Google searches redirect through clickfraud.com to advertising sites...

This is a discussion on Google searches redirect through clickfraud.com to advertising sites... within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 03-04-2010, 04:59 PM   #1
mavensophie, Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



Google search redirects through clickfraud.com to advertising sites.

I live on Google search, so it's been very tough for me. I am an internet marketer.

Here is my log file:


DDS (Ver_09-12-01.01) - NTFSx86
Run by laci at 12:03:36.89 on Thu 03/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3134.1773 [GMT -5:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\Ipen.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mstart.exe
C:\Program Files\Chaos Software\Chaos 6\alarm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mlauncher.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\laci\Desktop\___software\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://sunlitwater.wordpress.com/2007/02/27/the-little-things/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: CmjBrowserHelperObject Object: {ac41d38f-b56d-40ad-94e0-b493d130c959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: XBTBPos00 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\my.freeze.com toolbar\freeze_sa_us.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: FingerSystem IE Memo: {8d13872e-6174-49c1-b8d2-793f90ccafac} - c:\program files\finger system inc\fingersystem ipen driver\FGIeMemo.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Web Accessibility Toolbar: {11352a67-0178-46b1-8855-d50b2f81c054} - c:\progra~1\access~1\ACCESS~1.DLL
TB: My.Freeze.com Toolbar: {d0523bb4-21e7-11dd-9ab7-415b56d89593} - c:\program files\my.freeze.com toolbar\freeze_sa_us.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Creative WebCam Tray] "c:\program files\creative\shared files\CamTray.exe"
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\452\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [alarm.exe] "c:\program files\chaos software\chaos 6\alarm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OpAgent] "OpAgent.exe" /agent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\\RegistryController.exe"
mRun: [pdfSaver3]
mRun: [ReadPlease2003] c:\program files\readplease 2003\ReadPleasePlus2003.exe
mRun: [j2 4.2] "c:\program files\j2 messenger 4.2\J2GDllCmd.exe" /R
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [Simpleology 1.0] c:\program files\simpleology\simpleology wimiki\simpleology Wimiki.exe
mRun: [ScanSoft OmniPage 16-reminder] "c:\program files\scansoft\omnipage16\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage 16\ereg\Ereg.ini"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [IpenMOUSE] c:\windows\system32\Ipen.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\laci\startm~1\programs\startup\pcpits~1.lnk - c:\program files\pcpitstop\optimize3\Optimize3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 7\SnagIt32.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {024516FC-2E86-4731-93C6-E6DA04DE62F3} - c:\documents and settings\laci\local settings\application data\difolders software\blogjet\blogthis.js
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.33.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/PCPitStop.CAB
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-94171777763b68e5.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laci\applic~1\mozilla\firefox\profiles\dqzwr47w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2144081&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://outcall.net/toplist/auto10/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff36\gears.dll
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\RadioWMPCore.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NpIpx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ccdb;ccdb;c:\windows\system32\ccdb.sys [2010-2-23 74752]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2006-1-13 15872]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2009-10-7 472280]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-10-4 90352]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-10-7 185640]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-10-12 120472]
S2 adafaabdfabd;79d45979ff44d54775ae9743aff119a9sa;c:\windows\adafaabdfabd.exe [2010-1-29 225312]
S2 efebfcaefb;79d45979ff44d54775ae9743aff119a9;c:\windows\efebfcaefb.exe /s --> c:\windows\efebfcaefb.exe [?]
S2 gupdate1c9694dee7947f6;Google Update Service (gupdate1c9694dee7947f6);c:\program files\google\update\GoogleUpdate.exe [2008-12-28 133104]
S3 Ipenuf;FingerSystem i-Pen USB Mouse;c:\windows\system32\drivers\Ipenuf.sys [2009-7-24 10048]

=============== Created Last 30 ================

2010-03-04 16:30:23 90112 ----a-w- c:\windows\system32\ccrpTmr6.dll
2010-03-04 16:30:21 0 d-----w- c:\program files\Cool Timer
2010-03-02 1642 0 d-----w- c:\program files\GoldWave
2010-02-28 01:44:20 0 d-----w- c:\program files\TheBestSpinner
2010-02-26 15:12:26 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-25 16:25:37 0 d-----w- c:\program files\SPExaminer
2010-02-25 16:25:21 638976 ------w- c:\windows\system32\EXCEL9.OLB
2010-02-25 16:25:21 548864 ------w- c:\windows\system32\MSWORD9.OLB
2010-02-25 16:25:21 137000 ------w- c:\windows\system32\MSMAPI32.OCX
2010-02-25 16:23:25 0 d-----w- c:\program files\Copywriting Automator
2010-02-23 17:42:44 74752 ----a-w- c:\windows\system32\ccdb.sys
2010-02-16 01:21:57 180224 ----a-w- c:\windows\system32\ijl11.dll
2010-02-16 01:21:57 1310720 ----a-w- c:\windows\system32\ChilkatUpload.dll
2010-02-12 20:57:56 0 d-----w- c:\program files\Eltima Software
2010-02-06 23:49:30 0 d-----w- c:\program files\iPod
2010-02-06 23:49:24 0 d-----w- c:\program files\iTunes
2010-02-04 2342 0 d-----w- c:\program files\tbh

==================== Find3M ====================

2010-03-04 16:42:42 95776 ----a-w- c:\windows\system32\adafaabdfabd.dll
2010-03-04 00:05:02 72080 -c--a-w- c:\documents and settings\laci\g2mdlhlpx.exe
2010-02-24 04:22:18 167 -c--a-w- c:\documents and settings\laci\udownload.dat
2010-01-29 13:13:03 225312 ----a-w- c:\windows\adafaabdfabd.exe
2010-01-27 19:10:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-21 00:57:19 68128 ----a-w- c:\windows\system32\efebfcaefb(2)(2).dll
2010-01-03 00:22:51 6429 ----a-w- c:\windows\system32\WORK.DAT
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-22 00:20:05 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2009-12-18 13:05:43 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2008-03-10 17:48:26 2939142 ----a-w- c:\program files\FLVplayr.exe
1777-09-20 09:14:18 4263 --sh--w- c:\windows\windllreg1c.sys

============= FINISH: 12:04:11.35 ===============
Attached file: Attach.zip (47.7 KB)
 
Old 03-06-2010, 09:51 AM   #2
Blade81, Security Team Analyst

Microsoft Most Valuable Professional
 
Join Date: Jun 2008
Location: Finland
Posts: 1,454
OS: Win7 64-bit, Win8.1 64-bit



Hi,

DNA
UseNeXT


The programs listed above are P2P file sharing programs. P2P downloads are nowadays one of the things most likely to bring infection into a system. My recommendation is to uninstall these (and any other P2P file sharing programs, if present).


Please visit this webpage for download links, and instructions for running ComboFix tool:

https://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New DDS log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
__________________

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.
Old 03-06-2010, 06:14 PM   #3
mavensophie, Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



This is the ComboFix log file:

ComboFix 10-03-06.03 - laci 03/06/2010 18:34:40.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3134.2395 [GMT -5:00]
Running from: c:\documents and settings\laci\Desktop\___software\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\laci\Application Data\.#
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\documents and settings\laci\Application Data\.#\[email protected]@373FE0.###
c:\documents and settings\laci\Application Data\.#\[email protected]@374010.###
c:\windows\a3kebook.ini
c:\windows\adafaabdfabd.exe
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\adafaabdfabd.dll
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\efebfcaefb(2)(2).dll
c:\windows\system32\Ijl11.dll
c:\windows\system32\images
c:\windows\system32\images\FGWinNT_ToolBar_eng.gif
c:\windows\system32\images\FGWinNT_ToolBar_kor.gif
c:\windows\system32\images\FGWinNT_Tray_eng.bmp
c:\windows\system32\images\FGWinNT_Tray_kor.gif
c:\windows\system32\images\FGWinNT_View_eng.jpg
c:\windows\system32\images\FGWinNT_View_kor.jpg
c:\windows\system32\images\RUN_ENG.JPG
c:\windows\system32\images\RUN_KOR.JPG
c:\windows\system32\images\toolbar_eng.jpg
c:\windows\system32\images\toolbar_kor.jpg
c:\windows\system32\WORK.DAT
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\wc98pp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD
-------\Legacy_adafaabdfabd
-------\Service_adafaabdfabd


((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-04 16:30 . 2010-03-04 16:30 -------- d-----w- c:\program files\Cool Timer
2010-03-02 16:06 . 2010-03-02 16:06 -------- d-----w- c:\program files\GoldWave
2010-02-28 01:44 . 2010-02-28 01:44 -------- d-----w- c:\program files\TheBestSpinner
2010-02-26 15:12 . 2010-02-26 15:12 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-25 16:25 . 2010-02-25 16:25 -------- d-----w- c:\program files\SPExaminer
2010-02-25 16:23 . 2010-02-25 16:23 -------- d-----w- c:\program files\Copywriting Automator
2010-02-23 17:42 . 2010-02-23 17:42 74752 ----a-w- c:\windows\system32\ccdb.sys
2010-02-16 01:21 . 2009-03-22 12:40 1310720 ----a-w- c:\windows\system32\ChilkatUpload.dll
2010-02-12 20:58 . 2010-02-12 20:58 -------- d-----w- c:\documents and settings\laci\Application Data\Eltima Software
2010-02-12 20:57 . 2010-02-12 20:57 -------- d-----w- c:\program files\Eltima Software
2010-02-06 23:49 . 2010-02-06 23:49 -------- d-----w- c:\program files\iPod
2010-02-06 23:49 . 2010-02-06 23:51 -------- d-----w- c:\program files\iTunes
2010-02-05 02:52 . 2010-02-05 02:52 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 23:23 . 2008-11-01 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-03-06 23:22 . 2007-09-05 20:09 -------- d-----w- c:\documents and settings\laci\Application Data\Skype
2010-03-06 23:11 . 2007-12-16 00:54 -------- d-----w- c:\program files\DNA
2010-03-06 20:29 . 2007-06-14 00:41 -------- d-----w- c:\program files\NoteTab Pro
2010-03-06 18:19 . 2009-12-02 18:15 -------- d-----w- c:\documents and settings\laci\Application Data\EditPlus 3
2010-03-06 17:55 . 2008-03-13 19:40 -------- d-----w- c:\documents and settings\laci\Application Data\skypePM
2010-03-06 05:09 . 2007-02-27 03:22 -------- d-----w- c:\program files\Google
2010-03-05 02:01 . 2007-07-11 00:56 60744 -c--a-w- c:\documents and settings\laci\g2mdlhlpx.exe
2010-03-04 20:25 . 2007-06-25 18:17 -------- d-----w- c:\program files\The Bat!
2010-03-04 16:45 . 2007-06-28 02:43 106360 ----a-w- c:\documents and settings\laci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 16:36 . 2008-03-23 02:18 -------- d-----w- c:\program files\MagicISO
2010-03-01 13:57 . 2010-01-01 13:55 -------- d-----w- c:\program files\Paint.NET
2010-02-28 19:30 . 2008-08-27 19:14 -------- d-----w- c:\program files\SENuke
2010-02-26 15:35 . 2007-12-16 00:54 -------- d-----w- c:\program files\BitTorrent
2010-02-24 04:22 . 2008-07-31 00:32 167 -c--a-w- c:\documents and settings\laci\udownload.dat
2010-02-23 17:35 . 2009-10-05 13:59 -------- d-----w- c:\documents and settings\laci\Application Data\BitTorrent
2010-02-22 20:30 . 2008-02-05 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-22 17:06 . 2007-05-02 23:20 5 -c--a-w- c:\windows\system32\system1.dat
2010-02-21 13:53 . 2009-07-11 13:55 -------- d-----w- c:\documents and settings\laci\Application Data\FileZilla
2010-02-17 16:23 . 2007-10-05 18:43 -------- d-----w- c:\documents and settings\laci\Application Data\gtk-2.0
2010-02-17 03:25 . 2009-10-09 18:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-16 15:17 . 2009-09-11 15:40 2427280 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-13 21:09 . 2007-05-05 16:19 -------- d-----w- c:\program files\CuteFTP
2010-02-06 23:49 . 2007-06-30 13:27 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 23:41 . 2007-11-06 15:47 -------- d-----w- c:\program files\QuickTime
2010-02-05 02:52 . 2007-09-05 19:52 -------- d-----w- c:\program files\Skype
2010-02-05 02:52 . 2007-09-05 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-04 23:06 . 2010-02-04 23:06 -------- d-----w- c:\program files\tbh
2010-01-29 14:49 . 2010-01-29 14:49 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\TeamViewer
2010-01-27 19:11 . 2007-02-27 03:19 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 19:10 . 2009-11-26 13:05 -------- d-----w- c:\program files\Sun
2010-01-27 19:10 . 2010-01-27 19:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-27 19:10 . 2007-02-27 03:19 -------- d-----w- c:\program files\Java
2010-01-26 02:23 . 2009-12-02 18:15 -------- d-----w- c:\program files\EditPlus 3
2010-01-25 18:20 . 2010-01-25 18:18 -------- d-----w- c:\documents and settings\laci\Application Data\Easy Duplicate Finder
2010-01-25 18:18 . 2010-01-25 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy Duplicate Finder
2010-01-25 18:18 . 2010-01-25 18:18 -------- d-----w- c:\program files\Easy Duplicate Finder
2010-01-25 16:07 . 2009-10-02 13:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-25 16:06 . 2008-11-29 13:36 -------- d-----w- c:\program files\Squeeze Page Creator Pro
2010-01-25 16:00 . 2008-10-01 15:26 -------- d-----w- c:\program files\Project Buzz
2010-01-24 22:20 . 2009-07-11 13:55 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-23 00:53 . 2010-01-23 00:53 -------- d-----w- c:\program files\iZotope
2010-01-23 00:51 . 2007-05-02 21:37 -------- d-----w- c:\program files\SONY
2010-01-22 23:54 . 2009-03-20 23:30 -------- d-----w- c:\documents and settings\laci\Application Data\Sony
2010-01-22 23:48 . 2009-03-20 23:12 -------- d-----w- c:\program files\Sony Setup
2010-01-21 02:16 . 2010-01-21 02:16 -------- d-----w- c:\program files\Nuance
2010-01-21 02:16 . 2010-01-21 02:16 -------- d-----w- c:\documents and settings\laci\Application Data\PCPitstop
2010-01-21 02:15 . 2009-11-01 00:37 -------- d-----w- c:\program files\My.Freeze.com Toolbar
2010-01-20 05:55 . 2007-05-02 23:18 -------- d-----w- c:\program files\easetech
2010-01-20 03:29 . 2007-04-19 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-01-20 03:26 . 2007-08-14 14:11 -------- d-----w- c:\program files\TechSmith
2010-01-05 10:00 . 2004-08-04 08:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-07-04 18:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 08:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 00:20 . 2010-01-18 00:45 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-04 08:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 08:00 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-03-10 17:48 . 2009-07-06 00:45 2939142 ----a-w- c:\program files\FLVplayr.exe
2000-06-05 21:47 . 2008-10-13 01:33 32768 ----a-w- c:\program files\mozilla firefox\plugins\AppSub32.dll
1777-09-20 09:14 . 1777-09-20 09:14 4263 --sh--w- c:\windows\windllreg1c.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "c:\program files\My.Freeze.com Toolbar\freeze_sa_us.dll" [2009-10-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "c:\program files\My.Freeze.com Toolbar\freeze_sa_us.dll" [2009-10-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-24 68856]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\452\g2mstart.exe" [2010-02-14 39816]
"alarm.exe"="c:\program files\Chaos Software\Chaos 6\alarm.exe" [2005-04-04 251392]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-09 160592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\\RegistryController.exe" [2006-08-22 40960]
"ReadPlease2003"="c:\program files\ReadPlease 2003\ReadPleasePlus2003.exe" [2002-09-23 1814016]
"j2 4.2"="c:\program files\j2 Messenger 4.2\J2GDllCmd.exe" [2006-07-14 107008]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 328992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"IpenMOUSE"="c:\windows\system32\Ipen.exe" [2003-05-19 40960]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-04 198160]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]

c:\documents and settings\laci\Start Menu\Programs\Startup\
PC Pitstop Optimize3.lnk - c:\program files\PCPitstop\Optimize3\Optimize3.exe [2009-10-20 206048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-8 113664]
SnagIt 7.lnk - c:\program files\TechSmith\SnagIt 7\SnagIt32.exe [2005-10-14 3719168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CuteFTP\\CUTFTP32.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\PHPRunner4.0\\PHPRunner.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\laci\\Application Data\\Thinstall\\Adobe Photoshop CS3\\4000005700003h\\mDNSResponder.exe"=
"c:\\Program Files\\PhraseExpress\\phraseexpress.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\totalcmdnew\\TOTALCMD.EXE"=
"c:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9284:TCP"= 9284:TCP:BitComet 9284 TCP
"9284:UDP"= 9284:UDP:BitComet 9284 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 ccdb;ccdb;c:\windows\system32\ccdb.sys [2/23/2010 12:42 PM 74752]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [1/13/2006 8:00 AM 15872]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/7/2009 9:16 AM 472280]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/4/2009 1:07 PM 90352]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [10/7/2009 7:50 AM 185640]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [1/12/2010 9:57 AM 185640]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [10/12/2009 8:02 AM 120472]
S2 efebfcaefb;79d45979ff44d54775ae9743aff119a9;c:\windows\efebfcaefb.exe /s --> c:\windows\efebfcaefb.exe [?]
S2 gupdate1c9694dee7947f6;Google Update Service (gupdate1c9694dee7947f6);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2008 7:39 PM 133104]
S3 Ipenuf;FingerSystem i-Pen USB Mouse;c:\windows\system32\drivers\Ipenuf.sys [7/24/2009 4:20 PM 10048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-29 00:39]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-29 00:39]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://sunlitwater.wordpress.com/2007/02/27/the-little-things/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{024516FC-2E86-4731-93C6-E6DA04DE62F3} - c:\documents and settings\laci\Local Settings\Application Data\DiFolders Software\BlogJet\blogthis.js
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
FF - ProfilePath - c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2144081&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://outcall.net/toplist/auto10/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff36\gears.dll
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\RadioWMPCore.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Creative WebCam Tray - c:\program files\Creative\Shared Files\CamTray.exe
HKCU-Run-OpAgent - OpAgent.exe
HKLM-Run-pdfSaver3 - (no file)
HKLM-Run-Simpleology 1.0 - c:\program files\Simpleology\simpleology Wimiki\simpleology Wimiki.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-03-06 18:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2740)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Citrix\GoToMeeting\452\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\452\g2mlauncher.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\TechSmith\SnagIt 7\TSCHelp.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-03-06 18:58:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 23:57

Pre-Run: 3,760,967,680 bytes free
Post-Run: 3,602,059,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8D164F7817DCE55586387CAE41C02DCD


This is the dds.txt.


DDS (Ver_09-12-01.01) - NTFSx86
Run by laci at 21:09:20.48 on Sat 03/06/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3134.2501 [GMT -5:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\Ipen.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mstart.exe
C:\Program Files\Chaos Software\Chaos 6\alarm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mcomm.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\laci\Desktop\___software\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://sunlitwater.wordpress.com/2007/02/27/the-little-things/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: CmjBrowserHelperObject Object: {ac41d38f-b56d-40ad-94e0-b493d130c959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: XBTBPos00 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\my.freeze.com toolbar\freeze_sa_us.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: FingerSystem IE Memo: {8d13872e-6174-49c1-b8d2-793f90ccafac} - c:\program files\finger system inc\fingersystem ipen driver\FGIeMemo.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Web Accessibility Toolbar: {11352a67-0178-46b1-8855-d50b2f81c054} - c:\progra~1\access~1\ACCESS~1.DLL
TB: My.Freeze.com Toolbar: {d0523bb4-21e7-11dd-9ab7-415b56d89593} - c:\program files\my.freeze.com toolbar\freeze_sa_us.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\452\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [alarm.exe] "c:\program files\chaos software\chaos 6\alarm.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\\RegistryController.exe"
mRun: [ReadPlease2003] c:\program files\readplease 2003\ReadPleasePlus2003.exe
mRun: [j2 4.2] "c:\program files\j2 messenger 4.2\J2GDllCmd.exe" /R
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [ScanSoft OmniPage 16-reminder] "c:\program files\scansoft\omnipage16\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage 16\ereg\Ereg.ini"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [IpenMOUSE] c:\windows\system32\Ipen.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\laci\startm~1\programs\startup\pcpits~1.lnk - c:\program files\pcpitstop\optimize3\Optimize3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 7\SnagIt32.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {024516FC-2E86-4731-93C6-E6DA04DE62F3} - c:\documents and settings\laci\local settings\application data\difolders software\blogjet\blogthis.js
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/PCPitStop.CAB
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-94171777763b68e5.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laci\applic~1\mozilla\firefox\profiles\dqzwr47w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2144081&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://outcall.net/toplist/auto10/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff36\gears.dll
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\RadioWMPCore.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ccdb;ccdb;c:\windows\system32\ccdb.sys [2010-2-23 74752]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2006-1-13 15872]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2009-10-7 472280]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-10-4 90352]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-10-7 185640]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-10-12 120472]
S2 efebfcaefb;79d45979ff44d54775ae9743aff119a9;c:\windows\efebfcaefb.exe /s --> c:\windows\efebfcaefb.exe [?]
S2 gupdate1c9694dee7947f6;Google Update Service (gupdate1c9694dee7947f6);c:\program files\google\update\GoogleUpdate.exe [2008-12-28 133104]
S3 Ipenuf;FingerSystem i-Pen USB Mouse;c:\windows\system32\drivers\Ipenuf.sys [2009-7-24 10048]

=============== Created Last 30 ================

2010-03-06 23:26:47 0 d-sha-r- C:\cmdcons
2010-03-06 23:25:55 98816 ----a-w- c:\windows\sed.exe
2010-03-06 23:25:55 77312 ----a-w- c:\windows\MBR.exe
2010-03-06 23:25:55 261632 ----a-w- c:\windows\PEV.exe
2010-03-06 23:25:55 161792 ----a-w- c:\windows\SWREG.exe
2010-03-04 16:30:21 0 d-----w- c:\program files\Cool Timer
2010-03-02 1642 0 d-----w- c:\program files\GoldWave
2010-02-28 01:44:20 0 d-----w- c:\program files\TheBestSpinner
2010-02-26 15:12:26 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-25 16:25:37 0 d-----w- c:\program files\SPExaminer
2010-02-25 16:25:21 638976 ------w- c:\windows\system32\EXCEL9.OLB
2010-02-25 16:25:21 548864 ------w- c:\windows\system32\MSWORD9.OLB
2010-02-25 16:25:21 137000 ------w- c:\windows\system32\MSMAPI32.OCX
2010-02-25 16:23:25 0 d-----w- c:\program files\Copywriting Automator
2010-02-23 17:42:44 74752 ----a-w- c:\windows\system32\ccdb.sys
2010-02-16 01:21:57 1310720 ----a-w- c:\windows\system32\ChilkatUpload.dll
2010-02-12 20:57:56 0 d-----w- c:\program files\Eltima Software
2010-02-06 23:49:30 0 d-----w- c:\program files\iPod
2010-02-06 23:49:24 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-03-05 02:01:32 60744 -c--a-w- c:\documents and settings\laci\g2mdlhlpx.exe
2010-02-24 04:22:18 167 -c--a-w- c:\documents and settings\laci\udownload.dat
2010-01-27 19:10:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-22 00:20:05 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2009-12-18 13:05:43 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2008-03-10 17:48:26 2939142 ----a-w- c:\program files\FLVplayr.exe
1777-09-20 09:14:18 4263 --sh--w- c:\windows\windllreg1c.sys

============= FINISH: 21:09:31.84 ===============

I guess you don't need the attach.txt file... correct?

I have uninstalled those two applications you asked me to: I didn't even know I had them... hm.

Thank you.
Old 03-07-2010, 02:40 AM   #4
Security Team
Analyst
 

Microsoft Most Valuable Professional
 
Join Date: Jun 2008
Location: Finland
Posts: 1,454
OS: Win7 64-bit, Win8.1 64-bit



Hi and thanks for the logs.

Upload c:\windows\system32\ccdb.sys and c:\windows\system32\system1.dat files to https://www.virustotal.com and post back the results.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Driver::
efebfcaefb
File::
c:\windows\efebfcaefb.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.



Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.


Uninstall this old Java:
J2SE Runtime Environment 5.0


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix log.
__________________

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.
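The checks the helper applied by eye to the DDS log above (the hex-named efebfcaefb service with a missing binary, ccdb.sys sitting in system32 root, the 1777-dated hidden file) written out as detection code. This is an added example for this thread, not a tool of the helper, of sUBs or of ComboFix/DDS; the sample lines are copied from the posted log, and the thresholds (8 hex characters, year 1980) are assumptions.

```python
"""Triage of DDS "Services / Drivers" and "Find3M" log lines.

Added example for this thread, not a tool of the helper, of sUBs or of
ComboFix/DDS. It writes out as code the checks a helper applies by eye when
deciding which entries go to VirusTotal or into a CFScript: random hex-only
service names, a binary DDS could not stat ("[?]"), an .exe dropped straight
into c:\\windows, a driver sitting in system32 instead of system32\\drivers,
and a hidden system file with an impossible timestamp. Thresholds are assumptions.
"""
import re

# Service line, e.g. "R1 ccdb;ccdb;c:\windows\system32\ccdb.sys [2010-2-23 74752]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$"
)
# Find3M / Created-Last-30 line, e.g. "2010-03-05 02:01:32 60744 -c--a-w- c:\...\g2mdlhlpx.exe"
FIND3M_RE = re.compile(
    r"^(?P<year>\d{4})-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
HEX_ONLY_RE = re.compile(r"^[0-9a-f]{8,}$")  # assumption: 8+ hex chars = random name
SYS32_DRIVER_RE = re.compile(r"c:\\windows\\system32\\[^\\]+\.sys\b", re.I)
WINDIR_EXE_RE = re.compile(r"c:\\windows\\[^\\]+\.exe\b", re.I)
MIN_PLAUSIBLE_YEAR = 1980  # assumption: nothing on an XP box predates the FAT epoch


def triage_service(line):
    """Reasons a Services/Drivers line deserves a closer look ([] if none)."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return []
    name, display, rest = m.group("name"), m.group("display"), m.group("rest")
    reasons = []
    if HEX_ONLY_RE.match(name.lower()):
        reasons.append("service name is a random hex string")
    if HEX_ONLY_RE.match(display.lower()):
        reasons.append("display name is a random hex string")
    if rest.rstrip().endswith("[?]"):
        reasons.append("binary could not be stat'ed by DDS ([?])")
    if WINDIR_EXE_RE.search(rest):
        reasons.append("executable dropped directly into c:\\windows")
    if SYS32_DRIVER_RE.search(rest):
        reasons.append("driver (.sys) loaded from system32 root, not system32\\drivers")
    return reasons


def triage_find3m(line):
    """Reasons a Find3M / Created-Last-30 line deserves a closer look ([] if none)."""
    m = FIND3M_RE.match(line.strip())
    if not m:
        return []
    year, attrs = int(m.group("year")), m.group("attrs")
    reasons = []
    if year < MIN_PLAUSIBLE_YEAR:
        reasons.append(f"impossible file timestamp (year {year})")
    # attribute field: first char 'd' marks a directory; 's'/'h' are system/hidden
    if attrs[0] != "d" and "s" in attrs and "h" in attrs:
        reasons.append("hidden+system attributes on a plain file")
    return reasons


def triage_log(text):
    """Map every flagged line of a DDS log to the list of reasons it was flagged."""
    findings = {}
    for raw in text.splitlines():
        reasons = triage_service(raw) or triage_find3m(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


# Sample input: lines copied from the DDS log posted earlier in this thread.
SAMPLE = r"""
R1 ccdb;ccdb;c:\windows\system32\ccdb.sys [2010-2-23 74752]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2006-1-13 15872]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2009-10-7 472280]
S2 efebfcaefb;79d45979ff44d54775ae9743aff119a9;c:\windows\efebfcaefb.exe /s --> c:\windows\efebfcaefb.exe [?]
S3 Ipenuf;FingerSystem i-Pen USB Mouse;c:\windows\system32\drivers\Ipenuf.sys [2009-7-24 10048]
2010-03-06 23:26:47 0 d-sha-r- C:\cmdcons
2010-03-05 02:01:32 60744 -c--a-w- c:\documents and settings\laci\g2mdlhlpx.exe
1777-09-20 09:14:18 4263 --sh--w- c:\windows\windllreg1c.sys
"""

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Flagged entries are candidates for a VirusTotal upload or a CFScript Driver::/File:: line, as in the helper's reply above; the unflagged ESET, VD_FileDisk and i-Pen entries pass every heuristic.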
Old 03-07-2010, 07:28 PM   #5
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



ccdb.sys:

0 bytes size received / Se ha recibido un archivo vacio

system1.dat:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.07 -
AhnLab-V3 5.0.0.2 2010.03.07 -
AntiVir 8.2.1.180 2010.03.05 -
Antiy-AVL 2.0.3.7 2010.03.05 -
Authentium 5.2.0.5 2010.03.06 -
Avast 4.8.1351.0 2010.03.07 -
Avast5 5.0.332.0 2010.03.07 -
AVG 9.0.0.787 2010.03.07 -
BitDefender 7.2 2010.03.07 -
CAT-QuickHeal 10.00 2010.03.06 -
ClamAV 0.96.0.0-git 2010.03.06 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.03.07 -
eSafe 7.0.17.0 2010.03.04 -
eTrust-Vet 35.2.7342 2010.03.05 -
F-Prot 4.5.1.85 2010.03.06 -
F-Secure 9.0.15370.0 2010.03.07 -
Fortinet 4.0.14.0 2010.03.07 -
GData 19 2010.03.07 -
Ikarus T3.1.1.80.0 2010.03.07 -
Jiangmin 13.0.900 2010.03.07 -
K7AntiVirus 7.10.990 2010.03.04 -
Kaspersky 7.0.0.125 2010.03.07 -
McAfee 5912 2010.03.06 -
McAfee+Artemis 5912 2010.03.06 -
McAfee-GW-Edition 6.8.5 2010.03.07 -
Microsoft 1.5502 2010.03.07 -
NOD32 4922 2010.03.07 -
Norman 6.04.08 2010.03.07 -
nProtect 2009.1.8.0 2010.03.07 -
Panda 10.0.2.2 2010.03.07 -
PCTools 7.0.3.5 2010.03.04 -
Prevx 3.0 2010.03.08 -
Rising 22.37.06.04 2010.03.07 -
Sophos 4.51.0 2010.03.07 -
Sunbelt 5780 2010.03.07 -
Symantec 20091.2.0.41 2010.03.07 -
TheHacker 6.5.1.9.223 2010.03.07 -
TrendMicro 9.120.0.1004 2010.03.07 -
VBA32 3.12.12.2 2010.03.05 -
ViRobot 2010.3.5.2214 2010.03.05 -
VirusBuster 5.0.27.0 2010.03.06 -
Additional information
File size: 5 bytes
MD5...: 198b6e2379d6b0748e562b8c56ac0f12
SHA1..: c9d88789d3e2a8bea047e00b3852819019bb79b2
SHA256: 9d4fb2229db5238e2f816c41a4b977089b1a3cad03f8e17f5ba4b6dccbb1ca3a
ssdeep: 3:y:y
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Old 03-07-2010, 07:29 PM   #6
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



ComboFix 10-03-07.02 - laci 03/07/2010 20:42:19.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3134.2316 [GMT -5:00]
Running from: c:\documents and settings\laci\Desktop\___software\ComboFix.exe
Command switches used :: c:\documents and settings\laci\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FILE ::
"c:\windows\efebfcaefb.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EFEBFCAEFB
-------\Service_efebfcaefb


((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-07 02:18 . 2010-03-08 01:15 -------- d-----w- c:\documents and settings\laci\Application Data\The Bat!
2010-03-04 16:30 . 2010-03-04 16:30 -------- d-----w- c:\program files\Cool Timer
2010-03-02 16:06 . 2010-03-02 16:06 -------- d-----w- c:\program files\GoldWave
2010-02-28 01:44 . 2010-02-28 01:44 -------- d-----w- c:\program files\TheBestSpinner
2010-02-26 15:12 . 2010-02-26 15:12 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-25 16:25 . 2010-02-25 16:25 -------- d-----w- c:\program files\SPExaminer
2010-02-25 16:23 . 2010-02-25 16:23 -------- d-----w- c:\program files\Copywriting Automator
2010-02-23 17:42 . 2010-02-23 17:42 74752 ----a-w- c:\windows\system32\ccdb.sys
2010-02-16 01:21 . 2009-03-22 12:40 1310720 ----a-w- c:\windows\system32\ChilkatUpload.dll
2010-02-12 20:58 . 2010-02-12 20:58 -------- d-----w- c:\documents and settings\laci\Application Data\Eltima Software
2010-02-12 20:57 . 2010-02-12 20:57 -------- d-----w- c:\program files\Eltima Software
2010-02-06 23:49 . 2010-02-06 23:49 -------- d-----w- c:\program files\iPod
2010-02-06 23:49 . 2010-02-06 23:51 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 02:00 . 2007-09-05 20:09 -------- d-----w- c:\documents and settings\laci\Application Data\Skype
2010-03-08 01:59 . 2008-03-13 19:40 -------- d-----w- c:\documents and settings\laci\Application Data\skypePM
2010-03-08 01:56 . 2008-11-01 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-03-08 01:30 . 2007-02-27 03:19 -------- d-----w- c:\program files\Java
2010-03-08 00:35 . 2009-12-02 18:15 -------- d-----w- c:\documents and settings\laci\Application Data\EditPlus 3
2010-03-07 03:09 . 2007-06-25 18:17 -------- d-----w- c:\program files\The Bat!
2010-03-06 23:11 . 2007-12-16 00:54 -------- d-----w- c:\program files\DNA
2010-03-06 20:29 . 2007-06-14 00:41 -------- d-----w- c:\program files\NoteTab Pro
2010-03-06 05:09 . 2007-02-27 03:22 -------- d-----w- c:\program files\Google
2010-03-05 02:01 . 2007-07-11 00:56 60744 -c--a-w- c:\documents and settings\laci\g2mdlhlpx.exe
2010-03-04 16:45 . 2007-06-28 02:43 106360 ----a-w- c:\documents and settings\laci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 16:36 . 2008-03-23 02:18 -------- d-----w- c:\program files\MagicISO
2010-03-01 13:57 . 2010-01-01 13:55 -------- d-----w- c:\program files\Paint.NET
2010-02-28 19:30 . 2008-08-27 19:14 -------- d-----w- c:\program files\SENuke
2010-02-26 15:35 . 2007-12-16 00:54 -------- d-----w- c:\program files\BitTorrent
2010-02-24 04:22 . 2008-07-31 00:32 167 -c--a-w- c:\documents and settings\laci\udownload.dat
2010-02-23 17:35 . 2009-10-05 13:59 -------- d-----w- c:\documents and settings\laci\Application Data\BitTorrent
2010-02-22 20:30 . 2008-02-05 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-22 17:06 . 2007-05-02 23:20 5 -c--a-w- c:\windows\system32\system1.dat
2010-02-21 13:53 . 2009-07-11 13:55 -------- d-----w- c:\documents and settings\laci\Application Data\FileZilla
2010-02-17 16:23 . 2007-10-05 18:43 -------- d-----w- c:\documents and settings\laci\Application Data\gtk-2.0
2010-02-17 03:25 . 2009-10-09 18:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-16 15:17 . 2009-09-11 15:40 2427280 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-13 21:09 . 2007-05-05 16:19 -------- d-----w- c:\program files\CuteFTP
2010-02-06 23:49 . 2007-06-30 13:27 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 23:41 . 2007-11-06 15:47 -------- d-----w- c:\program files\QuickTime
2010-02-05 02:52 . 2010-02-05 02:52 -------- d-----w- c:\program files\Common Files\Skype
2010-02-05 02:52 . 2007-09-05 19:52 -------- d-----w- c:\program files\Skype
2010-02-05 02:52 . 2007-09-05 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-04 23:06 . 2010-02-04 23:06 -------- d-----w- c:\program files\tbh
2010-01-27 19:10 . 2009-11-26 13:05 -------- d-----w- c:\program files\Sun
2010-01-27 19:10 . 2010-01-27 19:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-26 02:23 . 2009-12-02 18:15 -------- d-----w- c:\program files\EditPlus 3
2010-01-25 18:20 . 2010-01-25 18:18 -------- d-----w- c:\documents and settings\laci\Application Data\Easy Duplicate Finder
2010-01-25 18:18 . 2010-01-25 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy Duplicate Finder
2010-01-25 18:18 . 2010-01-25 18:18 -------- d-----w- c:\program files\Easy Duplicate Finder
2010-01-25 16:07 . 2009-10-02 13:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-25 16:06 . 2008-11-29 13:36 -------- d-----w- c:\program files\Squeeze Page Creator Pro
2010-01-25 16:00 . 2008-10-01 15:26 -------- d-----w- c:\program files\Project Buzz
2010-01-24 22:20 . 2009-07-11 13:55 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-23 00:53 . 2010-01-23 00:53 -------- d-----w- c:\program files\iZotope
2010-01-23 00:51 . 2007-05-02 21:37 -------- d-----w- c:\program files\SONY
2010-01-22 23:54 . 2009-03-20 23:30 -------- d-----w- c:\documents and settings\laci\Application Data\Sony
2010-01-22 23:48 . 2009-03-20 23:12 -------- d-----w- c:\program files\Sony Setup
2010-01-21 02:16 . 2010-01-21 02:16 -------- d-----w- c:\program files\Nuance
2010-01-21 02:16 . 2010-01-21 02:16 -------- d-----w- c:\documents and settings\laci\Application Data\PCPitstop
2010-01-21 02:15 . 2009-11-01 00:37 -------- d-----w- c:\program files\My.Freeze.com Toolbar
2010-01-20 05:55 . 2007-05-02 23:18 -------- d-----w- c:\program files\easetech
2010-01-20 03:29 . 2007-04-19 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-01-20 03:26 . 2007-08-14 14:11 -------- d-----w- c:\program files\TechSmith
2010-01-05 10:00 . 2004-08-04 08:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-07-04 18:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 08:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 00:20 . 2010-01-18 00:45 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-04 08:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 08:00 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2008-03-10 17:48 . 2009-07-06 00:45 2939142 ----a-w- c:\program files\FLVplayr.exe
2000-06-05 21:47 . 2008-10-13 01:33 32768 ----a-w- c:\program files\mozilla firefox\plugins\AppSub32.dll
1777-09-20 09:14 . 1777-09-20 09:14 4263 --sh--w- c:\windows\windllreg1c.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "c:\program files\My.Freeze.com Toolbar\freeze_sa_us.dll" [2009-10-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "c:\program files\My.Freeze.com Toolbar\freeze_sa_us.dll" [2009-10-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-24 68856]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\452\g2mstart.exe" [2010-02-14 39816]
"alarm.exe"="c:\program files\Chaos Software\Chaos 6\alarm.exe" [2005-04-04 251392]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-09 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\\RegistryController.exe" [2006-08-22 40960]
"ReadPlease2003"="c:\program files\ReadPlease 2003\ReadPleasePlus2003.exe" [2002-09-23 1814016]
"j2 4.2"="c:\program files\j2 Messenger 4.2\J2GDllCmd.exe" [2006-07-14 107008]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 328992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"IpenMOUSE"="c:\windows\system32\Ipen.exe" [2003-05-19 40960]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-04 198160]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]

c:\documents and settings\laci\Start Menu\Programs\Startup\
PC Pitstop Optimize3.lnk - c:\program files\PCPitstop\Optimize3\Optimize3.exe [2009-10-20 206048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-8 113664]
SnagIt 7.lnk - c:\program files\TechSmith\SnagIt 7\SnagIt32.exe [2005-10-14 3719168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CuteFTP\\CUTFTP32.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\PHPRunner4.0\\PHPRunner.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\laci\\Application Data\\Thinstall\\Adobe Photoshop CS3\\4000005700003h\\mDNSResponder.exe"=
"c:\\Program Files\\PhraseExpress\\phraseexpress.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\totalcmdnew\\TOTALCMD.EXE"=
"c:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9284:TCP"= 9284:TCP:BitComet 9284 TCP
"9284:UDP"= 9284:UDP:BitComet 9284 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 ccdb;ccdb;c:\windows\system32\ccdb.sys [2/23/2010 12:42 PM 74752]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [1/13/2006 8:00 AM 15872]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/7/2009 9:16 AM 472280]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/4/2009 1:07 PM 90352]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [10/7/2009 7:50 AM 185640]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [1/12/2010 9:57 AM 185640]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [10/12/2009 8:02 AM 120472]
S2 gupdate1c9694dee7947f6;Google Update Service (gupdate1c9694dee7947f6);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2008 7:39 PM 133104]
S3 Ipenuf;FingerSystem i-Pen USB Mouse;c:\windows\system32\drivers\Ipenuf.sys [7/24/2009 4:20 PM 10048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-29 00:39]

2010-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-29 00:39]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://sunlitwater.wordpress.com/2007/02/27/the-little-things/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{024516FC-2E86-4731-93C6-E6DA04DE62F3} - c:\documents and settings\laci\Local Settings\Application Data\DiFolders Software\BlogJet\blogthis.js
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
FF - ProfilePath - c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2144081&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://outcall.net/toplist/auto10/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff36\gears.dll
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\RadioWMPCore.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-03-07 20:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Citrix\GoToMeeting\452\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\452\g2mlauncher.exe
c:\program files\TechSmith\SnagIt 7\TSCHelp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-07 21:12:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 02:12
ComboFix2.txt 2010-03-06 23:58

Pre-Run: 4,670,140,416 bytes free
Post-Run: 4,627,529,728 bytes free

- - End Of File - - BB853C03D283586DF808D9333E42F007
mavensophie is offline  
Old 03-08-2010, 06:58 AM   #7
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



Just an FYI: ComboFix destroys your The Bat! email installation: it did it twice; now I made a backup before I ran it.

Is it possible that some bad "bugs" are hiding in my downloaded email messages? Dormant? Active?

I'd appreciate an answer. Thank you.

Kaspersky has taken 16 hours so far and it is not done downloading...
mavensophie is offline  
Old 03-08-2010, 09:12 AM   #8
Security Team
Analyst
 

Microsoft Most Valuable Professional
 
Join Date: Jun 2008
Location: Finland
Posts: 1,454
OS: Win7 64-bit, Win8.1 64-bit



Hi,

Quote:
Just an FYI: ComboFix destroys your The Bat! email installation: it did it twice; now I made a backup before I ran it.

Is it possible that some bad "bugs" are hiding in my downloaded email messages? Dormant? Active?

I'd appreciate an answer. Thank you.
Sounds like a possible false positive. Please attach the ComboFix-quarantined-files.txt file to your post. It should be in the c:\qoobox folder.


Quote:
Kaspersky has taken 16 hours so far and it is not done downloading...
Is it still downloading the definitions, or doing the scanning?
__________________

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.
Blade81 is offline  
Old 03-08-2010, 09:33 AM   #9
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



Attached is the file of quarantined files.

With regard to Kaspersky: still downloading, at 46%. Started at 7 pm last night.
Attached Files
File Type: txt ComboFix-quarantined-files.txt (9.1 KB, 24 views)
mavensophie is offline  
Old 03-08-2010, 01:35 PM   #10
Security Team
Analyst
 

Microsoft Most Valuable Professional
 
Join Date: Jun 2008
Location: Finland
Posts: 1,454
OS: Win7 64-bit, Win8.1 64-bit



Hi,

If downloading hasn't progressed, then it's probably stuck. Could you try to re-run the Kaspersky installer, please?
Blade81 is offline  
Old 03-08-2010, 05:43 PM   #11
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



I am sorry, it looks hopeless with Kaspersky. It gets stuck and won't download the updates beyond 46%.

Is there another way to get it, FTP or something? I am on cable, the connection is fast... maybe something with Java?

And it ties up my main computer... I have a deadline... please help.
mavensophie is offline  
Old 03-08-2010, 06:52 PM   #12
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



Finally Kaspersky is scanning. Let's hope it won't stall. Thank you.
mavensophie is offline  
Old 03-09-2010, 05:44 AM   #13
Security Team
Analyst
 

Microsoft Most Valuable Professional
 
Join Date: Jun 2008
Location: Finland
Posts: 1,454
OS: Win7 64-bit, Win8.1 64-bit



Good. If it stalls again let me know and we'll try some other methods.
Blade81 is offline  
Old 03-09-2010, 08:56 PM   #14
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



It did stall, this time at scanning, at item 66... 10 times in a row.
mavensophie is offline  
Old 03-09-2010, 08:57 PM   #15
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



Oh, and one more thing: by now even in IE Google searches redirect... the little bugger is expanding its scope of influence.
mavensophie is offline  
Old 03-10-2010, 05:48 AM   #16
Security Team
Analyst
 

Microsoft Most Valuable Professional
 
Join Date: Jun 2008
Location: Finland
Posts: 1,454
OS: Win7 64-bit, Win8.1 64-bit



Hi,

Update Malwarebytes' Anti-Malware definitions and then run a quick scan with it. Let MBAM delete the found items (if any). Post back its report.

Disable your antivirus protection and run ComboFix (let it update itself). Post back the resultant log.


* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish. Post back the results and a fresh dds.txt log.
Blade81 is offline  
Old 03-10-2010, 06:30 PM   #17
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/10/2010 9:29:38 PM
mbam-log-2010-03-10 (21-29-38).txt

Scan type: Quick Scan
Objects scanned: 134608
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\HEViewer.exe (Trojan.Skillis) -> Quarantined and deleted successfully.
mavensophie is offline  
Old 03-10-2010, 06:57 PM   #18
Registered Member
 
Join Date: Aug 2009
Location: syracuse, ny
Posts: 187
OS: win7 64bit, xp (dead), 3 computers total



ComboFix 10-03-10.03 - laci 03/10/2010 21:40:21.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3134.2426 [GMT -5:00]
Running from: c:\documents and settings\laci\Desktop\___software\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2010-02-11 to 2010-03-11 )))))))))))))))))))))))))))))))
.

2010-03-10 22:39 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 02:18 . 2010-03-08 01:15 -------- d-----w- c:\documents and settings\laci\Application Data\The Bat!
2010-03-04 16:30 . 2010-03-04 16:30 -------- d-----w- c:\program files\Cool Timer
2010-03-02 16:06 . 2010-03-02 16:06 -------- d-----w- c:\program files\GoldWave
2010-03-02 13:31 . 2010-03-02 13:31 1956808 ----a-w- c:\documents and settings\laci\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-02-28 01:44 . 2010-02-28 01:44 -------- d-----w- c:\program files\TheBestSpinner
2010-02-26 15:12 . 2010-02-26 15:12 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-25 16:25 . 2010-02-25 16:25 -------- d-----w- c:\program files\SPExaminer
2010-02-25 16:23 . 2010-02-25 16:23 -------- d-----w- c:\program files\Copywriting Automator
2010-02-23 17:42 . 2010-02-23 17:42 74752 ----a-w- c:\windows\system32\ccdb.sys
2010-02-16 01:21 . 2009-03-22 12:40 1310720 ----a-w- c:\windows\system32\ChilkatUpload.dll
2010-02-12 20:58 . 2010-02-12 20:58 -------- d-----w- c:\documents and settings\laci\Application Data\Eltima Software
2010-02-12 20:57 . 2010-02-12 20:57 -------- d-----w- c:\program files\Eltima Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 02:51 . 2007-09-05 20:09 -------- d-----w- c:\documents and settings\laci\Application Data\Skype
2010-03-11 02:35 . 2008-11-01 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-03-11 02:33 . 2009-09-06 02:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 01:58 . 2009-07-11 13:55 -------- d-----w- c:\documents and settings\laci\Application Data\FileZilla
2010-03-11 01:51 . 2008-03-13 19:40 -------- d-----w- c:\documents and settings\laci\Application Data\skypePM
2010-03-10 23:29 . 2010-03-10 23:29 696832 ----a-w- c:\windows\isRS-000.tmp
2010-03-10 13:11 . 2009-12-02 18:15 -------- d-----w- c:\documents and settings\laci\Application Data\EditPlus 3
2010-03-10 04:53 . 2007-06-14 00:41 -------- d-----w- c:\program files\NoteTab Pro
2010-03-10 01:37 . 2009-07-11 13:55 -------- d-----w- c:\program files\FileZilla FTP Client
2010-03-08 19:59 . 2007-07-11 00:56 72080 -c--a-w- c:\documents and settings\laci\g2mdlhlpx.exe
2010-03-08 01:30 . 2007-02-27 03:19 -------- d-----w- c:\program files\Java
2010-03-07 03:09 . 2007-06-25 18:17 -------- d-----w- c:\program files\The Bat!
2010-03-06 23:11 . 2007-12-16 00:54 -------- d-----w- c:\program files\DNA
2010-03-06 05:09 . 2007-02-27 03:22 -------- d-----w- c:\program files\Google
2010-03-04 16:45 . 2007-06-28 02:43 106360 ----a-w- c:\documents and settings\laci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 16:36 . 2008-03-23 02:18 -------- d-----w- c:\program files\MagicISO
2010-03-01 13:57 . 2010-01-01 13:55 -------- d-----w- c:\program files\Paint.NET
2010-02-28 19:30 . 2008-08-27 19:14 -------- d-----w- c:\program files\SENuke
2010-02-26 15:35 . 2007-12-16 00:54 -------- d-----w- c:\program files\BitTorrent
2010-02-24 04:22 . 2008-07-31 00:32 167 -c--a-w- c:\documents and settings\laci\udownload.dat
2010-02-23 17:35 . 2009-10-05 13:59 -------- d-----w- c:\documents and settings\laci\Application Data\BitTorrent
2010-02-22 20:30 . 2008-02-05 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-22 17:06 . 2007-05-02 23:20 5 -c--a-w- c:\windows\system32\system1.dat
2010-02-17 16:23 . 2007-10-05 18:43 -------- d-----w- c:\documents and settings\laci\Application Data\gtk-2.0
2010-02-17 03:25 . 2009-10-09 18:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-16 15:17 . 2009-09-11 15:40 2427280 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-13 21:09 . 2007-05-05 16:19 -------- d-----w- c:\program files\CuteFTP
2010-02-06 23:51 . 2010-02-06 23:49 -------- d-----w- c:\program files\iTunes
2010-02-06 23:49 . 2010-02-06 23:49 -------- d-----w- c:\program files\iPod
2010-02-06 23:49 . 2007-06-30 13:27 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 23:41 . 2007-11-06 15:47 -------- d-----w- c:\program files\QuickTime
2010-02-06 23:35 . 2010-02-06 23:35 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-05 02:52 . 2010-02-05 02:52 -------- d-----w- c:\program files\Common Files\Skype
2010-02-05 02:52 . 2007-09-05 19:52 -------- d-----w- c:\program files\Skype
2010-02-05 02:52 . 2007-09-05 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-04 23:06 . 2010-02-04 23:06 -------- d-----w- c:\program files\tbh
2010-01-29 16:07 . 2010-02-05 21:58 2033152 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff36\gears.dll
2010-01-29 16:07 . 2010-02-05 21:58 2032128 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff35\gears.dll
2010-01-29 16:07 . 2010-02-05 21:58 2032128 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff30\gears.dll
2010-01-29 16:07 . 2010-02-05 21:58 2033152 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff2\gears.dll
2010-01-29 14:49 . 2010-01-29 14:49 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\TeamViewer
2010-01-27 19:10 . 2009-11-26 13:05 -------- d-----w- c:\program files\Sun
2010-01-27 19:10 . 2010-01-27 19:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-26 02:23 . 2009-12-02 18:15 -------- d-----w- c:\program files\EditPlus 3
2010-01-25 18:20 . 2010-01-25 18:18 -------- d-----w- c:\documents and settings\laci\Application Data\Easy Duplicate Finder
2010-01-25 18:18 . 2010-01-25 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy Duplicate Finder
2010-01-25 18:18 . 2010-01-25 18:18 -------- d-----w- c:\program files\Easy Duplicate Finder
2010-01-25 16:07 . 2009-10-02 13:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-25 16:07 . 2010-01-29 13:13 38784 ----a-w- c:\documents and settings\343f5\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airapp...pinstaller.exe
2010-01-25 16:07 . 2009-10-02 13:16 38784 ----a-w- c:\documents and settings\laci\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airapp...pinstaller.exe
2010-01-25 16:06 . 2008-11-29 13:36 -------- d-----w- c:\program files\Squeeze Page Creator Pro
2010-01-25 16:00 . 2008-10-01 15:26 -------- d-----w- c:\program files\Project Buzz
2010-01-23 00:53 . 2010-01-23 00:53 -------- d-----w- c:\program files\iZotope
2010-01-23 00:51 . 2007-05-02 21:37 -------- d-----w- c:\program files\SONY
2010-01-22 23:54 . 2009-03-20 23:30 -------- d-----w- c:\documents and settings\laci\Application Data\Sony
2010-01-22 23:48 . 2009-03-20 23:12 -------- d-----w- c:\program files\Sony Setup
2010-01-21 22:24 . 2010-01-26 21:20 52224 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
2010-01-21 22:24 . 2010-01-26 21:20 101376 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\RadioWMPCore.dll
2010-01-21 15:57 . 2009-10-31 12:25 71152 ----a-r- c:\documents and settings\laci\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut21_C207166A39DE4B35B3CE8F35C423973B.exe
2010-01-21 15:57 . 2009-10-31 12:25 71152 ----a-r- c:\documents and settings\laci\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut2_8D2B9DEE2E7249CEB360F463F3370804.exe
2010-01-21 15:57 . 2009-10-31 12:25 71152 ----a-r- c:\documents and settings\laci\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut11_9D70A61FD7214BC585565549793FFA8A.exe
2010-01-21 15:57 . 2009-10-31 12:25 71152 ----a-r- c:\documents and settings\laci\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\NewShortcut1_9F88E99FAF234356849120C5725C6B5F.exe
2010-01-21 15:57 . 2009-10-31 12:25 58864 ----a-r- c:\documents and settings\laci\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\ARPPRODUCTICON.exe
2010-01-21 15:57 . 2009-10-31 12:25 54768 ----a-r- c:\documents and settings\laci\Application Data\Microsoft\Installer\{1F2DF2C6-08F7-40BD-8E85-D16CB436E7F0}\UNINST_Uninstall_F_CF49ABBD814F419BA60B0CCC15F0A1F0.exe
2010-01-21 02:16 . 2010-01-21 02:16 -------- d-----w- c:\program files\Nuance
2010-01-21 02:16 . 2010-01-21 02:16 -------- d-----w- c:\documents and settings\laci\Application Data\PCPitstop
2010-01-21 02:15 . 2009-11-01 00:37 -------- d-----w- c:\program files\My.Freeze.com Toolbar
2010-01-20 05:55 . 2007-05-02 23:18 -------- d-----w- c:\program files\easetech
2010-01-20 03:29 . 2007-04-19 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-01-20 03:26 . 2007-08-14 14:11 -------- d-----w- c:\program files\TechSmith
2010-01-07 21:07 . 2009-09-06 02:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-09-06 02:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 08:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-07-04 18:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 08:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 00:20 . 2010-01-18 00:45 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2009-12-17 21:37 . 2009-12-31 22:24 31936 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-17 21:37 . 2009-12-31 22:24 29344 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-12-16 19:42 . 2009-12-26 13:56 872960 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 19:42 . 2009-12-26 13:56 43008 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 19:42 . 2009-12-26 13:56 340480 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 19:41 . 2009-12-26 13:56 346624 ----a-w- c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2008-03-10 17:48 . 2009-07-06 00:45 2939142 ----a-w- c:\program files\FLVplayr.exe
2000-06-05 21:47 . 2008-10-13 01:33 32768 ----a-w- c:\program files\mozilla firefox\plugins\AppSub32.dll
1777-09-20 09:14 . 1777-09-20 09:14 4263 --sh--w- c:\windows\windllreg1c.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "c:\program files\My.Freeze.com Toolbar\freeze_sa_us.dll" [2009-10-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "c:\program files\My.Freeze.com Toolbar\freeze_sa_us.dll" [2009-10-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-24 68856]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\452\g2mstart.exe" [2010-02-14 39816]
"alarm.exe"="c:\program files\Chaos Software\Chaos 6\alarm.exe" [2005-04-04 251392]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-01-09 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\\RegistryController.exe" [2006-08-22 40960]
"ReadPlease2003"="c:\program files\ReadPlease 2003\ReadPleasePlus2003.exe" [2002-09-23 1814016]
"j2 4.2"="c:\program files\j2 Messenger 4.2\J2GDllCmd.exe" [2006-07-14 107008]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 328992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"IpenMOUSE"="c:\windows\system32\Ipen.exe" [2003-05-19 40960]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-04 198160]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]

c:\documents and settings\laci\Start Menu\Programs\Startup\
PC Pitstop Optimize3.lnk - c:\program files\PCPitstop\Optimize3\Optimize3.exe [2009-10-20 206048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-8 113664]
SnagIt 7.lnk - c:\program files\TechSmith\SnagIt 7\SnagIt32.exe [2005-10-14 3719168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CuteFTP\\CUTFTP32.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\PHPRunner4.0\\PHPRunner.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\laci\\Application Data\\Thinstall\\Adobe Photoshop CS3\\4000005700003h\\mDNSResponder.exe"=
"c:\\Program Files\\PhraseExpress\\phraseexpress.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\totalcmdnew\\TOTALCMD.EXE"=
"c:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9284:TCP"= 9284:TCP:BitComet 9284 TCP
"9284:UDP"= 9284:UDP:BitComet 9284 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 ccdb;ccdb;c:\windows\system32\ccdb.sys [2/23/2010 12:42 PM 74752]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [1/13/2006 8:00 AM 15872]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/7/2009 9:16 AM 472280]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/4/2009 1:07 PM 90352]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [10/7/2009 7:50 AM 185640]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [1/12/2010 9:57 AM 185640]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [10/12/2009 8:02 AM 120472]
S2 gupdate1c9694dee7947f6;Google Update Service (gupdate1c9694dee7947f6);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2008 7:39 PM 133104]
S3 Ipenuf;FingerSystem i-Pen USB Mouse;c:\windows\system32\drivers\Ipenuf.sys [7/24/2009 4:20 PM 10048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-29 00:39]

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-29 00:39]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://sunlitwater.wordpress.com/2007/02/27/the-little-things/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{024516FC-2E86-4731-93C6-E6DA04DE62F3} - c:\documents and settings\laci\Local Settings\Application Data\DiFolders Software\BlogJet\blogthis.js
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
FF - ProfilePath - c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2144081&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://outcall.net/toplist/auto10/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff36\gears.dll
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\RadioWMPCore.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\laci\Application Data\Mozilla\Firefox\Profiles\dqzwr47w.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-03-10 21:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-10 21:54:08
ComboFix-quarantined-files.txt 2010-03-11 02:53
ComboFix2.txt 2010-03-08 02:12
ComboFix3.txt 2010-03-06 23:58

Pre-Run: 3,481,219,072 bytes free
Post-Run: 3,432,464,384 bytes free

- - End Of File - - ECE6C306F7E5E5C2F3A3D9AA3704F0E1
mavensophie is offline  
Old 03-11-2010, 05:37 AM   #19

Ran ESET online, found nothing.

Here is dds.txt


DDS (Ver_09-12-01.01) - NTFSx86
Run by laci at 8:13:06.12 on Thu 03/11/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3134.2521 [GMT -5:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\Ipen.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroDist.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mstart.exe
C:\Program Files\Chaos Software\Chaos 6\alarm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mcomm.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Documents and Settings\laci\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://sunlitwater.wordpress.com/2007/02/27/the-little-things/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: CmjBrowserHelperObject Object: {ac41d38f-b56d-40ad-94e0-b493d130c959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: XBTBPos00 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\my.freeze.com toolbar\freeze_sa_us.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: FingerSystem IE Memo: {8d13872e-6174-49c1-b8d2-793f90ccafac} - c:\program files\finger system inc\fingersystem ipen driver\FGIeMemo.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Web Accessibility Toolbar: {11352a67-0178-46b1-8855-d50b2f81c054} - c:\progra~1\access~1\ACCESS~1.DLL
TB: My.Freeze.com Toolbar: {d0523bb4-21e7-11dd-9ab7-415b56d89593} - c:\program files\my.freeze.com toolbar\freeze_sa_us.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\452\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [alarm.exe] "c:\program files\chaos software\chaos 6\alarm.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\\RegistryController.exe"
mRun: [ReadPlease2003] c:\program files\readplease 2003\ReadPleasePlus2003.exe
mRun: [j2 4.2] "c:\program files\j2 messenger 4.2\J2GDllCmd.exe" /R
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [ScanSoft OmniPage 16-reminder] "c:\program files\scansoft\omnipage16\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage 16\ereg\Ereg.ini"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [IpenMOUSE] c:\windows\system32\Ipen.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\laci\startm~1\programs\startup\pcpits~1.lnk - c:\program files\pcpitstop\optimize3\Optimize3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 7\SnagIt32.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {024516FC-2E86-4731-93C6-E6DA04DE62F3} - c:\documents and settings\laci\local settings\application data\difolders software\blogjet\blogthis.js
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/PCPitStop.CAB
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-94171777763b68e5.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laci\applic~1\mozilla\firefox\profiles\dqzwr47w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2144081&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://outcall.net/toplist/auto10/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}\lib\ff36\gears.dll
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\{9eb64fa9-57c4-4a41-9940-e12e0418b693}\components\RadioWMPCore.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\laci\application data\mozilla\firefox\profiles\dqzwr47w.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NpIpx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ccdb;ccdb;c:\windows\system32\ccdb.sys [2010-2-23 74752]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2006-1-13 15872]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2009-10-7 472280]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-10-4 90352]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-10-7 185640]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-10-12 120472]
S2 gupdate1c9694dee7947f6;Google Update Service (gupdate1c9694dee7947f6);c:\program files\google\update\GoogleUpdate.exe [2008-12-28 133104]
S3 Ipenuf;FingerSystem i-Pen USB Mouse;c:\windows\system32\drivers\Ipenuf.sys [2009-7-24 10048]

=============== Created Last 30 ================

2010-03-10 22:39:04 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 02:18:58 0 d-----w- c:\docume~1\laci\applic~1\The Bat!
2010-03-06 23:26:47 0 d-sha-r- C:\cmdcons
2010-03-06 23:25:55 98816 ----a-w- c:\windows\sed.exe
2010-03-06 23:25:55 77312 ----a-w- c:\windows\MBR.exe
2010-03-06 23:25:55 261632 ----a-w- c:\windows\PEV.exe
2010-03-06 23:25:55 161792 ----a-w- c:\windows\SWREG.exe
2010-03-04 16:30:21 0 d-----w- c:\program files\Cool Timer
2010-03-02 1642 0 d-----w- c:\program files\GoldWave
2010-02-28 01:44:20 0 d-----w- c:\program files\TheBestSpinner
2010-02-26 15:12:26 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-25 16:25:37 0 d-----w- c:\program files\SPExaminer
2010-02-25 16:25:21 638976 ------w- c:\windows\system32\EXCEL9.OLB
2010-02-25 16:25:21 548864 ------w- c:\windows\system32\MSWORD9.OLB
2010-02-25 16:25:21 137000 ------w- c:\windows\system32\MSMAPI32.OCX
2010-02-25 16:23:25 0 d-----w- c:\program files\Copywriting Automator
2010-02-23 17:42:44 74752 ----a-w- c:\windows\system32\ccdb.sys
2010-02-16 01:21:57 1310720 ----a-w- c:\windows\system32\ChilkatUpload.dll
2010-02-12 20:57:56 0 d-----w- c:\program files\Eltima Software

==================== Find3M ====================

2010-03-08 19:59:46 72080 -c--a-w- c:\documents and settings\laci\g2mdlhlpx.exe
2010-02-24 04:22:18 167 -c--a-w- c:\documents and settings\laci\udownload.dat
2010-01-27 19:10:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-22 00:20:05 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2009-12-18 13:05:43 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2008-03-10 17:48:26 2939142 ----a-w- c:\program files\FLVplayr.exe
1777-09-20 09:14:18 4263 --sh--w- c:\windows\windllreg1c.sys

============= FINISH: 8:16:16.89 ===============
mavensophie is offline  
Old 03-11-2010, 06:42 AM   #20

Checked my computer; Google searches still redirect.

I wonder what it would take for me to run Kaspersky... if that is the solution.
mavensophie is offline  
 
