Tech Support Forum

Discussion Starter · #1
Alright guys, I'm used to fixing most computer problems by myself (being a part-time IT guy and all), but I simply cannot get rid of these two viruses (are they one combo virus?). And you guys are really awesome, so I need your help! :p

Seems like I have the typical Google redirect virus (though I did some research and the files that most people were infected with were not present on my computer, same for the random audio virus) that I kind of crippled after deleting some files, but it's still affecting my Google searches. Furthermore, I have the random audio virus, which plays audio clips randomly every once in a while, and indeed the iexplorer.exe services pop up in my task manager every time it plays (two of them, actually). These two viruses seem to go hand in hand in the research I did, kinda sucks...

I removed PowerISO and then followed the procedure you guys outlined; here's the info:

DDS (Ver_09-11-24.02) - NTFSx86
Run by Ben at 8:20:41.90 on 26/11/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.2046.1094 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Users\Ben\AppData\Local\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Users\Ben\AppData\Local\Temp\Adobelm_Cleanup.0001
C:\Windows\system32\wuauclt.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Ben\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-12 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-12 53328]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-25 1153368]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-3-19 8320]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

=============== Created Last 30 ================

2009-11-26 04:15:30 341639683 ----a-w- c:\windows\MEMORY.DMP
2009-11-26 01:10:55 0 d-----w- C:\Device
2009-11-26 00:46:28 98816 ----a-w- c:\windows\sed.exe
2009-11-26 00:46:28 77312 ----a-w- c:\windows\MBR.exe
2009-11-26 00:46:28 260608 ----a-w- c:\windows\PEV.exe
2009-11-26 00:46:28 161792 ----a-w- c:\windows\SWREG.exe
2009-11-26 00:12:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 00:12:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 00:08:02 524288 --sha-w- c:\users\ben\ntuser.dat{cb3f81d1-da1e-11de-bb04-c9e85aac3db5}.TMContainer00000000000000000002.regtrans-ms
2009-11-26 00:08:02 524288 --sha-w- c:\users\ben\ntuser.dat{cb3f81d1-da1e-11de-bb04-c9e85aac3db5}.TMContainer00000000000000000001.regtrans-ms
2009-11-26 00:08:01 65536 --sha-w- c:\users\ben\ntuser.dat{cb3f81d1-da1e-11de-bb04-c9e85aac3db5}.TM.blf
2009-11-25 23:12:00 0 d-----w- c:\users\ben\appdata\roaming\Malwarebytes
2009-11-25 23:11:08 0 d-----w- c:\programdata\Malwarebytes
2009-11-25 23:11:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 22:15:24 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-25 22:15:24 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-19 22:06:48 0 d-----w- c:\users\ben\appdata\roaming\Nokia Ovi Suite
2009-11-19 22:06:07 0 d-----w- c:\programdata\Nokia
2009-11-19 22:02:39 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-11-19 22:00:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-11-19 21:59:54 0 d-----w- c:\programdata\PC Suite
2009-11-19 21:21:52 0 d-----w- c:\program files\common files\Nokia
2009-11-19 21:20:41 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-11-19 21:20:09 0 d-----w- c:\program files\PC Connectivity Solution
2009-11-19 21:19:41 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-11-19 21:18:08 0 d-----w- c:\programdata\OviInstallerCache
2009-11-19 21:18:08 0 d-----w- c:\program files\Nokia
2009-11-19 18:26:23 0 d-----w- c:\program files\iTunes
2009-11-18 20:02:09 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-11-18 20:01:04 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-11-15 04:07:21 0 d-----w- C:\PSFONTS
2009-11-15 04:06:54 0 d-----w- c:\program files\Finale NotePad 2010
2009-11-12 13:55:57 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-11 20:55:42 0 ----a-w- c:\windows\ViewNX.INI
2009-11-11 20:49:44 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-11 20:41:17 110592 ----a-r- c:\windows\system32\RCSigProc.dll
2009-11-11 20:41:16 6475096 ----a-w- c:\windows\system32\NEFcodec.dll
2009-11-11 20:41:16 200704 ----a-r- c:\windows\system32\Strato7.dll
2009-11-11 20:30:29 20 ---h--w- c:\programdata\PKP_DLdw.DAT
2009-11-11 20:28:59 0 d-----w- c:\program files\common files\muvee Technologies
2009-11-11 20:28:55 0 d-----w- c:\programdata\Nikon
2009-11-11 20:28:55 0 d-----w- c:\program files\common files\Nikon
2009-11-11 20:28:46 0 d-----w- c:\program files\Nikon
2009-11-11 20:27:59 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2009-11-11 20:27:59 0 d-----w- c:\programdata\Ultima_T15
2009-11-11 20:27:59 0 d-----w- c:\programdata\EnterNHelp
2009-11-11 04:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 04:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-11-05 08:00:45 34118 ----a-w- c:\windows\scunin.dat
2009-11-05 08:00:44 967 ----a-w- c:\windows\ScUnin.pif
2009-11-05 08:00:44 70656 ----a-w- c:\windows\ScUnin.exe
2009-11-05 07:16:33 0 d-----w- c:\program files\Starcraft
2009-11-02 15:05:38 0 d-----w- c:\program files\Microsoft Games

==================== Find3M ====================

2009-11-26 03:56:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-26 00:49:20 21584 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-18 20:54:13 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-10-17 03:27:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-10-07 15:05:14 232712 ----a-w- c:\windows\system32\PDBoot.exe
2009-10-02 04:06:59 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 16:41:28 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-10 05:52:05 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-03 07:04:15 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-08-29 06:57:31 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 06:54:52 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 8:22:22.84 ===============


Thanks a bunch in advance for your help and expertise!!! :)
 


Discussion Starter · #2
Well, it actually seems like the virus is gone (kind of a long story; stuff happened between this thread's posting and now, which I'll explain at another time), but I'll run another scan and post it when I have time later tonight.
 

TSF Security Manager, Emeritus
We'll also need to see all ComboFix reports. You'll find them at C:\ComboFix.txt and the previous reports in C:\Qoobox.

Regardless of the fact that you are a part-time IT person, please take note of Post 2 in our pre-posting topic, as well as the Disclaimer you had to OK to run ComboFix. Going forward, I highly recommend you heed such instructions.

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify whether there are any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
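The helper's point about reading the preliminary logs before choosing a tool can be made concrete with a small triage script. The Python below is an added example, not code from this thread or from the DDS tool: it takes the `mPolicies-system` and `Hosts:` lines that DDS printed in the first post (copied here as the sample input) and flags the settings a malware-removal helper looks at first. The UAC reference values, the hostname keyword list and the wording of each finding are this example's own assumptions.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not code from the forum or from DDS.
It reads the [um]Policies-system and Hosts: lines DDS prints and flags the
settings a malware-removal helper checks first. The UAC reference values and
the hostname keyword list are this example's own assumptions.
"""
import re

# Sample input: the relevant lines copied from the DDS log posted in this
# thread, plus one unrelated line to show that everything else is ignored.
SAMPLE_DDS = """\
mRun: [avast!] "c:\\program files\\alwil software\\avast4\\ashDisp.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# DDS prefixes machine policies with 'm' and per-user policies with 'u'.
POLICY_RE = re.compile(
    r"^[um]Policies-system:\s+(\w+)\s*=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")

# UAC values that mean the protection is off (assumed reference values; the
# Windows 7 defaults are EnableLUA=1, PromptOnSecureDesktop=1 and
# ConsentPromptBehaviorAdmin=5).
WEAK_UAC = {
    "EnableLUA": (0, "UAC disabled: administrators run with the full token"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate silently, no prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts shown on the normal desktop"),
}

# Hostnames containing these words get a closer look when redirected.
SECURITY_SITE_HINTS = ("spyware", "malware", "antivirus", "virus", "security")


def parse_policies(text):
    """Return {policy name: integer value} for every [um]Policies-system line."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[m.group(1)] = int(m.group(2))
    return policies


def parse_hosts(text):
    """Return [(ip, hostname)] for every Hosts: line DDS reported."""
    entries = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return a list of findings, each a dict with kind/item/value/note."""
    findings = []
    policies = parse_policies(text)
    for name, (weak_value, note) in WEAK_UAC.items():
        if policies.get(name) == weak_value:
            findings.append({"kind": "uac", "item": name,
                             "value": policies[name], "note": note})
    for ip, host in parse_hosts(text):
        note = "hosts-file override; confirm it was intentional"
        if any(hint in host.lower() for hint in SECURITY_SITE_HINTS):
            note = ("security-related site redirected by the hosts file; "
                    "malware does this to block cleanup sites, but hosts-based "
                    "blocklists add such entries too, so verify the source")
        findings.append({"kind": "hosts", "item": host, "value": ip, "note": note})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['kind']}] {f['item']} = {f['value']}: {f['note']}")
```

Run against the posted log, the script reports UAC fully disabled (`EnableLUA = 0`), silent elevation for administrators and prompts off the secure desktop, plus the hosts entry pointing `www.spywareinfo.com` at loopback. None of these is a malware verdict on its own, which is exactly why the helper wants the logs before deciding on ComboFix: the hosts entry, for instance, needs checking against what the machine's own blocklist tools write before it is treated as a hijack.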
 

Discussion Starter · #4
Yeah, I actually did read that but didn't see the part in the middle; I just assumed y'all didn't want us to run a ComboFix scan at all. I'll post one up soon :). Thanks!
 

TSF Security Manager, Emeritus
I don't want you to; you, or someone else, already did on November 26th. Please navigate to C:\ComboFix.txt and you'll find the report there. Post the contents, please. Do not run it again.
 

Discussion Starter · #6
Oh shoot, yeah, that was from before... I had read about a way to fix it on another site and tried it, but it didn't seem to work.

here:
ComboFix 09-11-25.03 - Ben 25/11/2009 19:53.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.2046.1166 [GMT -5:00]
Running from: c:\users\Ben\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Ben\Desktop\cfscript.txt

FILE ::
"c:\program files\AdvancedVirusRemover\PAVRM.exe"
"c:\windows\system32\AVR09.exe"
"c:\windows\system32\winhelper.dll"
"c:\windows\system32\winupdate.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_BITS


((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-26 01:10 . 2009-11-26 01:10 -------- d-----w- C:\Device
2009-11-26 00:45 . 2009-11-26 00:46 -------- d-----w- C:\32788R22FWJFW
2009-11-26 00:12 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 00:12 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 23:12 . 2009-11-25 23:12 -------- d-----w- c:\users\Ben\AppData\Roaming\Malwarebytes
2009-11-25 23:11 . 2009-11-26 00:12 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 23:11 . 2009-11-25 23:11 -------- d-----w- c:\programdata\Malwarebytes
2009-11-25 22:15 . 2009-11-26 00:06 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 22:15 . 2009-11-26 00:06 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-19 22:06 . 2009-11-19 22:06 -------- d-----w- c:\users\Ben\AppData\Roaming\Nokia Ovi Suite
2009-11-19 22:06 . 2009-11-19 22:06 -------- d-----w- c:\programdata\Nokia
2009-11-19 21:59 . 2009-11-19 22:23 -------- d-----w- c:\users\Ben\AppData\Roaming\Nokia
2009-11-19 21:59 . 2009-11-19 21:59 -------- d-----w- c:\users\Ben\AppData\Local\Nokia
2009-11-19 21:59 . 2009-11-19 22:01 -------- d-----w- c:\programdata\PC Suite
2009-11-19 21:59 . 2009-11-19 22:07 -------- d-----w- c:\users\Ben\AppData\Roaming\PC Suite
2009-11-19 21:59 . 2009-11-19 21:59 -------- d-----w- c:\users\Ben\AppData\Local\NokiaAccount
2009-11-19 21:21 . 2009-11-19 21:22 4096 d-----w- c:\program files\Common Files\Nokia
2009-11-19 21:20 . 2008-08-26 15:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-11-19 21:20 . 2009-11-19 21:20 12288 d-----w- c:\program files\PC Connectivity Solution
2009-11-19 21:19 . 2009-02-09 13:37 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-11-19 21:18 . 2009-11-19 21:18 12212040 ----a-w- c:\programdata\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2009-11-19 21:18 . 2009-11-19 21:18 13930312 ----a-w- c:\programdata\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2009-11-19 21:18 . 2009-11-19 21:18 77824 ----a-w- c:\programdata\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2009-11-19 21:18 . 2009-11-19 21:18 61440 ----a-w- c:\programdata\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMF11Runx86.exe
2009-11-19 21:18 . 2009-11-19 21:18 58880 ----a-w- c:\programdata\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMF11Runx64.exe
2009-11-19 21:18 . 2009-11-19 21:18 50000 ----a-w- c:\programdata\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\pcswpc.exe
2009-11-19 21:18 . 2009-11-19 21:09 94628904 ----a-w- c:\programdata\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Nokia_Ovi_Suite_webinstaller_ALL.exe
2009-11-19 21:18 . 2009-11-19 21:20 -------- d-----w- c:\program files\Nokia
2009-11-19 21:18 . 2009-11-19 21:18 -------- d-----w- c:\programdata\OviInstallerCache
2009-11-19 18:26 . 2009-11-19 18:27 4096 d-----w- c:\program files\iTunes
2009-11-19 18:21 . 2009-11-19 18:21 4096 d-----w- c:\program files\QuickTime
2009-11-18 20:01 . 2009-07-20 17:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-11-18 20:00 . 2009-11-18 20:00 10134 ----a-r- c:\users\Ben\AppData\Roaming\Microsoft\Installer\{3101CB58-3482-4D21-AF1A-7057FC935355}\ARPPRODUCTICON.exe
2009-11-18 20:00 . 2009-11-18 20:02 -------- d-----w- c:\program files\Common Files\Logishrd
2009-11-15 04:07 . 2009-11-15 04:07 4096 d-----w- C:\PSFONTS
2009-11-15 04:06 . 2009-11-15 04:39 4096 d-----w- c:\program files\Finale NotePad 2010
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-12 13:56 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-12 13:56 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-12 13:56 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-12 13:56 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-12 13:55 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-12 13:55 . 2009-09-15 11:55 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-12 13:55 . 2009-11-12 13:55 -------- d-----w- c:\program files\Alwil Software
2009-11-11 20:50 . 2009-11-11 20:53 -------- d-----w- c:\users\Ben\AppData\Roaming\Nikon
2009-11-11 20:41 . 2008-01-10 15:51 110592 ----a-r- c:\windows\system32\RCSigProc.dll
2009-11-11 20:41 . 2008-06-12 15:29 6475096 ----a-w- c:\windows\system32\NEFcodec.dll
2009-11-11 20:41 . 2008-01-10 15:16 200704 ----a-r- c:\windows\system32\Strato7.dll
2009-11-09 09:11 . 2009-11-09 09:11 593920 ----a-w- c:\users\Ben\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll
2009-11-09 09:11 . 2009-11-09 09:11 319488 ----a-w- c:\users\Ben\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-11-05 08:00 . 2009-11-05 08:15 34118 ----a-w- c:\windows\scunin.dat
2009-11-05 08:00 . 2009-11-05 08:15 967 ----a-w- c:\windows\ScUnin.pif
2009-11-05 08:00 . 2009-11-05 08:15 70656 ----a-w- c:\windows\ScUnin.exe
2009-11-05 07:16 . 2009-11-24 19:19 12288 d-----w- c:\program files\Starcraft
2009-11-02 15:23 . 2009-11-02 22:05 -------- d-----w- c:\users\Ben\AppData\Local\Microsoft Games
2009-11-02 15:05 . 2009-11-02 15:05 4096 d-----w- c:\program files\Microsoft Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 00:49 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-26 00:06 . 2009-10-17 18:50 -------- d-----w- c:\program files\AVG
2009-11-25 18:17 . 2009-10-18 03:05 4096 d-----w- c:\users\Ben\AppData\Roaming\DC++
2009-11-25 05:52 . 2009-10-17 02:16 118024 ----a-w- c:\users\Ben\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-24 18:51 . 2009-10-21 22:24 4096 d-----w- c:\users\Ben\AppData\Roaming\uTorrent
2009-11-24 16:08 . 2009-10-25 08:58 8192 d-----w- c:\users\Ben\AppData\Roaming\FrostWire
2009-11-24 13:01 . 2009-10-17 18:58 8192 d-----w- c:\users\Ben\AppData\Roaming\skypePM
2009-11-24 01:50 . 2009-10-17 18:57 4096 d-----w- c:\users\Ben\AppData\Roaming\Skype
2009-11-22 22:55 . 2009-11-11 20:30 20 ---h--w- c:\programdata\PKP_DLdw.DAT
2009-11-22 22:54 . 2009-11-11 20:27 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2009-11-19 22:16 . 2009-10-19 04:15 -------- d-----w- c:\program files\Common Files\Apple
2009-11-19 22:02 . 2009-11-19 22:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-11-19 22:00 . 2009-11-19 22:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-11-19 18:26 . 2009-10-19 04:17 -------- d-----w- c:\programdata\Apple Computer
2009-11-18 20:02 . 2009-10-17 03:23 -------- d-----w- c:\programdata\LogiShrd
2009-11-18 20:02 . 2009-11-18 20:02 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-11-18 20:01 . 2009-10-17 03:24 -------- d-----w- c:\program files\Common Files\Logitech
2009-11-18 20:00 . 2009-10-17 02:29 4096 d--h--w- c:\program files\InstallShield Installation Information
2009-11-11 20:50 . 2009-11-11 20:28 4096 d-----w- c:\program files\Common Files\Nikon
2009-11-11 20:49 . 2009-11-11 20:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-11 20:35 . 2009-11-11 20:35 49152 ----a-r- c:\users\Ben\AppData\Roaming\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2009-11-11 20:34 . 2009-11-11 20:34 335872 ----a-r- c:\users\Ben\AppData\Roaming\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2009-11-11 20:33 . 2009-11-11 20:33 57344 ----a-r- c:\users\Ben\AppData\Roaming\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2009-11-11 20:31 . 2009-11-11 20:28 -------- d-----w- c:\program files\Nikon
2009-11-11 20:30 . 2009-11-11 20:27 -------- d-----w- c:\programdata\Ultima_T15
2009-11-11 20:30 . 2009-11-11 20:27 -------- d-----w- c:\programdata\EnterNHelp
2009-11-11 20:28 . 2009-11-11 20:28 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-11-11 20:28 . 2009-11-11 20:28 -------- d-----w- c:\programdata\Nikon
2009-11-11 20:27 . 2009-10-21 23:12 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-11 18:53 . 2009-10-17 19:40 8192 d-----w- c:\programdata\Microsoft Help
2009-11-03 01:42 . 2009-10-17 02:31 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 15:05 . 2009-07-14 04:52 4096 d-----w- c:\program files\DVD Maker
2009-10-26 09:25 . 2009-10-17 19:11 -------- d-----w- c:\program files\IObit
2009-10-26 05:06 . 2009-10-17 18:01 4096 d-----w- c:\program files\Common Files\Adobe
2009-10-25 21:23 . 2009-10-25 21:22 -------- d-----w- c:\program files\MSN Virus Remover
2009-10-25 09:19 . 2009-10-25 09:19 0 ----a-w- c:\users\Ben\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-10-25 08:58 . 2009-10-25 08:57 24576 d-----w- c:\program files\FrostWire
2009-10-21 23:13 . 2009-10-21 23:13 -------- d-----w- c:\program files\Altera
2009-10-21 22:49 . 2009-10-21 22:49 -------- d-----w- c:\programdata\Raxco
2009-10-21 22:49 . 2009-10-21 21:55 -------- d-----w- c:\program files\Raxco
2009-10-21 22:24 . 2009-10-21 22:24 -------- d-----w- c:\program files\uTorrent
2009-10-20 03:35 . 2009-10-20 03:34 -------- d-----w- c:\users\Ben\AppData\Roaming\Media Player Classic
2009-10-20 03:35 . 2009-10-20 03:35 -------- d-----w- c:\users\Ben\AppData\Roaming\DivX
2009-10-19 04:28 . 2009-10-19 04:19 4096 d-----w- c:\users\Ben\AppData\Roaming\Apple Computer
2009-10-19 04:19 . 2009-10-19 04:18 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-19 04:16 . 2009-10-19 04:16 4096 d-----w- c:\program files\Apple Software Update
2009-10-19 04:15 . 2009-10-19 04:15 -------- d-----w- c:\programdata\Apple
2009-10-19 01:09 . 2009-10-19 01:09 4096 d-----w- c:\program files\Xvid
2009-10-19 01:02 . 2009-10-19 01:01 4096 d-----w- c:\program files\DivX
2009-10-19 01:02 . 2009-10-19 01:02 4096 d-----w- c:\program files\Common Files\PX Storage Engine
2009-10-19 01:02 . 2009-10-19 01:01 4096 d-----w- c:\program files\Common Files\DivX Shared
2009-10-19 00:40 . 2009-10-19 00:40 -------- d-----w- c:\program files\CoreCodec
2009-10-19 00:34 . 2009-10-19 00:34 4096 d-----w- c:\program files\Combined Community Codec Pack
2009-10-18 20:55 . 2009-10-18 20:55 -------- d-----w- c:\users\Ben\AppData\Roaming\Leadertech
2009-10-18 20:54 . 2009-10-18 20:54 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-10-18 20:54 . 2009-10-18 20:50 -------- d-----w- c:\program files\epson
2009-10-18 20:53 . 2009-10-18 20:50 4096 d-----w- c:\programdata\EPSON
2009-10-18 03:05 . 2009-10-18 03:04 4096 d-----w- c:\program files\DC++
2009-10-18 03:04 . 2009-10-18 03:04 -------- d-----w- c:\program files\CCleaner
2009-10-17 21:23 . 2009-10-17 19:45 4096 d-----w- c:\program files\Microsoft Works
2009-10-17 20:50 . 2009-10-17 18:28 -------- d-----w- c:\program files\Microsoft
2009-10-17 19:43 . 2009-10-17 19:43 -------- d-----w- c:\program files\Microsoft.NET
2009-10-17 19:19 . 2009-10-17 19:11 -------- d-----w- c:\users\Ben\AppData\Roaming\IObit
2009-10-17 19:07 . 2009-10-17 19:07 4096 d-----w- c:\program files\PowerISO
2009-10-17 19:06 . 2009-10-17 19:06 -------- d-----w- c:\program files\tamasoftware
2009-10-17 18:58 . 2009-10-17 18:58 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-17 18:56 . 2009-10-17 18:56 -------- d-----r- c:\program files\Skype
2009-10-17 18:56 . 2009-10-17 18:56 -------- d-----w- c:\program files\Common Files\Skype
2009-10-17 18:56 . 2009-10-17 18:56 -------- d-----w- c:\programdata\Skype
2009-10-17 18:27 . 2009-10-17 18:27 4096 d-----w- c:\program files\Windows Live
2009-10-17 18:27 . 2009-10-17 18:27 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-17 18:24 . 2009-10-17 18:24 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-17 18:05 . 2009-10-17 18:05 -------- d-----w- c:\users\Ben\AppData\Roaming\AdobeUM
2009-10-17 18:03 . 2009-10-17 18:03 -------- d-----w- c:\programdata\Adobe Systems
2009-10-17 18:02 . 2009-10-17 18:02 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-10-17 17:41 . 2009-10-17 02:43 -------- d-----w- c:\users\Ben\AppData\Roaming\ATI
2009-10-17 17:40 . 2009-10-17 13:51 -------- d-----w- c:\program files\ATI Technologies
2009-10-17 15:36 . 2009-10-17 15:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-17 15:36 . 2009-10-17 15:36 -------- d-----w- c:\program files\Java
2009-10-17 13:54 . 2009-10-17 13:54 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-17 08:53 . 2009-10-17 08:51 4096 d-----w- c:\program files\Driver Sweeper
2009-10-17 08:36 . 2009-10-17 08:36 -------- d-----w- c:\programdata\ATI
2009-10-17 06:39 . 2009-10-17 06:07 -------- d-----w- c:\programdata\Yahoo!
2009-10-17 06:07 . 2009-10-17 06:07 -------- d-----w- c:\program files\Yahoo!
2009-10-17 03:31 . 2009-10-17 02:37 12288 d-----w- c:\program files\MobilityDotNET
2009-10-17 03:27 . 2009-10-17 03:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-10-17 03:27 . 2009-10-17 03:27 -------- d-----w- c:\users\Ben\AppData\Roaming\Logitech
2009-10-17 03:24 . 2009-10-17 03:24 -------- d-----w- c:\programdata\Logitech
2009-10-17 03:23 . 2009-10-17 03:23 -------- d-----w- c:\program files\Logitech
2009-10-17 03:23 . 2009-10-17 03:23 -------- d-----w- c:\users\Ben\AppData\Roaming\InstallShield
2009-10-17 03:15 . 2009-10-17 03:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-17 03:08 . 2009-10-17 03:08 -------- d-----w- c:\program files\CONEXANT
2009-10-17 03:07 . 2009-10-17 03:07 -------- d-----w- c:\program files\MSXML 4.0
2009-10-17 02:40 . 2009-10-17 02:40 -------- d-----w- c:\program files\ATI
2009-10-17 02:28 . 2009-10-17 02:28 -------- d-----w- c:\programdata\Seagate
2009-10-17 02:28 . 2009-10-17 02:28 -------- d-----w- c:\program files\Seagate
2009-10-07 15:05 . 2009-10-07 15:05 232712 ----a-w- c:\windows\system32\PDBoot.exe
2009-10-02 04:06 . 2009-10-17 03:06 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2009-02-19 202064]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-02-24 479232]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-16 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [12/11/2009 8:56 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [12/11/2009 8:56 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [12/11/2009 8:55 AM 53328]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [25/09/2009 10:32 PM 189736]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [30/03/2009 3:28 PM 1533808]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\netw5v32.sys [10/06/2009 4:18 PM 4231168]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [19/03/2009 2:48 PM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [19/03/2009 2:48 PM 8320]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\System32\drivers\VSTAZL3.SYS [13/07/2009 5:13 PM 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [13/07/2009 5:13 PM 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [13/07/2009 5:13 PM 661504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
AppMgmt
.
Contents of the 'Scheduled Tasks' folder

2009-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3067595896-1473156694-2022579046-1000Core.job
- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-17 02:16]

2009-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3067595896-1473156694-2022579046-1000UA.job
- c:\users\Ben\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-17 02:16]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

AddRemove-504244733D18C8F63FF584AEB290E3904E791693 - c:\progra~1\DIFX\B4723E9A0713E5B1\dpinst.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1616)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-11-25 20:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 01:43

Pre-Run: 81,787,379,712 bytes free
Post-Run: 81,363,574,784 bytes free

- - End Of File - - A667B8FD15CA03E05A38E14C613F3749

Sorry about the confusion!
 

TSF Security Manager, Emeritus (42,836 Posts)
i had read about a way to fix it on another site
Did they also provide the CFScript? Was this a self help guide or did you follow what you saw being done for someone else?
 

TSF Security Manager, Emeritus (42,836 Posts)
Thank you. That article was put up in April of this year and is totally irrelevant to the infection you had on your system. This is why following these so-called self-help guides regarding ComboFix is not endorsed, and can be dangerous. It's best to heed the advice of the author of the tool, which is clearly stated in the Disclaimer that you must pass through in order to run the tool. :wink:

So, even after running ComboFix, you are still experiencing redirects?
 

Read Only (25 Posts) · Discussion Starter · #10
Well, to be honest, I haven't experienced any redirects or audio problems in a couple of days; it seems to have gone away. If it pops up again, I'll just make another thread. This one can be closed, I guess :p.

Thanks for your help :)
 

TSF Security Manager, Emeritus (42,836 Posts)
I didn't think you should be. Just so you know, the CFscript was not what cleaned your system, it was the hard disk controller hijack that ComboFix targeted and was able to successfully replace.

If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT - Web of Trust. This is a free browser add on that warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Please take some time to read the following articles. I think you'll find them quite enlightening:



Take care and surf safely. :wave:
 