settings\Kiffi\Application Data\Auslogics
2010-06-24 17:36 . 2010-06-24 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-24 17:35 . 2010-06-24 17:35 -------- d-----w- c:\program files\NOS
2010-06-23 21:51 . 2009-04-07 13:45 7480 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-23 13:16 . 2010-06-23 13:16 9158 ----a-r- c:\documents and settings\Kiffi\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2010-06-23 13:15 . 2010-06-23 13:15 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-06-23 13:15 . 2010-06-23 13:15 -------- d-----w- c:\program files\USB TV
2010-06-23 13:15 . 2008-01-16 11:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-23 13:15 . 2010-06-23 13:15 -------- d-----w- c:\documents and settings\Kiffi\Application Data\InstallShield
2010-06-23 13:03 . 2010-06-23 13:03 -------- d-----w- c:\program files\ATI Technologies
2010-06-23 12:18 . 2008-08-22 15:33 -------- d-----w- c:\documents and settings\Kiffi\Application Data\mIRC
2010-06-22 16:56 . 2008-10-10 19:34 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-22 16:56 . 2008-10-10 19:33 214592 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-22 13:43 . 2009-01-17 02:06 139152 -c--a-w- c:\documents and settings\Kiffi\Application Data\PnkBstrK.sys
2010-06-22 13:43 . 2009-01-17 02:06 139152 -c--a-w- c:\documents and settings\Kiffi\Application Data\PnkBstrK.sys
2010-06-22 13:42 . 2009-01-17 02:06 794408 -c--a-w- c:\windows\system32\pbsvc.exe
2010-06-22 13:30 . 2010-06-09 19:39 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-22 12:03 . 2008-10-10 19:33 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-13 23:59 . 2010-06-13 23:59 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-13 23:59 . 2010-06-13 23:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2010-06-13 17:35 . 2008-04-09 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-13 17:32 . 2010-04-17 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-13 14:36 . 2010-06-13 14:36 -------- d-----w- c:\program files\Common Files\PCSuite
2010-06-13 14:36 . 2010-06-12 21:07 -------- d-----w- c:\program files\Common Files\Nokia
2010-06-13 14:29 . 2010-06-13 14:29 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Installer\CommonCustomActions\pcswpcsi.exe
2010-06-13 14:29 . 2010-06-13 14:29 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Installer\CommonCustomActions\UninstCCD.exe
2010-06-13 14:29 . 2010-06-13 14:29 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-06-13 14:29 . 2010-06-13 14:29 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Installer\CommonCustomActions\UninstPCS.exe
2010-06-13 14:28 . 2008-01-17 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-06-13 14:27 . 2010-06-13 14:30 35536248 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Nokia_PC_Suite_eng_web.exe
2010-06-12 21:06 . 2009-12-25 13:33 -------- d-----w- c:\program files\Nokia
2010-06-12 21:05 . 2010-06-12 21:05 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-06-12 21:05 . 2010-06-12 21:05 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-06-12 21:05 . 2010-06-12 21:05 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-06-12 21:05 . 2010-06-12 21:05 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-06-12 21:05 . 2010-06-12 21:05 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-06-12 21:05 . 2010-06-12 21:05 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\pcswpc.exe
2010-06-12 21:02 . 2009-12-25 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-06-12 17:58 . 2010-06-12 17:58 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-12 17:49 . 2010-06-12 17:49 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-12 17:49 . 2010-06-12 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-11 21:58 . 2010-06-12 21:02 98366952 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Nokia_Ovi_Suite_webinstaller_ALL.exe
2010-06-10 05:15 . 2010-06-03 01:51 -------- d-----w- c:\documents and settings\Kiffi\Application Data\FileZilla
2010-06-09 19:52 . 2010-06-09 19:38 65536 ----a-r- c:\documents and settings\Kiffi\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2010-06-09 19:52 . 2010-06-09 19:38 10134 ----a-r- c:\documents and settings\Kiffi\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe
2010-06-09 19:48 . 2010-06-09 19:48 -------- d-----w- c:\program files\Corel
2010-06-09 19:45 . 2010-06-09 19:45 -------- d-----w- c:\program files\CorelDRAW Graphics Suite X5
2010-06-09 19:39 . 2010-06-09 19:39 -------- d-----w- c:\documents and settings\Kiffi\Application Data\Corel
2010-06-09 19:38 . 2010-06-09 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-06-09 19:38 . 2008-01-20 20:47 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-08 03:04 . 2010-06-08 02:04 2828 --sha-w- c:\documents and settings\All Users\Application Data\Protexis\KGyGaAvL.sys
2010-06-08 02:37 . 2010-06-08 02:37 -------- d-----w- c:\program files\Microsoft.NET
2010-06-08 02:05 . 2008-08-07 11:10 77872 -c--a-w- c:\documents and settings\Kiffi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-08 02:04 . 2010-06-08 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2010-06-07 22:35 . 2010-03-03 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-06-02 17:14 . 2010-06-02 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-06-02 16:54 . 2008-01-18 16:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-31 19:02 . 2010-05-31 19:02 503808 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f20db1e-n\msvcp71.dll
2010-05-31 19:02 . 2010-05-31 19:02 499712 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f20db1e-n\jmc.dll
2010-05-31 19:02 . 2010-05-31 19:02 348160 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f20db1e-n\msvcr71.dll
2010-05-31 19:02 . 2010-05-31 19:02 61440 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-488e6cf6-n\decora-sse.dll
2010-05-31 19:02 . 2010-05-31 19:02 12800 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-488e6cf6-n\decora-d3d.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BDARemote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BDARemote.lnk
backup=c:\windows\pss\BDARemote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kiffi^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Kiffi\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 01:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 02:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-03-25 20:21 50528 -c--a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-07-12 15:33 1581056 -c--a-w- c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 14:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 14:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2010-03-30 09:16 1820040 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:21 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 14:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
2010-05-28 11:46 753664 ----a-w- d:\programs\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-05-14 08:32 1479680 ----a-w- d:\programs\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-10 14:27 385024 -c--a-w- d:\programs\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 14:28 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-06-23 21:55 1238352 ----a-w- d:\igre\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 09:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"avg8wd"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"IDriverT"=3 (0x3)
"PSI_SVC_2"=2 (0x2)
"PnkBstrA"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\programs\\Limewire\\LimeWire.exe"=
"d:\\programs\\mIRC\\mirc.exe"=
"d:\\programs\\VLC\\vlc.exe"=
"d:\\programs\\Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Igre\\Age of Empires 2\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\igre\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\igre\\Steam\\steamapps\\dave3_pwnz\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1277:TCP"= 1277:TCP:yospih

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [30.3.2010 11:16 1107336]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 aqbfja;Windows Task;c:\windows\system32\svchost.exe -k netsvcs [4.8.2004 14:00 14336]
S2 axzsekqk;Config Network;c:\windows\system32\svchost.exe -k netsvcs [4.8.2004 14:00 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S2 ghyiapj;Manager Update;c:\windows\system32\svchost.exe -k netsvcs [4.8.2004 14:00 14336]
S2 rtsouuxl;Server Network;c:\windows\system32\svchost.exe -k netsvcs [4.8.2004 14:00 14336]
S2 uyavytl;Microsoft Shell;c:\windows\system32\svchost.exe -k netsvcs [4.8.2004 14:00 14336]
S2 xcosa;Universal Network;c:\windows\system32\svchost.exe -k netsvcs [4.8.2004 14:00 14336]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
aqbfja
uyavytl
rtsouuxl
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\AdobeAAMUpdater-1.0 Fallback-DAVID-Kiffi.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe [2010-06-02 02:04]

2010-06-02 c:\windows\Tasks\AdobeAAMUpdater-1.0-DAVID-Kiffi.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-02 01:44]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kiffi\Application Data\Mozilla\Firefox\Profiles\igf412zi.test\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=sl
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Kiffi\Application Data\Mozilla\Firefox\Profiles\igf412zi.test\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\programs\Firefox\plugins\np-mswmp.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\programs\VLC\npvlc.dll

---- FIREFOX POLICIES ----
d:\programs\Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\programs\Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\programs\Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\programs\Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\programs\Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\programs\Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\programs\Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\programs\Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\programs\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\programs\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\programs\Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ctfmon - c:\windows\system32\ctfmon.exe
MSConfigStartUp-HP Component Manager - c:\program files\HP\hpcoretech\hpcmpmgr.exe
MSConfigStartUp-HP Software Update - c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
MSConfigStartUp-HPDJ Taskbar Utility - c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
MSConfigStartUp-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-VirtualCloneDrive - d:\programs\Virtual CloneDrive\VCDDaemon.exe
AddRemove-2kv4.8.442 - c:\windows\Radeon Omega Drivers v4.8.442
AddRemove-VirtualCloneDrive - d:\programs\Virtual CloneDrive\vcd-uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 12:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\axzsekqk]
"ServiceDll"="c:\windows\system32\vchsguk.dll.old"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ghyiapj]
"ServiceDll"="c:\windows\system32\vchsguk.dll.old"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xcosa]
"ServiceDll"="c:\windows\system32\vchsguk.dll.old"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aqbfja]
"ServiceDll"="c:\windows\system32\jyedq.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rtsouuxl]
"ServiceDll"="c:\windows\system32\jyedq.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uyavytl]
"ServiceDll"="c:\windows\system32\jyedq.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\˙˙*]
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="?$\09"
"ReinstallString"="8.530.0.0000"
"DeviceInstanceIds"=multi:"c:\\program files\\ati\\xp_inf\\cx_68898.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-27 12:35:53
ComboFix-quarantined-files.txt 2010-07-27 10:35

Pre-Run: 2.222.129.152 bytes free
Post-Run: 2.278.092.800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 79B16640899D9CD5526E5B06CF91A994
 
#4 ·
Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/f50/downadup-and-some-other-things-500803.html#post2823251

Collect::
c:\windows\system32\jyedq.dll
c:\windows\system32\vchsguk.dll.old
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"c:\\Program Files\\AIM6\\aim6.exe"=-
"d:\\programs\\Limewire\\LimeWire.exe"=-
"d:\\programs\\mIRC\\mirc.exe"=-
"d:\\programs\\VLC\\vlc.exe"=-
"d:\\programs\\Firefox\\firefox.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1277:TCP"=-
Driver::
aqbfja
axzsekqk
ghyiapj
rtsouuxl
uyavytl
xcosa
NetSvc::
aqbfja
uyavytl
rtsouuxl
Save this as CFScript.txt


Image



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
 
#5 ·
here:

ComboFix 10-07-24.06 - Kiffi 29.07.2010 10:31:19.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.386.1033.18.767.504 [GMT 2:00]
Running from: c:\documents and settings\Kiffi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kiffi\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point

file zipped: c:\windows\system32\jyedq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jyedq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AQBFJA
-------\Legacy_AXZSEKQK
-------\Legacy_GHYIAPJ
-------\Legacy_RTSOUUXL
-------\Legacy_UYAVYTL
-------\Legacy_XCOSA
-------\Service_aqbfja
-------\Service_axzsekqk
-------\Service_ghyiapj
-------\Service_rtsouuxl
-------\Service_uyavytl
-------\Service_xcosa


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-28 10:07 . 2010-07-28 10:07 -------- d-----w- c:\documents and settings\Kiffi\Application Data\Remobo
2010-07-27 22:50 . 2010-07-28 14:09 -------- d-----w- c:\documents and settings\Kiffi\Application Data\QuickScan
2010-07-21 15:04 . 2010-07-29 08:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi
2010-07-21 14:56 . 2010-07-21 16:02 -------- d-----w- c:\documents and settings\Kiffi\Local Settings\Application Data\LogMeIn Hamachi
2010-07-21 14:56 . 2010-07-21 15:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\BACKUPLogMeIn Hamachi
2010-07-21 14:56 . 2010-07-21 14:56 -------- d-----w- c:\program files\LogMeIn Hamachi
2010-07-21 06:54 . 2010-07-21 06:55 -------- d-----w- c:\program files\Ventrilo
2010-07-21 06:54 . 2010-07-21 06:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-15 08:38 . 2010-07-15 10:37 30280 ----a-w- c:\windows\DIIUnin.dat
2010-07-15 08:38 . 2010-07-15 08:38 94208 ----a-w- c:\windows\DIIUnin.exe
2010-07-15 08:38 . 2010-07-15 08:38 2829 ----a-w- c:\windows\DIIUnin.pif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 18:58 . 2008-08-23 15:28 -------- d-----w- c:\documents and settings\Kiffi\Application Data\LimeWire
2010-07-27 14:50 . 2010-06-09 19:39 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-26 14:32 . 2008-04-07 16:10 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-07-24 21:28 . 2008-08-06 13:18 -------- d-----w- c:\documents and settings\Kiffi\Application Data\WinAmp
2010-07-21 14:56 . 2008-10-25 21:09 -------- d-----w- c:\documents and settings\Kiffi\Application Data\Hamachibackup
2010-07-15 07:24 . 2008-09-16 09:21 -------- d-----w- c:\documents and settings\Kiffi\Application Data\uTorrent
2010-06-25 09:46 . 2010-06-25 09:46 -------- d-----w- c:\documents and settings\Kiffi\Application Data\Auslogics
2010-06-24 17:36 . 2010-06-24 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-24 17:35 . 2010-06-24 17:35 -------- d-----w- c:\program files\NOS
2010-06-23 21:51 . 2009-04-07 13:45 7480 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-23 13:16 . 2010-06-23 13:16 9158 ----a-r- c:\documents and settings\Kiffi\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2010-06-23 13:15 . 2010-06-23 13:15 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-06-23 13:15 . 2010-06-23 13:15 -------- d-----w- c:\program files\USB TV
2010-06-23 13:15 . 2008-01-16 11:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-23 13:15 . 2010-06-23 13:15 -------- d-----w- c:\documents and settings\Kiffi\Application Data\InstallShield
2010-06-23 13:03 . 2010-06-23 13:03 -------- d-----w- c:\program files\ATI Technologies
2010-06-23 12:18 . 2008-08-22 15:33 -------- d-----w- c:\documents and settings\Kiffi\Application Data\mIRC
2010-06-22 16:56 . 2008-10-10 19:34 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-22 16:56 . 2008-10-10 19:33 214592 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-22 13:43 . 2009-01-17 02:06 139152 -c--a-w- c:\documents and settings\Kiffi\Application Data\PnkBstrK.sys
2010-06-22 13:43 . 2009-01-17 02:06 139152 -c--a-w- c:\documents and settings\Kiffi\Application Data\PnkBstrK.sys
2010-06-22 13:42 . 2009-01-17 02:06 794408 -c--a-w- c:\windows\system32\pbsvc.exe
2010-06-22 12:03 . 2008-10-10 19:33 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-13 23:59 . 2010-06-13 23:59 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-13 23:59 . 2010-06-13 23:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2010-06-13 17:35 . 2008-04-09 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-13 17:32 . 2010-04-17 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-13 14:36 . 2010-06-13 14:36 -------- d-----w- c:\program files\Common Files\PCSuite
2010-06-13 14:36 . 2010-06-12 21:07 -------- d-----w- c:\program files\Common Files\Nokia
2010-06-13 14:29 . 2010-06-13 14:29 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Installer\CommonCustomActions\pcswpcsi.exe
2010-06-13 14:29 . 2010-06-13 14:29 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Installer\CommonCustomActions\UninstCCD.exe
2010-06-13 14:29 . 2010-06-13 14:29 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-06-13 14:29 . 2010-06-13 14:29 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Installer\CommonCustomActions\UninstPCS.exe
2010-06-13 14:28 . 2008-01-17 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-06-13 14:27 . 2010-06-13 14:30 35536248 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{18756A46-652E-4ED4-A029-C4940D59F09B}\Nokia_PC_Suite_eng_web.exe
2010-06-12 21:06 . 2009-12-25 13:33 -------- d-----w- c:\program files\Nokia
2010-06-12 21:05 . 2010-06-12 21:05 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-06-12 21:05 . 2010-06-12 21:05 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-06-12 21:05 . 2010-06-12 21:05 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-06-12 21:05 . 2010-06-12 21:05 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-06-12 21:05 . 2010-06-12 21:05 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-06-12 21:05 . 2010-06-12 21:05 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\pcswpc.exe
2010-06-12 21:02 . 2009-12-25 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-06-12 17:58 . 2010-06-12 17:58 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-12 17:49 . 2010-06-12 17:49 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-12 17:49 . 2010-06-12 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-11 21:58 . 2010-06-12 21:02 98366952 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Nokia_Ovi_Suite_webinstaller_ALL.exe
2010-06-10 05:15 . 2010-06-03 01:51 -------- d-----w- c:\documents and settings\Kiffi\Application Data\FileZilla
2010-06-09 19:52 . 2010-06-09 19:38 65536 ----a-r- c:\documents and settings\Kiffi\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2010-06-09 19:52 . 2010-06-09 19:38 10134 ----a-r- c:\documents and settings\Kiffi\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe
2010-06-09 19:48 . 2010-06-09 19:48 -------- d-----w- c:\program files\Corel
2010-06-09 19:45 . 2010-06-09 19:45 -------- d-----w- c:\program files\CorelDRAW Graphics Suite X5
2010-06-09 19:39 . 2010-06-09 19:39 -------- d-----w- c:\documents and settings\Kiffi\Application Data\Corel
2010-06-09 19:38 . 2010-06-09 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-06-09 19:38 . 2008-01-20 20:47 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-08 03:04 . 2010-06-08 02:04 2828 --sha-w- c:\documents and settings\All Users\Application Data\Protexis\KGyGaAvL.sys
2010-06-08 02:37 . 2010-06-08 02:37 -------- d-----w- c:\program files\Microsoft.NET
2010-06-08 02:05 . 2008-08-07 11:10 77872 -c--a-w- c:\documents and settings\Kiffi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-08 02:04 . 2010-06-08 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis
2010-06-07 22:35 . 2010-03-03 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2010-06-02 17:14 . 2010-06-02 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-06-02 16:54 . 2008-01-18 16:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-31 19:02 . 2010-05-31 19:02 503808 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f20db1e-n\msvcp71.dll
2010-05-31 19:02 . 2010-05-31 19:02 499712 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f20db1e-n\jmc.dll
2010-05-31 19:02 . 2010-05-31 19:02 348160 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1f20db1e-n\msvcr71.dll
2010-05-31 19:02 . 2010-05-31 19:02 61440 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-488e6cf6-n\decora-sse.dll
2010-05-31 19:02 . 2010-05-31 19:02 12800 ----a-w- c:\documents and settings\Kiffi\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-488e6cf6-n\decora-d3d.dll
2010-05-31 14:34 . 2010-07-27 22:50 702120 ----a-w- c:\documents and settings\Kiffi\Application Data\Mozilla\Firefox\Profiles\igf412zi.test\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-05-31 14:34 . 2010-07-27 22:50 868456 ----a-w- c:\documents and settings\Kiffi\Application Data\Mozilla\Firefox\Profiles\igf412zi.test\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-27_10.32.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-22 15:21 . 2009-04-22 15:21 26112 c:\windows\system32\drivers\remobo32.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BDARemote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BDARemote.lnk
backup=c:\windows\pss\BDARemote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kiffi^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Kiffi\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 01:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 02:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-03-25 20:21 50528 -c--a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-07-12 15:33 1581056 -c--a-w- c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 14:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 14:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2010-03-30 09:16 1820040 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:21 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 14:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
2010-05-28 11:46 753664 ----a-w- d:\programs\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2010-05-14 08:32 1479680 ----a-w- d:\programs\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-10 14:27 385024 -c--a-w- d:\programs\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remobo]
2010-01-21 07:05 10758656 ----a-w- d:\programs\Remobo\Remobo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 14:28 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-06-23 21:55 1238352 ----a-w- d:\igre\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 09:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"avg8wd"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"IDriverT"=3 (0x3)
"PSI_SVC_2"=2 (0x2)
"PnkBstrA"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Igre\\Age of Empires 2\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\igre\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\igre\\Steam\\steamapps\\dave3_pwnz\\counter-strike source\\hl2.exe"=

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [30.3.2010 11:16 1107336]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S3 hipeer20;Remobo Instant Private Network;c:\windows\system32\drivers\remobo32.sys [22.4.2009 17:21 26112]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\AdobeAAMUpdater-1.0 Fallback-DAVID-Kiffi.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe [2010-06-02 02:04]

2010-06-02 c:\windows\Tasks\AdobeAAMUpdater-1.0-DAVID-Kiffi.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-02 01:44]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kiffi\Application Data\Mozilla\Firefox\Profiles\igf412zi.test\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=sl
FF - component: c:\documents and settings\Kiffi\Application Data\Mozilla\Firefox\Profiles\igf412zi.test\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Kiffi\Application Data\Mozilla\Firefox\Profiles\igf412zi.test\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\Kiffi\Application Data\Mozilla\Firefox\Profiles\igf412zi.test\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\programs\Firefox\plugins\np-mswmp.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\programs\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\programs\VLC\npvlc.dll

---- FIREFOX POLICIES ----
d:\programs\Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\programs\Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\programs\Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\programs\Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\programs\Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\programs\Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\programs\Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\programs\Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\programs\Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\programs\Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\programs\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\programs\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\programs\Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\programs\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-29 10:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\˙˙*]
"DisplayName"="?\11"
"DeviceDesc"="?\11"
"ProviderName"="?\11???\11\08"
"MFG"="?$\09"
"ReinstallString"="8.530.0.0000"
"DeviceInstanceIds"=multi:"c:\\program files\\ati\\xp_inf\\cx_68898.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3584)
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
d:\programs\nokia\Nokia PC Suite 7\PhoneBrowser.dll
d:\programs\nokia\Nokia PC Suite 7\NGSCM.DLL
d:\programs\nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
d:\programs\nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-29 10:49:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-29 08:49
ComboFix2.txt 2010-07-27 10:51

Pre-Run: 2.272.481.280 bytes free
Post-Run: 2.168.291.328 bytes free

- - End Of File - - 88D915483988CBD1AD50ACECD6FF09AD
 
#10 ·
Go to Start ---> Run ---> Type ComboFix /uninstall and press Enter.

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

=========================================

Now that your system is clean, you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update

  2. How to update Adobe Acrobat Reader
    1. On your desktop, double-click on your Adobe icon.
    2. Click on Help.
    3. Click on Check for Updates.
    4. Visit my blog Here to view the video.
  3. How to update Java SE Runtime
    1. Go to Start.
    2. Click on Control Panel
    3. Double-Click on the Java icon.
    4. Click on Update tab
    5. Click on Update Now.
    6. Visit my blog Here to view the video.
  4. Check out Tony Klein's "So how did I get infected in the first place" here
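As an added illustration of the restore-point step above (this is not part of the helper's post, nor code from ComboFix or OTC), the same thing can be done from an Administrator PowerShell 2.0 prompt on XP through the SystemRestore WMI class in root\default. The restore-point name and the output layout are assumptions. The script creates the new point, then lists every point System Restore is still holding so you can see what Cleanmgr's "Clean Up" will discard (all but the highest sequence number), and reports the disk budget the restore store is allowed:

```powershell
# Added example, not from the original thread. Requires Windows XP with PowerShell 2.0,
# run as Administrator. The description text below is an assumption; pick a name you
# will recognise later in the System Restore wizard.
$description = "Post-cleanup baseline $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

# Static method on the SystemRestore class:
#   CreateRestorePoint(Description, RestorePointType, EventType)
# RestorePointType 0 = APPLICATION_INSTALL (a plain manual point),
# EventType 100 = BEGIN_SYSTEM_CHANGE.
$sr = [wmiclass] "\\.\root\default:SystemRestore"
$result = $sr.CreateRestorePoint($description, 0, 100)
if ($result.ReturnValue -ne 0) {
    throw "CreateRestorePoint failed with code $($result.ReturnValue)"
}

# Enumerate the restore points that exist now, oldest first. Cleanmgr's
# "Clean Up" (More Options tab) removes everything except the newest one,
# so this is the list of what will be thrown away, plus the point just created.
$points = Get-WmiObject -Namespace root\default -Class SystemRestore |
    Sort-Object SequenceNumber
foreach ($p in $points) {
    # CreationTime is a WMI DATETIME string; convert it to a .NET DateTime.
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($p.CreationTime)
    "{0,4}  {1:yyyy-MM-dd HH:mm}  {2}" -f $p.SequenceNumber, $when, $p.Description
}

# Show the System Restore configuration: DiskPercent is the share of the volume the
# restore store may use, RPLifeInterval (seconds) is how long a point is kept.
$cfg = Get-WmiObject -Namespace root\default -Class SystemRestoreConfig
"Restore store limit: {0}% of disk, point lifetime {1} days" -f `
    $cfg.DiskPercent, ($cfg.RPLifeInterval / 86400)
```

The script only creates and lists; it deletes nothing. Removing the older points (where a quarantined infection may still be cached) is still the Cleanmgr step described above, so run the script, confirm the new point appears with the highest sequence number, and then do the "Clean Up" in Cleanmgr.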
 