Tech Support Forum

Discussion Starter · #1 ·
Hi there

I've had a problem with my computer for some time, it's almost definitely (from my limited knowledge) some form of malware.

I am on Windows Vista SP1, running Kaspersky Internet Security 7.0

When using Google, Firefox opens new tabs every time I click on a link, and often the page opened is entirely unrelated to the link. Also ad banners are often replaced with ads for Vimax and other Viagra products.

This is happening on my laptop and another laptop connected to the same network wirelessly, but not to a desktop wired up to the router. Also I have found that the problem does not occur on other networks that I connect to.

I have run many virus scans and they consistently fail to turn up anything. What else can I do?

DDS.txt below
DDS (Ver_09-03-16.01) - NTFSx86
Run by Callum at 21:06:23.62 on 08/05/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1026 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\Drivers\WTSRV.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\WTClient.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conime.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Callum\AppData\Local\Temp\Low\radD6993.tmp.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Callum\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WTClient] WTClient.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe"
StartupFolder: c:\users\callum\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 7.0\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\r3hook.dll c:\progra~1\kasper~1\kasper~1.0\adialhk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\callum\appdata\roaming\mozilla\firefox\profiles\oe8xlfcq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\evernote\evernote3\fftbclipper\components\enbar3.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2007-4-4 20760]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\drivers\KMDFMEMIO.sys [2007-12-11 13312]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2009-4-2 18944]
S2 0285861213634572mcinstcleanup;0285861213634572mcinstcleanup; [x]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2009-4-2 10752]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-4-12 120168]

=============== Created Last 30 ================

2009-05-08 18:50 161,792 a------- c:\windows\SWREG.exe
2009-05-08 18:50 98,816 a------- c:\windows\sed.exe
2009-05-08 18:50 <DIR> --d----- C:\ComboFix
2009-05-03 16:57 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-04-29 19:31 <DIR> --d----- c:\program files\Evernote
2009-04-26 09:35 <DIR> --d----- c:\programdata\PopCap
2009-04-26 09:35 <DIR> --d----- c:\progra~2\PopCap
2009-04-26 09:34 <DIR> --d----- c:\program files\PopCap Games
2009-04-23 21:42 <DIR> --d----- c:\users\callum\.phet
2009-04-23 21:28 <DIR> --d----- c:\users\callum\appdata\roaming\Juniper Networks
2009-04-18 23:31 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-04-18 23:31 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-04-18 21:56 <DIR> --d----- c:\program files\Spyware Terminator
2009-04-17 17:26 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-04-17 17:26 72,704 a------- c:\windows\system32\secur32.dll
2009-04-17 17:26 24,064 a------- c:\windows\system32\amxread.dll
2009-04-17 17:26 13,824 a------- c:\windows\system32\apilogen.dll
2009-04-16 21:20 <DIR> --d----- c:\program files\Steinberg
2009-04-16 21:20 <DIR> --d----- c:\program files\Pinnacle
2009-04-16 21:18 <DIR> --d----- c:\programdata\Pinnacle

==================== Find3M ====================

2009-05-08 21:06 41,144,352 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-08 19:06 540,596 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-06 20:16 63,630 a------- c:\users\callum\appdata\roaming\nvModes.dat
2009-04-02 23:24 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-02 23:24 143,360 a------- c:\windows\inf\infstor.dat
2009-04-02 23:24 86,016 a------- c:\windows\inf\infpub.dat
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-14 21:27 34 a------- c:\users\callum\jagex_runescape_preferences.dat
2009-03-03 05:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 05:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 05:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-03 05:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 05:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-03 05:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 05:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-03 05:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 05:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 05:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 04:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 03:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-03 03:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-02-09 04:10 2,033,152 a------- c:\windows\system32\win32k.sys
2008-06-12 03:09 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-02 09:53 604 a---h--- c:\program files\STLL Notifier
2008-03-25 19:29 22,328 a------- c:\users\callum\appdata\roaming\PnkBstrK.sys
2008-03-23 17:15 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-08 21:06 262,144 a--sh--- c:\windows\serviceprofiles\networkservice\NTUSER.DAT
2008-08-06 11:06 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-08-06 11:06 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-08-06 11:06 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 21:07:17.79 ===============
Hello, cw99388 :)
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Reply button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :wink:.

Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

After that, please download this file:
http://www.gmer.net/mbr/mbr.exe
Run that file and post back with the report it creates.

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author:

How to run ComboFix:

  1. Please download ComboFix from one of the following mirrors, and save it to your desktop.
  2. Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  3. Double click ComboFix on your desktop.
  4. Read and accept (Press Yes) to the disclaimer.
  5. For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  6. ComboFix will run. Simply wait for it to finish.
  7. When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)

NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • GooredFix's log
  • MBR.exe's log
  • ComboFix.txt
Billy3
Discussion Starter · #3 ·
Hi there,

I couldn't run the MBR.exe, when I tried it flashed up with a black console and then disappeared.

However, I do have the other two you requested:

GooredLog

GooredFix v1.92 by jpshortstuff
Log created at 20:11 on 13/05/2009 running Option #2 (Callum)
Firefox version 3.0.10 (en-GB)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord"

ComboFix

ComboFix 09-05-13.01 - Callum 13/05/2009 20:34.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1194 [GMT 1:00]
Running from: c:\users\Callum\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-10 17:47 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-10 16:58 . 2009-05-10 16:59 -------- dc-h--w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-10 16:58 . 2009-05-10 16:59 -------- dc-h--w c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-10 16:57 . 2009-05-10 16:57 -------- d-----w c:\program files\Lavasoft
2009-05-10 16:57 . 2009-05-10 17:19 -------- d-----w c:\programdata\Lavasoft
2009-05-10 16:57 . 2009-05-10 17:19 -------- d-----w c:\users\All Users\Lavasoft
2009-05-10 16:52 . 2009-05-10 16:52 -------- d-----w C:\NVIDIA
2009-05-08 21:41 . 2009-02-05 20:06 51792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
2009-05-08 21:41 . 2003-03-18 19:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-05-08 21:41 . 2009-05-08 21:41 -------- d-----w c:\program files\Alwil Software
2009-05-03 15:57 . 2009-05-03 15:57 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-30 21:02 . 2009-04-30 21:02 9850016 ----a-w c:\windows\system32\drivers\nvlddmkm.sys
2009-04-30 21:02 . 2009-04-30 21:02 795104 ----a-w c:\windows\system32\dpinst.exe
2009-04-30 21:02 . 2009-04-30 21:02 143360 ----a-w c:\windows\system32\nvcod.dll
2009-04-30 21:02 . 2009-04-30 21:02 143360 ----a-w c:\windows\system32\nvcod146.dll
2009-04-30 21:02 . 2009-04-30 21:02 1704960 ----a-w c:\windows\system32\nvcuda.dll
2009-04-30 21:02 . 2009-04-30 21:02 1314816 ----a-w c:\windows\system32\nvcuvenc.dll
2009-04-30 21:02 . 2009-04-30 21:02 663552 ----a-w c:\windows\system32\nvcuvid.dll
2009-04-30 21:02 . 2009-04-30 21:02 10366976 ----a-w c:\windows\system32\nvoglv32.dll
2009-04-30 21:02 . 2009-04-30 21:02 457248 ----a-w c:\windows\system32\nvudisp.exe
2009-04-30 21:02 . 2009-04-30 21:02 3128320 ----a-w c:\windows\system32\nvwgf2um.dll
2009-04-29 18:31 . 2009-04-29 18:31 -------- d-----w c:\users\Callum\AppData\Local\Evernote
2009-04-29 18:31 . 2009-04-29 18:31 -------- d-----w c:\program files\Evernote
2009-04-26 08:35 . 2009-04-26 08:35 -------- d-----w c:\programdata\PopCap
2009-04-26 08:35 . 2009-04-26 08:35 -------- d-----w c:\users\All Users\PopCap
2009-04-26 08:34 . 2009-04-26 08:34 -------- d-----w c:\program files\PopCap Games
2009-04-23 20:42 . 2009-04-23 20:42 -------- d-----w c:\users\Callum\.phet
2009-04-23 20:28 . 2009-05-04 21:06 -------- d-----w c:\users\Callum\AppData\Roaming\Juniper Networks
2009-04-18 22:31 . 2009-04-18 22:31 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-18 22:31 . 2009-04-18 22:31 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-18 20:56 . 2009-04-28 21:08 -------- d-----w c:\program files\Spyware Terminator
2009-04-17 16:26 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-17 16:26 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-17 16:26 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-17 16:26 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
2009-04-17 16:24 . 2009-03-03 04:40 827392 ----a-w c:\windows\system32\wininet.dll
2009-04-17 16:24 . 2009-03-03 02:28 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-04-17 16:24 . 2009-03-03 04:37 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\program files\Pinnacle
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\program files\Steinberg
2009-04-16 20:18 . 2009-04-16 20:18 -------- d-----w c:\programdata\Pinnacle
2009-04-16 20:18 . 2009-04-16 20:18 -------- d-----w c:\users\All Users\Pinnacle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 19:38 . 2008-06-16 07:12 41850400 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-13 19:26 . 2008-06-16 07:12 563036 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-13 19:25 . 2007-12-11 16:48 12 ----a-w c:\windows\bthservsdp.dat
2009-05-10 17:04 . 2008-08-28 15:22 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-10 17:03 . 2008-08-28 15:23 -------- d-----w c:\program files\AGEIA Technologies
2009-05-10 16:59 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infpub.dat
2009-05-10 16:59 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-05-10 16:58 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstor.dat
2009-05-10 14:41 . 2008-10-28 10:21 -------- d-----w c:\program files\SystemRequirementsLab
2009-05-09 21:06 . 2009-03-13 23:39 -------- d-----w c:\program files\StumbleUpon
2009-05-08 19:56 . 2007-12-11 16:55 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-08 19:54 . 2009-02-27 18:11 -------- d-----w c:\program files\ZC2.10
2009-05-08 19:53 . 2008-03-25 18:12 -------- d-----w c:\program files\Electronic Arts
2009-05-08 19:50 . 2008-03-20 11:37 -------- d-----w c:\program files\Sibelius Software
2009-05-08 19:45 . 2008-10-29 17:12 -------- d-----w c:\program files\LimeWire
2009-05-08 18:12 . 2008-05-20 20:05 7592 ----a-w c:\users\Callum\AppData\Local\d3d9caps.dat
2009-05-06 19:16 . 2008-03-04 18:11 63630 ----a-w c:\users\Callum\AppData\Roaming\nvModes.dat
2009-04-30 21:02 . 2009-04-30 21:02 4224 ----a-w c:\windows\system32\drivers\nvBridge.kmd
2009-04-30 21:02 . 2007-12-11 16:40 7593472 ----a-w c:\windows\system32\nvd3dum.dll
2009-04-30 21:02 . 2007-12-11 16:40 983552 ----a-w c:\windows\system32\nvapi.dll
2009-04-26 08:32 . 2007-12-11 16:52 457248 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-18 02:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-02 22:24 . 2009-04-02 22:04 -------- d-----w c:\program files\TABLET
2009-04-02 17:32 . 2008-03-16 10:21 -------- d-----w c:\program files\GIMP-2.0
2009-03-23 17:37 . 2008-03-04 17:30 129640 ----a-w c:\users\Callum\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-22 22:11 . 2009-03-22 22:11 -------- d-----w c:\program files\JRE
2009-03-22 22:10 . 2008-12-22 20:14 -------- d-----w c:\program files\OpenOffice.org 3
2009-03-15 14:14 . 2008-03-06 19:44 -------- d-----w c:\program files\Windows Live
2009-03-14 20:27 . 2009-03-01 22:34 34 ----a-w c:\users\Callum\jagex_runescape_preferences.dat
2009-03-03 04:46 . 2009-04-17 16:27 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 16:27 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-17 16:27 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 16:27 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 16:27 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 16:27 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 16:27 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 16:27 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 16:27 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 16:27 17408 ----a-w c:\windows\system32\iashost.exe
2008-04-02 08:53 . 2008-04-02 08:53 604 ---ha-w c:\program files\STLL Notifier
2008-03-23 16:15 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-09-10 13:49 . 2008-09-10 13:49 5817064 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((( [email protected]_18.01.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-10 16:57 . 2009-05-10 16:57 62976 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90RUS.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 46080 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90KOR.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 46592 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90JPN.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 64512 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90ITA.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 66048 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90FRA.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 65024 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90ESP.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 65024 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90ESN.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 56832 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90ENU.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 66560 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90DEU.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 39936 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90CHT.DLL
+ 2009-05-10 16:57 . 2009-05-10 16:57 38912 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90CHS.DLL
+ 2009-05-10 16:56 . 2009-05-10 16:56 59904 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf\mfcm90u.dll
+ 2009-05-10 16:56 . 2009-05-10 16:56 59904 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf\mfcm90.dll
+ 2009-05-10 16:57 . 2009-05-10 16:57 80896 c:\windows\winsxs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d60651e\mfcm90ud.dll
+ 2009-05-10 16:57 . 2009-05-10 16:57 80896 c:\windows\winsxs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d60651e\mfcm90d.dll
+ 2007-12-11 18:58 . 2009-05-13 19:29 72992 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-13 19:29 82602 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-04 17:29 . 2009-05-13 19:29 12492 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-876949166-2356526091-556372466-1003_UserData.bin
+ 2009-05-08 21:41 . 2009-02-05 20:06 51376 c:\windows\System32\drivers\aswTdi.sys
+ 2009-05-08 21:41 . 2009-02-05 20:06 23152 c:\windows\System32\drivers\aswRdr.sys
+ 2009-05-08 21:41 . 2009-02-05 20:07 20560 c:\windows\System32\drivers\aswFsBlk.sys
+ 2008-03-04 17:51 . 2009-05-13 19:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-04 17:51 . 2009-05-08 17:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-04 17:51 . 2009-05-08 17:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-04 17:51 . 2009-05-13 19:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-04 17:51 . 2009-05-08 17:42 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-03-04 17:51 . 2009-05-13 19:28 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-08 21:41 . 2009-02-05 20:04 97480 c:\windows\System32\AvastSS.scr
+ 2008-03-06 21:38 . 2009-05-12 21:37 7642 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-03-31 19:51 . 2009-05-10 17:22 1856 c:\windows\System32\WDI\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}.bin
+ 2009-05-13 19:27 . 2009-05-13 19:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-05 06:56 . 2009-05-05 06:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-13 19:27 . 2009-05-13 19:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-05-05 06:56 . 2009-05-05 06:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-10 16:57 . 2009-05-10 16:57 875520 c:\windows\winsxs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb\msvcp90d.dll
+ 2009-05-10 16:57 . 2009-05-10 16:57 312832 c:\windows\winsxs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb\msvcm90d.dll
+ 2009-05-10 16:56 . 2009-05-10 16:56 655872 c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada\msvcr90.dll
+ 2009-05-10 16:56 . 2009-05-10 16:56 572928 c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada\msvcp90.dll
+ 2009-05-10 16:56 . 2009-05-10 16:56 225280 c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada\msvcm90.dll
+ 2009-05-10 16:56 . 2009-05-10 16:56 161784 c:\windows\winsxs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e\ATL90.dll
+ 2008-01-12 09:14 . 2009-05-13 17:35 409272 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-01-12 05:36 . 2009-05-09 10:31 231182 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2009-05-13 19:34 688394 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-13 19:34 140112 c:\windows\System32\perfc009.dat
+ 2009-04-30 21:02 . 2009-04-30 21:02 457248 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvudisp.exe
+ 2009-04-30 21:02 . 2009-04-30 21:02 663552 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvcuvid.dll
+ 2009-04-30 21:02 . 2009-04-30 21:02 143360 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvcod.dll
+ 2009-04-30 21:02 . 2009-04-30 21:02 983552 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvapi.dll
+ 2009-04-30 21:02 . 2009-04-30 21:02 795104 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\dpinst.exe
+ 2009-05-08 21:41 . 2009-02-05 20:07 114768 c:\windows\System32\drivers\aswSP.sys
- 2008-11-09 21:52 . 2008-11-09 21:52 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
+ 2008-11-09 21:52 . 2009-05-08 18:14 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
+ 2009-05-10 16:56 . 2009-05-10 16:56 3783672 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf\mfc90u.dll
+ 2009-05-10 16:56 . 2009-05-10 16:56 3768312 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf\mfc90.dll
+ 2009-05-10 16:57 . 2009-05-10 16:57 5982720 c:\windows\winsxs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d60651e\mfc90ud.dll
+ 2009-05-10 16:57 . 2009-05-10 16:57 5937144 c:\windows\winsxs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d60651e\mfc90d.dll
+ 2009-05-10 16:57 . 2009-05-10 16:57 1180672 c:\windows\winsxs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb\msvcr90d.dll
+ 2006-11-02 10:22 . 2009-05-10 17:18 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2009-04-18 02:27 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-04-30 21:02 . 2009-04-30 21:02 3128320 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvwgf2um.dll
+ 2009-04-30 21:02 . 2009-04-30 21:02 9850016 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvlddmkm.sys
+ 2009-04-30 21:02 . 2009-04-30 21:02 7593472 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvd3dum.dll
+ 2009-04-30 21:02 . 2009-04-30 21:02 1314816 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvcuvenc.dll
+ 2009-04-30 21:02 . 2009-04-30 21:02 1704960 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvcuda.dll
+ 2009-05-08 21:41 . 2009-02-05 20:11 1256296 c:\windows\System32\aswBoot.exe
+ 2009-04-30 21:02 . 2009-04-30 21:02 10366976 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\nvoglv32.dll
+ 2009-04-30 21:02 . 2009-04-30 21:02 38177933 c:\windows\System32\DriverStore\FileRepository\nvsm.inf_7199c111\NvCplSetupInt.exe
+ 2008-10-15 00:42 . 2008-10-15 00:42 13219184 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7448A3100000030\8.1.3\AcroRd32.dll
+ 2008-03-09 19:59 . 2009-05-10 16:57 211128274 c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-19 49664]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-01 39408]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 857648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-05 185896]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-13 4702208]
"WTClient"="WTClient.exe" - c:\windows\System32\WTClient.exe [2007-04-11 40960]

c:\users\Callum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-5 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll c:\progra~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5CC75033-716D-46AA-BEB2-12E44B2A5697}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{7BE7CE12-7315-4CA5-8979-4ECBB5780E8D}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{C7401F28-DF48-4124-93AD-D591B4FDB418}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{E4C5119A-AE39-4C6F-BA29-E6BC2284B08B}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{2B66DFC3-984F-4A64-9427-CB4EC60C321C}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{DADB0108-E6C9-4388-AF7E-A7DD83279247}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{65747B66-4404-443C-AD0D-3EB775013C17}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{D48CBDD0-67F6-4492-B958-79227CB6B86D}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{CB2C4E30-7DC1-47C2-8F83-4B013198EBF3}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{DE03F094-EFAD-4AE2-B045-1528EE6E5510}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{2DD94CB1-C2E9-404F-BA0F-28C6DCBBF3B4}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{F59E8879-B080-44A8-AC48-5C47D7A78C03}"= UDP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{42D7774A-F8D3-40D7-8534-900CC445832B}"= TCP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{86673FB9-6D12-4928-BC62-FAF56948CE21}"= UDP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{DFE23BC6-76D6-42BA-81AF-ED7B0CD982BC}"= TCP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{F1F46A5C-72F7-4C47-B495-939D591D295C}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{6E7D07AE-5361-4ECC-AC8A-6EB9EB68937A}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{26D07211-DD59-4CAF-9424-6983A0428AF6}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{909B0815-BB16-44B9-A767-2A212165B4C8}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{B5704BF0-F987-47DC-80BC-D09821FA2B62}c:\\program files\\participatory culture foundation\\miro\\xulrunner\\python\\miro_downloader.exe"= UDP:c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe:Miro_Downloader
"UDP Query User{28F0D755-2B89-42D1-A8E5-DDC049469CAE}c:\\program files\\participatory culture foundation\\miro\\xulrunner\\python\\miro_downloader.exe"= TCP:c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe:Miro_Downloader
"TCP Query User{FB273DF2-38AB-4DA0-9E36-7682145C2964}c:\\program files\\ufoai-2.2.1\\ufo.exe"= UDP:c:\program files\ufoai-2.2.1\ufo.exe:UFO:Alien Invasion
"UDP Query User{3D166725-70CD-4D51-B314-976061309409}c:\\program files\\ufoai-2.2.1\\ufo.exe"= TCP:c:\program files\ufoai-2.2.1\ufo.exe:UFO:Alien Invasion
"TCP Query User{5618077E-F324-4339-B6E9-E379DC5411B6}c:\\program files\\tmnationsforever\\tmforever.exe"= UDP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{5B67792B-5072-405D-A327-E05AAED8727B}c:\\program files\\tmnationsforever\\tmforever.exe"= TCP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"TCP Query User{841B843D-F43A-46F6-96D3-50560E683ED5}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8AB03A1C-ACD3-439E-B51E-B1F1BDC2A40C}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{B80DBE4D-AEF2-468C-8F0D-52DD8D10B28D}c:\\program files\\icq6\\icq.exe"= UDP:c:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{B0FA516D-29DA-4D4E-AA8E-5B62457722C8}c:\\program files\\icq6\\icq.exe"= TCP:c:\program files\icq6\icq.exe:ICQ Library
"{1668EAE1-1002-4299-8B69-0704AB10AA3B}"= UDP:c:\hodder education\Dynamic Learning (Student Version)\Engine\DL Student.exe:Start DL Student
"{878DE718-35AE-4C12-8F00-FB8CE48A7778}"= TCP:c:\hodder education\Dynamic Learning (Student Version)\Engine\DL Student.exe:Start DL Student
"{C37382C8-DF19-41C2-B1D0-A0C8A8022D3B}"= UDP:c:\program files\Reality Pump\Two Worlds\TwoWorlds.exe:Two Worlds
"{9971E6CB-6C9F-4D85-8725-806F5496EF2B}"= TCP:c:\program files\Reality Pump\Two Worlds\TwoWorlds.exe:Two Worlds
"{019B9154-4D3A-4D58-9D14-5BC041CC9AF0}"= UDP:c:\program files\Reality Pump\Two Worlds\TwoWorlds_RADEON.exe:Two Worlds
"{07CC9591-AE5A-464C-9C19-DD43065BD8EC}"= TCP:c:\program files\Reality Pump\Two Worlds\TwoWorlds_RADEON.exe:Two Worlds
"{08FC54E3-220C-4C86-974D-ED6491453CAA}"= UDP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.1
"{C23E438B-01CE-4416-9D8C-E53029AFB5CC}"= TCP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.1
"{4F44CB3D-AB4C-44F0-9BC3-4BE81A9808A5}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{15081D50-64FC-45A2-BA0A-15AD88D7F91B}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{14EF1673-B895-4E7C-83A5-882CC7A5CD98}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{89884B7C-7337-4BF5-A2E3-0770BD6931C0}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{08327DD8-C9E9-46CC-BAFD-D48B41D84404}"= UDP:60558:utor
"{317D5F80-0AB9-4450-8905-AB0C64D64790}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FarCry2.exe:Far Cry 2
"{7806D0BC-0999-4580-88BD-AEB4F99B83EA}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FarCry2.exe:Far Cry 2
"{12EBD979-66B2-4E0F-8A3C-8409584A916D}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
"{1C96F153-F3CD-4021-B7B8-D8DB36334808}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
"{5F9B0AE9-1C4A-4D57-A912-A6DDC1E5E85C}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:Editor
"{A962DB6D-236C-4CAF-8B6D-F7690B13E33C}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:Editor
"{F74A162E-0E05-4E3A-97EE-E4E93F6D2A3F}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{E7D42BA6-CCDE-44FE-9FDA-66042E88B8CB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{38E67F5F-BD38-462B-B94C-67E92FB6C5BC}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{86A2CC57-9E3E-4CD3-A41E-27C23309D684}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B1336EA1-7F2B-4E14-9893-2951D7E096CD}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2E7D6B32-ED1D-4DAE-ABA3-9BDF23F2E432}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{DB55F700-B74C-424C-8E89-744A7D83D5AB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0CCD62AF-F9E7-4A2C-BA3C-8928BA715B40}"= UDP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{40DFB82C-3720-4BD0-8398-D757A2E71BA8}"= TCP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"TCP Query User{3F7974D7-3FA1-4E49-91DA-F41B940B0B76}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{6BDF6E4A-3871-4180-B3C2-BD466C6B2C31}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"TCP Query User{EB453DC7-4C4A-4DB7-8566-87F810F244D2}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{E73924F7-3212-4CED-8895-3853FE64F7C2}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [08/05/2009 22:41 114768]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [04/04/2007 14:59 20760]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [08/05/2009 22:41 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [08/05/2009 22:41 51792]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 18:50 30312]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\System32\drivers\KMDFMEMIO.sys [11/12/2007 18:01 13312]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\System32\drivers\PTSimBus.sys [02/04/2009 23:04 18944]
S2 0285861213634572mcinstcleanup;0285861213634572mcinstcleanup; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 951632]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 23:31 29263712]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [02/11/2006 11:25 2589184]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\System32\drivers\PTSimHid.sys [02/04/2009 23:04 10752]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [12/04/2009 19:19 120168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f650626-eea9-11dd-95bf-0013776774c9}]
\shell\Autoplay\command - F:\autorun.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\autorun.exe
\shell\explore\Command - F:\autorun.exe
\shell\Open\Command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8445d00-f7e3-11dd-b66d-806e6f6e6963}]
\shell\AutoRun\command - E:\FalloutLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8e2abd2-c232-11dc-90cf-0013776774c9}]
\shell\Autoplay\command - usb_installer.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL usb_installer.exe
\shell\explore\Command - usb_installer.exe
\shell\Open\Command - usb_installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd05c235-0cd5-11de-8ffa-001377b2eeb9}]
\shell\Autoplay\command - usb_smss.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL usb_smss.exe
\shell\explore\Command - usb_smss.exe
\shell\Open\Command - usb_smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d70711ba-ba70-11dd-82d8-0013776774c9}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f40a79f7-ec6d-11dc-9a19-0013776774c9}]
\shell\AutoRun\command - F:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-05-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-07 22:00]

2009-05-13 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2008-10-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-05-13 c:\windows\Tasks\SupBackGroundTask.job
- c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe [2008-09-25 17:34]

2009-05-12 c:\windows\Tasks\User_Feed_Synchronization-{A68B820F-5236-4501-B7B7-188E2FCAF47E}.job
- c:\windows\system32\msfeedssync.exe [2008-03-23 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Callum\AppData\Roaming\Mozilla\Firefox\Profiles\oe8xlfcq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 20:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-876949166-2356526091-556372466-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0FC44936-1475-A87F-62E3-613A08971526}*]
"bbllbjpcgpkapojbgochhhbpkgpnpgmnkkok"=hex:61,61,00,00
"abllbjpcgpkapojbgonhjmkecocifnggmk"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-876949166-2356526091-556372466-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:51,85,f4,a1,88,8c,4a,b8,9c,6b,6b,5b,f7,98,d4,ef,23,ac,70,ae,63,95,3f,
68,ca,82,09,86,f5,f9,78,e1,c0,e1,eb,4a,3e,a4,20,93,ca,5a,d9,75,f2,a4,61,4a,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-876949166-2356526091-556372466-1003\Software\SecuROM\License information*]
"datasecu"=hex:fa,e8,f1,7c,ad,ce,79,ac,00,a4,b2,7b,13,52,ae,81,d7,a2,11,ab,e2,
1e,af,32,0d,27,f9,ec,72,0f,9d,be,0d,7f,ea,74,2d,ae,2d,b1,8c,9b,9d,69,3b,16,\
"rkeysecu"=hex:57,94,b2,4d,4c,cd,fe,bf,32,a3,20,a6,ce,19,23,b7

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5908)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
Completion time: 2009-05-13 20:42
ComboFix-quarantined-files.txt 2009-05-13 19:42
ComboFix2.txt 2009-05-08 18:03

Pre-Run: 31,410,601,984 bytes free
Post-Run: 31,413,809,152 bytes free

410 --- E O F --- 2009-05-05 02:04



Thanks for your help :)

The Oddball Microsoftie
Hello, cw99388 :)
I couldn't run the MBR.exe, when I tried it flashed up with a black console and then disappeared.
That's all it's supposed to do. It should create a log in the same folder as the tool. Please check and see if that log is there....

Billy3

The Oddball Microsoftie
Hello, cw99388 :)
We need to re-run ComboFix with some additional directives.
  1. Please disable any running anti-virus programs.
    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  4. Open notepad and copy/paste the text in the quotebox below into it:
    Code:
    firefox::
    FF - ProfilePath - c:\users\Callum\AppData\Roaming\Mozilla\Firefox\Profiles\oe8xlfcq.default\
    FF - prefs.js: network.proxy.type - 4
    driver::
    0285861213634572mcinstcleanup
    regnull::
    [HKEY_USERS\S-1-5-21-876949166-2356526091-556372466-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0FC44936-1475-A87F-62E3-613A08971526}*]
    reglockdel::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]
  5. Save this as CFScript.txt, in the same location as ComboFix.exe

  6. Referring to the picture above, drag CFScript into ComboFix.exe
  7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt
Billy3

Discussion Starter · #7 ·
Here you go...

Thanks :)


ComboFix 09-05-13.01 - Callum 15/05/2009 17:44.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1144 [GMT 1:00]
Running from: c:\users\Callum\Downloads\ComboFix.exe
Command switches used :: c:\users\Callum\Downloads\cfscript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_0285861213634572mcinstcleanup


((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-10 17:47 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-10 16:58 . 2009-05-10 16:59 -------- dc-h--w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-10 16:58 . 2009-05-10 16:59 -------- dc-h--w c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-10 16:57 . 2009-05-10 16:57 -------- d-----w c:\program files\Lavasoft
2009-05-10 16:57 . 2009-05-10 17:19 -------- d-----w c:\programdata\Lavasoft
2009-05-10 16:57 . 2009-05-10 17:19 -------- d-----w c:\users\All Users\Lavasoft
2009-05-10 16:52 . 2009-05-10 16:52 -------- d-----w C:\NVIDIA
2009-05-08 21:41 . 2009-02-05 20:06 51792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
2009-05-08 21:41 . 2003-03-18 19:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-05-08 21:41 . 2009-05-08 21:41 -------- d-----w c:\program files\Alwil Software
2009-05-03 15:57 . 2009-05-03 15:57 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-30 21:02 . 2009-04-30 21:02 9850016 ----a-w c:\windows\system32\drivers\nvlddmkm.sys
2009-04-30 21:02 . 2009-04-30 21:02 795104 ----a-w c:\windows\system32\dpinst.exe
2009-04-30 21:02 . 2009-04-30 21:02 143360 ----a-w c:\windows\system32\nvcod.dll
2009-04-30 21:02 . 2009-04-30 21:02 143360 ----a-w c:\windows\system32\nvcod146.dll
2009-04-30 21:02 . 2009-04-30 21:02 1704960 ----a-w c:\windows\system32\nvcuda.dll
2009-04-30 21:02 . 2009-04-30 21:02 1314816 ----a-w c:\windows\system32\nvcuvenc.dll
2009-04-30 21:02 . 2009-04-30 21:02 663552 ----a-w c:\windows\system32\nvcuvid.dll
2009-04-30 21:02 . 2009-04-30 21:02 10366976 ----a-w c:\windows\system32\nvoglv32.dll
2009-04-30 21:02 . 2009-04-30 21:02 457248 ----a-w c:\windows\system32\nvudisp.exe
2009-04-30 21:02 . 2009-04-30 21:02 3128320 ----a-w c:\windows\system32\nvwgf2um.dll
2009-04-29 18:31 . 2009-04-29 18:31 -------- d-----w c:\users\Callum\AppData\Local\Evernote
2009-04-29 18:31 . 2009-04-29 18:31 -------- d-----w c:\program files\Evernote
2009-04-26 08:35 . 2009-04-26 08:35 -------- d-----w c:\programdata\PopCap
2009-04-26 08:35 . 2009-04-26 08:35 -------- d-----w c:\users\All Users\PopCap
2009-04-26 08:34 . 2009-04-26 08:34 -------- d-----w c:\program files\PopCap Games
2009-04-23 20:42 . 2009-04-23 20:42 -------- d-----w c:\users\Callum\.phet
2009-04-23 20:28 . 2009-05-04 21:06 -------- d-----w c:\users\Callum\AppData\Roaming\Juniper Networks
2009-04-18 22:31 . 2009-04-18 22:31 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-18 22:31 . 2009-04-18 22:31 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-18 20:56 . 2009-04-28 21:08 -------- d-----w c:\program files\Spyware Terminator
2009-04-17 16:26 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-17 16:26 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-17 16:26 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-17 16:26 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
2009-04-17 16:24 . 2009-03-03 04:40 827392 ----a-w c:\windows\system32\wininet.dll
2009-04-17 16:24 . 2009-03-03 02:28 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-04-17 16:24 . 2009-03-03 04:37 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\program files\Pinnacle
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\program files\Steinberg
2009-04-16 20:18 . 2009-04-16 20:18 -------- d-----w c:\programdata\Pinnacle
2009-04-16 20:18 . 2009-04-16 20:18 -------- d-----w c:\users\All Users\Pinnacle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 16:56 . 2008-06-16 07:12 42018848 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-15 16:53 . 2008-06-16 07:12 565772 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-15 16:52 . 2007-12-11 16:48 12 ----a-w c:\windows\bthservsdp.dat
2009-05-10 17:04 . 2008-08-28 15:22 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-10 17:03 . 2008-08-28 15:23 -------- d-----w c:\program files\AGEIA Technologies
2009-05-10 16:59 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infpub.dat
2009-05-10 16:59 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-05-10 16:58 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstor.dat
2009-05-10 14:41 . 2008-10-28 10:21 -------- d-----w c:\program files\SystemRequirementsLab
2009-05-09 21:06 . 2009-03-13 23:39 -------- d-----w c:\program files\StumbleUpon
2009-05-08 19:56 . 2007-12-11 16:55 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-08 19:54 . 2009-02-27 18:11 -------- d-----w c:\program files\ZC2.10
2009-05-08 19:53 . 2008-03-25 18:12 -------- d-----w c:\program files\Electronic Arts
2009-05-08 19:50 . 2008-03-20 11:37 -------- d-----w c:\program files\Sibelius Software
2009-05-08 19:45 . 2008-10-29 17:12 -------- d-----w c:\program files\LimeWire
2009-05-08 18:12 . 2008-05-20 20:05 7592 ----a-w c:\users\Callum\AppData\Local\d3d9caps.dat
2009-05-06 19:16 . 2008-03-04 18:11 63630 ----a-w c:\users\Callum\AppData\Roaming\nvModes.dat
2009-04-30 21:02 . 2009-04-30 21:02 4224 ----a-w c:\windows\system32\drivers\nvBridge.kmd
2009-04-30 21:02 . 2007-12-11 16:40 7593472 ----a-w c:\windows\system32\nvd3dum.dll
2009-04-30 21:02 . 2007-12-11 16:40 983552 ----a-w c:\windows\system32\nvapi.dll
2009-04-26 08:32 . 2007-12-11 16:52 457248 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-18 02:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-02 22:24 . 2009-04-02 22:04 -------- d-----w c:\program files\TABLET
2009-04-02 17:32 . 2008-03-16 10:21 -------- d-----w c:\program files\GIMP-2.0
2009-03-23 17:37 . 2008-03-04 17:30 129640 ----a-w c:\users\Callum\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-22 22:11 . 2009-03-22 22:11 -------- d-----w c:\program files\JRE
2009-03-22 22:10 . 2008-12-22 20:14 -------- d-----w c:\program files\OpenOffice.org 3
2009-03-14 20:27 . 2009-03-01 22:34 34 ----a-w c:\users\Callum\jagex_runescape_preferences.dat
2009-03-03 04:46 . 2009-04-17 16:27 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 16:27 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-17 16:27 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 16:27 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 16:27 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 16:27 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 16:27 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 16:27 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 16:27 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 16:27 17408 ----a-w c:\windows\system32\iashost.exe
2008-04-02 08:53 . 2008-04-02 08:53 604 ---ha-w c:\program files\STLL Notifier
2008-03-23 16:15 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-09-10 13:49 . 2008-09-10 13:49 5817064 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-05-13_19.40.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-11 18:58 . 2009-05-13 19:50 73056 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-15 16:58 83206 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-04 17:29 . 2009-05-15 16:58 12808 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-876949166-2356526091-556372466-1003_UserData.bin
+ 2008-03-04 17:51 . 2009-05-15 16:54 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-04 17:51 . 2009-05-13 19:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-04 17:51 . 2009-05-13 19:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-04 17:51 . 2009-05-15 16:54 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-04 17:51 . 2009-05-15 16:54 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-04 17:51 . 2009-05-13 19:28 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-15 16:53 . 2009-05-15 16:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-13 19:27 . 2009-05-13 19:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-15 16:53 . 2009-05-15 16:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-05-13 19:27 . 2009-05-13 19:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-01-12 09:14 . 2009-05-15 16:30 413184 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2006-11-02 10:33 . 2009-05-13 19:52 684472 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-13 19:52 136190 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-19 49664]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-01 39408]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 857648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-05 185896]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-13 4702208]
"WTClient"="WTClient.exe" - c:\windows\System32\WTClient.exe [2007-04-11 40960]

c:\users\Callum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-5 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll c:\progra~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5CC75033-716D-46AA-BEB2-12E44B2A5697}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{7BE7CE12-7315-4CA5-8979-4ECBB5780E8D}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{C7401F28-DF48-4124-93AD-D591B4FDB418}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{E4C5119A-AE39-4C6F-BA29-E6BC2284B08B}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{2B66DFC3-984F-4A64-9427-CB4EC60C321C}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{DADB0108-E6C9-4388-AF7E-A7DD83279247}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{65747B66-4404-443C-AD0D-3EB775013C17}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{D48CBDD0-67F6-4492-B958-79227CB6B86D}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{CB2C4E30-7DC1-47C2-8F83-4B013198EBF3}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{DE03F094-EFAD-4AE2-B045-1528EE6E5510}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{2DD94CB1-C2E9-404F-BA0F-28C6DCBBF3B4}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{F59E8879-B080-44A8-AC48-5C47D7A78C03}"= UDP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{42D7774A-F8D3-40D7-8534-900CC445832B}"= TCP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{86673FB9-6D12-4928-BC62-FAF56948CE21}"= UDP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{DFE23BC6-76D6-42BA-81AF-ED7B0CD982BC}"= TCP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{F1F46A5C-72F7-4C47-B495-939D591D295C}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{6E7D07AE-5361-4ECC-AC8A-6EB9EB68937A}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{26D07211-DD59-4CAF-9424-6983A0428AF6}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{909B0815-BB16-44B9-A767-2A212165B4C8}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{B5704BF0-F987-47DC-80BC-D09821FA2B62}c:\\program files\\participatory culture foundation\\miro\\xulrunner\\python\\miro_downloader.exe"= UDP:c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe:Miro_Downloader
"UDP Query User{28F0D755-2B89-42D1-A8E5-DDC049469CAE}c:\\program files\\participatory culture foundation\\miro\\xulrunner\\python\\miro_downloader.exe"= TCP:c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe:Miro_Downloader
"TCP Query User{FB273DF2-38AB-4DA0-9E36-7682145C2964}c:\\program files\\ufoai-2.2.1\\ufo.exe"= UDP:c:\program files\ufoai-2.2.1\ufo.exe:UFO:Alien Invasion
"UDP Query User{3D166725-70CD-4D51-B314-976061309409}c:\\program files\\ufoai-2.2.1\\ufo.exe"= TCP:c:\program files\ufoai-2.2.1\ufo.exe:UFO:Alien Invasion
"TCP Query User{5618077E-F324-4339-B6E9-E379DC5411B6}c:\\program files\\tmnationsforever\\tmforever.exe"= UDP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{5B67792B-5072-405D-A327-E05AAED8727B}c:\\program files\\tmnationsforever\\tmforever.exe"= TCP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"TCP Query User{841B843D-F43A-46F6-96D3-50560E683ED5}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8AB03A1C-ACD3-439E-B51E-B1F1BDC2A40C}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{B80DBE4D-AEF2-468C-8F0D-52DD8D10B28D}c:\\program files\\icq6\\icq.exe"= UDP:c:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{B0FA516D-29DA-4D4E-AA8E-5B62457722C8}c:\\program files\\icq6\\icq.exe"= TCP:c:\program files\icq6\icq.exe:ICQ Library
"{1668EAE1-1002-4299-8B69-0704AB10AA3B}"= UDP:c:\hodder education\Dynamic Learning (Student Version)\Engine\DL Student.exe:Start DL Student
"{878DE718-35AE-4C12-8F00-FB8CE48A7778}"= TCP:c:\hodder education\Dynamic Learning (Student Version)\Engine\DL Student.exe:Start DL Student
"{C37382C8-DF19-41C2-B1D0-A0C8A8022D3B}"= UDP:c:\program files\Reality Pump\Two Worlds\TwoWorlds.exe:Two Worlds
"{9971E6CB-6C9F-4D85-8725-806F5496EF2B}"= TCP:c:\program files\Reality Pump\Two Worlds\TwoWorlds.exe:Two Worlds
"{019B9154-4D3A-4D58-9D14-5BC041CC9AF0}"= UDP:c:\program files\Reality Pump\Two Worlds\TwoWorlds_RADEON.exe:Two Worlds
"{07CC9591-AE5A-464C-9C19-DD43065BD8EC}"= TCP:c:\program files\Reality Pump\Two Worlds\TwoWorlds_RADEON.exe:Two Worlds
"{08FC54E3-220C-4C86-974D-ED6491453CAA}"= UDP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.1
"{C23E438B-01CE-4416-9D8C-E53029AFB5CC}"= TCP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.1
"{4F44CB3D-AB4C-44F0-9BC3-4BE81A9808A5}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{15081D50-64FC-45A2-BA0A-15AD88D7F91B}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{14EF1673-B895-4E7C-83A5-882CC7A5CD98}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{89884B7C-7337-4BF5-A2E3-0770BD6931C0}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{08327DD8-C9E9-46CC-BAFD-D48B41D84404}"= UDP:60558:utor
"{317D5F80-0AB9-4450-8905-AB0C64D64790}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FarCry2.exe:Far Cry 2
"{7806D0BC-0999-4580-88BD-AEB4F99B83EA}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FarCry2.exe:Far Cry 2
"{12EBD979-66B2-4E0F-8A3C-8409584A916D}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
"{1C96F153-F3CD-4021-B7B8-D8DB36334808}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
"{5F9B0AE9-1C4A-4D57-A912-A6DDC1E5E85C}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:Editor
"{A962DB6D-236C-4CAF-8B6D-F7690B13E33C}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:Editor
"{F74A162E-0E05-4E3A-97EE-E4E93F6D2A3F}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{E7D42BA6-CCDE-44FE-9FDA-66042E88B8CB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{38E67F5F-BD38-462B-B94C-67E92FB6C5BC}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{86A2CC57-9E3E-4CD3-A41E-27C23309D684}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B1336EA1-7F2B-4E14-9893-2951D7E096CD}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2E7D6B32-ED1D-4DAE-ABA3-9BDF23F2E432}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{DB55F700-B74C-424C-8E89-744A7D83D5AB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0CCD62AF-F9E7-4A2C-BA3C-8928BA715B40}"= UDP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{40DFB82C-3720-4BD0-8398-D757A2E71BA8}"= TCP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"TCP Query User{3F7974D7-3FA1-4E49-91DA-F41B940B0B76}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{6BDF6E4A-3871-4180-B3C2-BD466C6B2C31}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"TCP Query User{EB453DC7-4C4A-4DB7-8566-87F810F244D2}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{E73924F7-3212-4CED-8895-3853FE64F7C2}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [08/05/2009 22:41 114768]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [04/04/2007 14:59 20760]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [08/05/2009 22:41 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [08/05/2009 22:41 51792]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 18:50 30312]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\System32\drivers\KMDFMEMIO.sys [11/12/2007 18:01 13312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 951632]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\System32\drivers\PTSimBus.sys [02/04/2009 23:04 18944]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 23:31 29263712]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [02/11/2006 11:25 2589184]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\System32\drivers\PTSimHid.sys [02/04/2009 23:04 10752]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [12/04/2009 19:19 120168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f650626-eea9-11dd-95bf-0013776774c9}]
\shell\Autoplay\command - F:\autorun.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\autorun.exe
\shell\explore\Command - F:\autorun.exe
\shell\Open\Command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8445d00-f7e3-11dd-b66d-806e6f6e6963}]
\shell\AutoRun\command - E:\FalloutLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8e2abd2-c232-11dc-90cf-0013776774c9}]
\shell\Autoplay\command - usb_installer.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL usb_installer.exe
\shell\explore\Command - usb_installer.exe
\shell\Open\Command - usb_installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd05c235-0cd5-11de-8ffa-001377b2eeb9}]
\shell\Autoplay\command - usb_smss.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL usb_smss.exe
\shell\explore\Command - usb_smss.exe
\shell\Open\Command - usb_smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d70711ba-ba70-11dd-82d8-0013776774c9}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f40a79f7-ec6d-11dc-9a19-0013776774c9}]
\shell\AutoRun\command - F:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-05-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-07 22:00]

2009-05-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2008-10-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-05-15 c:\windows\Tasks\SupBackGroundTask.job
- c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe [2008-09-25 17:34]

2009-05-14 c:\windows\Tasks\User_Feed_Synchronization-{A68B820F-5236-4501-B7B7-188E2FCAF47E}.job
- c:\windows\system32\msfeedssync.exe [2008-03-23 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Callum\AppData\Roaming\Mozilla\Firefox\Profiles\oe8xlfcq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 17:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-876949166-2356526091-556372466-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:51,85,f4,a1,88,8c,4a,b8,9c,6b,6b,5b,f7,98,d4,ef,23,ac,70,ae,63,95,3f,
68,ca,82,09,86,f5,f9,78,e1,c0,e1,eb,4a,3e,a4,20,93,ca,5a,d9,75,f2,a4,61,4a,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-876949166-2356526091-556372466-1003\Software\SecuROM\License information*]
"datasecu"=hex:fa,e8,f1,7c,ad,ce,79,ac,00,a4,b2,7b,13,52,ae,81,d7,a2,11,ab,e2,
1e,af,32,0d,27,f9,ec,72,0f,9d,be,0d,7f,ea,74,2d,ae,2d,b1,8c,9b,9d,69,3b,16,\
"rkeysecu"=hex:57,94,b2,4d,4c,cd,fe,bf,32,a3,20,a6,ce,19,23,b7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5380)
c:\windows\system32\btncopy.dll
c:\windows\system32\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\drivers\WTSrv.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Samsung\Samsung Recovery Solution II\WCScheduler.exe
c:\program files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
c:\windows\System32\conime.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\microsoft shared\ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2009-05-15 18:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 17:04
ComboFix2.txt 2009-05-13 19:42
ComboFix3.txt 2009-05-08 18:03

Pre-Run: 31,288,803,328 bytes free
Post-Run: 30,752,800,768 bytes free

370 --- E O F --- 2009-05-05 02:04

The Oddball Microsoftie · 1,838 Posts
Hello, cw99388 :)
I'm sorry... missed a few lines. Are things any better with your browsers?

We need to re-run ComboFix with some additional directives.
  1. Please disable any running anti-virus programs.
    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  4. Open notepad and copy/paste the text in the quotebox below into it:
    Code:
    registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8e2abd2-c232-11dc-90cf-0013776774c9}]
    [-HKEY_CLASSES_ROOT\CLSID\{b8e2abd2-c232-11dc-90cf-0013776774c9}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd05c235-0cd5-11de-8ffa-001377b2eeb9}]
    [-HKEY_CLASSES_ROOT\CLSID\{bd05c235-0cd5-11de-8ffa-001377b2eeb9}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f650626-eea9-11dd-95bf-0013776774c9}]
    [-HKEY_CLASSES_ROOT\CLSID\{1f650626-eea9-11dd-95bf-0013776774c9}]
    file::
    F:\autorun.exe
  5. Save this as CFScript.txt, in the same location as ComboFix.exe

  6. Referring to the picture above, drag CFScript into ComboFix.exe
  7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

I would like us to use ESET (NOD32)'s Online Scanner
  1. Please go to ESET OnlineScan (NOD32)
  2. You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  3. Now click Start
  4. Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  5. Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  6. To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  7. Press Scan
  8. The Onlinescan will now start and scan your pc (this could take a while)
  9. When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  10. Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  11. The Scanresults will now open in Notepad
  12. Click into the text area, right-click and choose "select all" (or use <Control>+A)
  13. Right-click again and choose "Copy" (or <Control>+C)
  14. Close/Exit Notepad
  15. Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ComboFix.txt
  • ESET OnlineScan's Log
Billy3
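The three MountPoints2 keys the CFScript above deletes are the ones whose AutoRun command is either a bare filename with no drive letter (usb_installer.exe, usb_smss.exe) or autorun.exe on a removable drive (F:\autorun.exe); the keys pointing at E:\FalloutLauncher.exe, G:\LaunchU3.exe and F:\setupSNK.exe are left alone. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses the MountPoints2 block exactly as ComboFix prints it in the log above, applies that selection rule (my own heuristic, not a rule ComboFix or the helper states), and emits the matching CFScript registry:: and file:: directives, including the HKEY_CLASSES_ROOT\CLSID deletions the helper pairs with each key. The sample block is copied from the log above and embedded so the script runs offline.

```python
import re
from typing import Dict, List

# Sample input: the MountPoints2 entries as ComboFix prints them under
# "Reg Loading Points" in the log above (copied verbatim, trimmed to that block).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f650626-eea9-11dd-95bf-0013776774c9}]
\shell\Autoplay\command - F:\autorun.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\autorun.exe
\shell\explore\Command - F:\autorun.exe
\shell\Open\Command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8445d00-f7e3-11dd-b66d-806e6f6e6963}]
\shell\AutoRun\command - E:\FalloutLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8e2abd2-c232-11dc-90cf-0013776774c9}]
\shell\Autoplay\command - usb_installer.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL usb_installer.exe
\shell\explore\Command - usb_installer.exe
\shell\Open\Command - usb_installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd05c235-0cd5-11de-8ffa-001377b2eeb9}]
\shell\Autoplay\command - usb_smss.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL usb_smss.exe
\shell\explore\Command - usb_smss.exe
\shell\Open\Command - usb_smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d70711ba-ba70-11dd-82d8-0013776774c9}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f40a79f7-ec6d-11dc-9a19-0013776774c9}]
\shell\AutoRun\command - F:\setupSNK.exe
"""

MP2_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB = re.compile(r"^\\shell\\(\w+)\\command - (.+)$", re.I)
# ComboFix shows the AutoRun verb wrapped in rundll32/ShellExec_RunDLL; strip that wrapper.
RUNDLL = re.compile(r"^c:\\windows\\system32\\RunDLL32\.EXE Shell32\.DLL,ShellExec_RunDLL\s+", re.I)
DRIVE = re.compile(r"^[a-z]:\\", re.I)


def parse_mountpoints(log: str) -> Dict[str, Dict[str, str]]:
    """Return {guid: {verb: command}} for every MountPoints2 key in the log text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        m = MP2_KEY.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        if line.startswith("["):
            current = None  # a different key; stop collecting verbs
            continue
        m = VERB.match(line)
        if m and current is not None:
            verb, cmd = m.group(1).lower(), m.group(2).strip()
            keys[current][verb] = RUNDLL.sub("", cmd)
    return keys


def target_of(cmd: str) -> str:
    """First token of the command, i.e. the executable; arguments such as '-a' are dropped."""
    return cmd.split()[0]


def is_suspicious(cmd: str) -> bool:
    """Heuristic (assumption, not a ComboFix rule): a bare filename with no drive
    letter, or any command whose executable is autorun.exe, gets flagged."""
    tgt = target_of(cmd)
    if not DRIVE.match(tgt):
        return True
    return tgt.rsplit("\\", 1)[-1].lower() == "autorun.exe"


def suspicious_keys(log: str) -> List[str]:
    return [guid for guid, verbs in parse_mountpoints(log).items()
            if any(is_suspicious(c) for c in verbs.values())]


def cfscript(log: str) -> str:
    """Build the CFScript text: a registry:: block deleting each flagged MountPoints2
    key plus the matching HKEY_CLASSES_ROOT\\CLSID key, and a file:: block listing
    any flagged absolute path (only paths with a drive letter can be named there)."""
    mp = parse_mountpoints(log)
    lines = ["registry::"]
    files: List[str] = []
    for guid in suspicious_keys(log):
        lines.append(r"[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\%s]" % guid)
        lines.append(r"[-HKEY_CLASSES_ROOT\CLSID\%s]" % guid)
        for cmd in mp[guid].values():
            t = target_of(cmd)
            if DRIVE.match(t) and t not in files:
                files.append(t)
    if files:
        lines.append("file::")
        lines.extend(files)
    return "\n".join(lines)


if __name__ == "__main__":
    print(cfscript(SAMPLE_LOG))
```

Run on the log above it flags exactly the three GUIDs in the helper's CFScript and names F:\autorun.exe under file::. A MountPoints2 entry is created from the autorun.inf of the volume that was plugged in, so a command that is just a filename means the executable sat on the root of that removable device and is resolved relative to whatever the shell's current directory is when the verb fires; that is why such entries deserve a closer look even when the drive is no longer attached.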

Registered · 7 Posts
Discussion Starter · #9
My browsers are still playing up. Also I couldn't get onto eset.com, either through your link or from going to the main page. Clicking on your link came up with "This document contains no data. The network link was interrupted while negotiating a connection. Please try again."

This happened on both Firefox and IE.

However here is the combofix log:



ComboFix 09-05-15.06 - Callum 16/05/2009 14:12.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1047 [GMT 1:00]
Running from: c:\users\Callum\Downloads\ComboFix.exe
Command switches used :: c:\users\Callum\Downloads\cfscript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
F:\autorun.exe
.

((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-10 17:47 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-10 16:58 . 2009-05-10 16:59 -------- dc-h--w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-10 16:58 . 2009-05-10 16:59 -------- dc-h--w c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-10 16:57 . 2009-05-10 16:57 -------- d-----w c:\program files\Lavasoft
2009-05-10 16:57 . 2009-05-10 17:19 -------- d-----w c:\programdata\Lavasoft
2009-05-10 16:57 . 2009-05-10 17:19 -------- d-----w c:\users\All Users\Lavasoft
2009-05-10 16:52 . 2009-05-10 16:52 -------- d-----w C:\NVIDIA
2009-05-08 21:41 . 2009-02-05 20:06 51792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
2009-05-08 21:41 . 2003-03-18 19:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-05-08 21:41 . 2009-05-08 21:41 -------- d-----w c:\program files\Alwil Software
2009-05-03 15:57 . 2009-05-03 15:57 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-30 21:02 . 2009-04-30 21:02 9850016 ----a-w c:\windows\system32\drivers\nvlddmkm.sys
2009-04-30 21:02 . 2009-04-30 21:02 795104 ----a-w c:\windows\system32\dpinst.exe
2009-04-30 21:02 . 2009-04-30 21:02 143360 ----a-w c:\windows\system32\nvcod.dll
2009-04-30 21:02 . 2009-04-30 21:02 143360 ----a-w c:\windows\system32\nvcod146.dll
2009-04-30 21:02 . 2009-04-30 21:02 1704960 ----a-w c:\windows\system32\nvcuda.dll
2009-04-30 21:02 . 2009-04-30 21:02 1314816 ----a-w c:\windows\system32\nvcuvenc.dll
2009-04-30 21:02 . 2009-04-30 21:02 663552 ----a-w c:\windows\system32\nvcuvid.dll
2009-04-30 21:02 . 2009-04-30 21:02 10366976 ----a-w c:\windows\system32\nvoglv32.dll
2009-04-30 21:02 . 2009-04-30 21:02 457248 ----a-w c:\windows\system32\nvudisp.exe
2009-04-30 21:02 . 2009-04-30 21:02 3128320 ----a-w c:\windows\system32\nvwgf2um.dll
2009-04-29 18:31 . 2009-04-29 18:31 -------- d-----w c:\users\Callum\AppData\Local\Evernote
2009-04-29 18:31 . 2009-04-29 18:31 -------- d-----w c:\program files\Evernote
2009-04-26 08:35 . 2009-04-26 08:35 -------- d-----w c:\programdata\PopCap
2009-04-26 08:35 . 2009-04-26 08:35 -------- d-----w c:\users\All Users\PopCap
2009-04-26 08:34 . 2009-04-26 08:34 -------- d-----w c:\program files\PopCap Games
2009-04-23 20:42 . 2009-04-23 20:42 -------- d-----w c:\users\Callum\.phet
2009-04-23 20:28 . 2009-05-04 21:06 -------- d-----w c:\users\Callum\AppData\Roaming\Juniper Networks
2009-04-18 22:31 . 2009-04-18 22:31 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-18 22:31 . 2009-04-18 22:31 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-18 20:56 . 2009-04-28 21:08 -------- d-----w c:\program files\Spyware Terminator
2009-04-17 16:26 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-17 16:26 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-17 16:26 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-17 16:26 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
2009-04-17 16:24 . 2009-03-03 04:40 827392 ----a-w c:\windows\system32\wininet.dll
2009-04-17 16:24 . 2009-03-03 02:28 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-04-17 16:24 . 2009-03-03 04:37 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\program files\Pinnacle
2009-04-16 20:20 . 2009-04-16 20:20 -------- d-----w c:\program files\Steinberg
2009-04-16 20:18 . 2009-04-16 20:18 -------- d-----w c:\programdata\Pinnacle
2009-04-16 20:18 . 2009-04-16 20:18 -------- d-----w c:\users\All Users\Pinnacle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 13:12 . 2008-06-16 07:12 42448928 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-15 17:07 . 2008-06-16 07:12 566180 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-15 17:07 . 2007-12-11 16:48 12 ----a-w c:\windows\bthservsdp.dat
2009-05-10 17:04 . 2008-08-28 15:22 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-10 17:03 . 2008-08-28 15:23 -------- d-----w c:\program files\AGEIA Technologies
2009-05-10 14:41 . 2008-10-28 10:21 -------- d-----w c:\program files\SystemRequirementsLab
2009-05-09 21:06 . 2009-03-13 23:39 -------- d-----w c:\program files\StumbleUpon
2009-05-08 19:56 . 2007-12-11 16:55 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-08 19:54 . 2009-02-27 18:11 -------- d-----w c:\program files\ZC2.10
2009-05-08 19:53 . 2008-03-25 18:12 -------- d-----w c:\program files\Electronic Arts
2009-05-08 19:50 . 2008-03-20 11:37 -------- d-----w c:\program files\Sibelius Software
2009-05-08 19:45 . 2008-10-29 17:12 -------- d-----w c:\program files\LimeWire
2009-05-08 18:12 . 2008-05-20 20:05 7592 ----a-w c:\users\Callum\AppData\Local\d3d9caps.dat
2009-05-06 19:16 . 2008-03-04 18:11 63630 ----a-w c:\users\Callum\AppData\Roaming\nvModes.dat
2009-04-30 21:02 . 2009-04-30 21:02 4224 ----a-w c:\windows\system32\drivers\nvBridge.kmd
2009-04-30 21:02 . 2007-12-11 16:40 7593472 ----a-w c:\windows\system32\nvd3dum.dll
2009-04-30 21:02 . 2007-12-11 16:40 983552 ----a-w c:\windows\system32\nvapi.dll
2009-04-26 08:32 . 2007-12-11 16:52 457248 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-18 02:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-02 22:24 . 2009-04-02 22:04 -------- d-----w c:\program files\TABLET
2009-04-02 17:32 . 2008-03-16 10:21 -------- d-----w c:\program files\GIMP-2.0
2009-03-23 17:37 . 2008-03-04 17:30 129640 ----a-w c:\users\Callum\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-22 22:11 . 2009-03-22 22:11 -------- d-----w c:\program files\JRE
2009-03-22 22:10 . 2008-12-22 20:14 -------- d-----w c:\program files\OpenOffice.org 3
2009-03-14 20:27 . 2009-03-01 22:34 34 ----a-w c:\users\Callum\jagex_runescape_preferences.dat
2009-03-03 04:46 . 2009-04-17 16:27 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 16:27 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-17 16:27 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 16:27 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 16:27 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 16:27 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 16:27 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 16:27 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 16:27 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 16:27 17408 ----a-w c:\windows\system32\iashost.exe
2008-04-02 08:53 . 2008-04-02 08:53 604 ---ha-w c:\program files\STLL Notifier
2008-03-23 16:15 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-09-10 13:49 . 2008-09-10 13:49 5817064 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-05-13_19.40.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-11 18:58 . 2009-05-15 17:11 73208 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-15 17:11 83230 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-04 17:29 . 2009-05-15 16:58 12808 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-876949166-2356526091-556372466-1003_UserData.bin
- 2008-03-20 13:47 . 2009-04-18 17:10 74137 c:\windows\System32\Macromed\Flash\uninstall_activeX.exe
+ 2008-03-20 13:47 . 2009-05-15 17:15 74137 c:\windows\System32\Macromed\Flash\uninstall_activeX.exe
+ 2008-03-04 17:51 . 2009-05-16 10:47 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-04 17:51 . 2009-05-13 19:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-04 17:51 . 2009-05-13 19:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-04 17:51 . 2009-05-16 10:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-04 17:51 . 2009-05-13 19:28 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-03-04 17:51 . 2009-05-16 10:47 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-15 17:08 . 2009-05-15 17:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-13 19:27 . 2009-05-13 19:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-15 17:08 . 2009-05-15 17:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-05-13 19:27 . 2009-05-13 19:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-01-12 09:14 . 2009-05-16 10:46 413664 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2006-11-02 10:33 . 2009-05-13 19:52 684472 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-13 19:52 136190 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-19 49664]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-01 39408]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 857648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-05 185896]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-13 4702208]
"WTClient"="WTClient.exe" - c:\windows\System32\WTClient.exe [2007-04-11 40960]

c:\users\Callum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-5 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll c:\progra~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5CC75033-716D-46AA-BEB2-12E44B2A5697}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{7BE7CE12-7315-4CA5-8979-4ECBB5780E8D}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{C7401F28-DF48-4124-93AD-D591B4FDB418}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{E4C5119A-AE39-4C6F-BA29-E6BC2284B08B}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{2B66DFC3-984F-4A64-9427-CB4EC60C321C}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{DADB0108-E6C9-4388-AF7E-A7DD83279247}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{65747B66-4404-443C-AD0D-3EB775013C17}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{D48CBDD0-67F6-4492-B958-79227CB6B86D}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{CB2C4E30-7DC1-47C2-8F83-4B013198EBF3}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{DE03F094-EFAD-4AE2-B045-1528EE6E5510}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{2DD94CB1-C2E9-404F-BA0F-28C6DCBBF3B4}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{F59E8879-B080-44A8-AC48-5C47D7A78C03}"= UDP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{42D7774A-F8D3-40D7-8534-900CC445832B}"= TCP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{86673FB9-6D12-4928-BC62-FAF56948CE21}"= UDP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{DFE23BC6-76D6-42BA-81AF-ED7B0CD982BC}"= TCP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{F1F46A5C-72F7-4C47-B495-939D591D295C}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{6E7D07AE-5361-4ECC-AC8A-6EB9EB68937A}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{26D07211-DD59-4CAF-9424-6983A0428AF6}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{909B0815-BB16-44B9-A767-2A212165B4C8}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{B5704BF0-F987-47DC-80BC-D09821FA2B62}c:\\program files\\participatory culture foundation\\miro\\xulrunner\\python\\miro_downloader.exe"= UDP:c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe:Miro_Downloader
"UDP Query User{28F0D755-2B89-42D1-A8E5-DDC049469CAE}c:\\program files\\participatory culture foundation\\miro\\xulrunner\\python\\miro_downloader.exe"= TCP:c:\program files\participatory culture foundation\miro\xulrunner\python\miro_downloader.exe:Miro_Downloader
"TCP Query User{FB273DF2-38AB-4DA0-9E36-7682145C2964}c:\\program files\\ufoai-2.2.1\\ufo.exe"= UDP:c:\program files\ufoai-2.2.1\ufo.exe:UFO:Alien Invasion
"UDP Query User{3D166725-70CD-4D51-B314-976061309409}c:\\program files\\ufoai-2.2.1\\ufo.exe"= TCP:c:\program files\ufoai-2.2.1\ufo.exe:UFO:Alien Invasion
"TCP Query User{5618077E-F324-4339-B6E9-E379DC5411B6}c:\\program files\\tmnationsforever\\tmforever.exe"= UDP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{5B67792B-5072-405D-A327-E05AAED8727B}c:\\program files\\tmnationsforever\\tmforever.exe"= TCP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"TCP Query User{841B843D-F43A-46F6-96D3-50560E683ED5}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8AB03A1C-ACD3-439E-B51E-B1F1BDC2A40C}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{B80DBE4D-AEF2-468C-8F0D-52DD8D10B28D}c:\\program files\\icq6\\icq.exe"= UDP:c:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{B0FA516D-29DA-4D4E-AA8E-5B62457722C8}c:\\program files\\icq6\\icq.exe"= TCP:c:\program files\icq6\icq.exe:ICQ Library
"{1668EAE1-1002-4299-8B69-0704AB10AA3B}"= UDP:c:\hodder education\Dynamic Learning (Student Version)\Engine\DL Student.exe:Start DL Student
"{878DE718-35AE-4C12-8F00-FB8CE48A7778}"= TCP:c:\hodder education\Dynamic Learning (Student Version)\Engine\DL Student.exe:Start DL Student
"{C37382C8-DF19-41C2-B1D0-A0C8A8022D3B}"= UDP:c:\program files\Reality Pump\Two Worlds\TwoWorlds.exe:Two Worlds
"{9971E6CB-6C9F-4D85-8725-806F5496EF2B}"= TCP:c:\program files\Reality Pump\Two Worlds\TwoWorlds.exe:Two Worlds
"{019B9154-4D3A-4D58-9D14-5BC041CC9AF0}"= UDP:c:\program files\Reality Pump\Two Worlds\TwoWorlds_RADEON.exe:Two Worlds
"{07CC9591-AE5A-464C-9C19-DD43065BD8EC}"= TCP:c:\program files\Reality Pump\Two Worlds\TwoWorlds_RADEON.exe:Two Worlds
"{08FC54E3-220C-4C86-974D-ED6491453CAA}"= UDP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.1
"{C23E438B-01CE-4416-9D8C-E53029AFB5CC}"= TCP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.1
"{4F44CB3D-AB4C-44F0-9BC3-4BE81A9808A5}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{15081D50-64FC-45A2-BA0A-15AD88D7F91B}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{14EF1673-B895-4E7C-83A5-882CC7A5CD98}"= UDP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{89884B7C-7337-4BF5-A2E3-0770BD6931C0}"= TCP:c:\program files\BitTorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{08327DD8-C9E9-46CC-BAFD-D48B41D84404}"= UDP:60558:utor
"{317D5F80-0AB9-4450-8905-AB0C64D64790}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FarCry2.exe:Far Cry 2
"{7806D0BC-0999-4580-88BD-AEB4F99B83EA}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FarCry2.exe:Far Cry 2
"{12EBD979-66B2-4E0F-8A3C-8409584A916D}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
"{1C96F153-F3CD-4021-B7B8-D8DB36334808}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
"{5F9B0AE9-1C4A-4D57-A912-A6DDC1E5E85C}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:Editor
"{A962DB6D-236C-4CAF-8B6D-F7690B13E33C}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:Editor
"{F74A162E-0E05-4E3A-97EE-E4E93F6D2A3F}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{E7D42BA6-CCDE-44FE-9FDA-66042E88B8CB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{38E67F5F-BD38-462B-B94C-67E92FB6C5BC}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{86A2CC57-9E3E-4CD3-A41E-27C23309D684}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{B1336EA1-7F2B-4E14-9893-2951D7E096CD}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{2E7D6B32-ED1D-4DAE-ABA3-9BDF23F2E432}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{DB55F700-B74C-424C-8E89-744A7D83D5AB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0CCD62AF-F9E7-4A2C-BA3C-8928BA715B40}"= UDP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{40DFB82C-3720-4BD0-8398-D757A2E71BA8}"= TCP:c:\program files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"TCP Query User{3F7974D7-3FA1-4E49-91DA-F41B940B0B76}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{6BDF6E4A-3871-4180-B3C2-BD466C6B2C31}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"TCP Query User{EB453DC7-4C4A-4DB7-8566-87F810F244D2}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{E73924F7-3212-4CED-8895-3853FE64F7C2}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [08/05/2009 22:41 114768]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [04/04/2007 14:59 20760]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [08/05/2009 22:41 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [08/05/2009 22:41 51792]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 18:50 30312]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\System32\drivers\KMDFMEMIO.sys [11/12/2007 18:01 13312]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\System32\drivers\PTSimBus.sys [02/04/2009 23:04 18944]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 951632]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 23:31 29263712]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [02/11/2006 11:25 2589184]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\System32\drivers\PTSimHid.sys [02/04/2009 23:04 10752]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [12/04/2009 19:19 120168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-05-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-07 22:00]

2009-05-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2008-10-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-05-15 c:\windows\Tasks\SupBackGroundTask.job
- c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe [2008-09-25 17:34]

2009-05-15 c:\windows\Tasks\User_Feed_Synchronization-{A68B820F-5236-4501-B7B7-188E2FCAF47E}.job
- c:\windows\system32\msfeedssync.exe [2008-03-23 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Callum\AppData\Roaming\Mozilla\Firefox\Profiles\oe8xlfcq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 14:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-876949166-2356526091-556372466-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:51,85,f4,a1,88,8c,4a,b8,9c,6b,6b,5b,f7,98,d4,ef,23,ac,70,ae,63,95,3f,
68,ca,82,09,86,f5,f9,78,e1,c0,e1,eb,4a,3e,a4,20,93,ca,5a,d9,75,f2,a4,61,4a,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-876949166-2356526091-556372466-1003\Software\SecuROM\License information*]
"datasecu"=hex:fa,e8,f1,7c,ad,ce,79,ac,00,a4,b2,7b,13,52,ae,81,d7,a2,11,ab,e2,
1e,af,32,0d,27,f9,ec,72,0f,9d,be,0d,7f,ea,74,2d,ae,2d,b1,8c,9b,9d,69,3b,16,\
"rkeysecu"=hex:57,94,b2,4d,4c,cd,fe,bf,32,a3,20,a6,ce,19,23,b7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3596)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
Completion time: 2009-05-16 14:20
ComboFix-quarantined-files.txt 2009-05-16 13:20
ComboFix2.txt 2009-05-15 17:05
ComboFix3.txt 2009-05-13 19:42
ComboFix4.txt 2009-05-08 18:03

Pre-Run: 29,281,910,784 bytes free
Post-Run: 29,294,288,896 bytes free

309 --- E O F --- 2009-05-05 02:04

The Oddball Microsoftie (1,838 Posts)
Hello, cw99388 :)
Hoped so. Some infections out there actually infect the router which sits between your internet connection and your machine. Using OpenDNS is a way of going around your router. It's a great service anyway ;)

One more shot here... please let me know if things are better after this.

We need to re-run ComboFix with some additional directives.
  1. Please disable any running anti-virus programs.
    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  4. Open notepad and copy/paste the text in the quotebox below into it:
    Code:
    http://www.techsupportforum.com/f284/probably-malware-affects-browsers-firefox-ie-374401.html
    firefox::
    FF - ProfilePath - c:\users\Callum\AppData\Roaming\Mozilla\Firefox\Profiles\oe8xlfcq.default\
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    collect::[54]
    c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    c:\program files\Mozilla Firefox\plugins\npmusicn.dll
  5. Save this as CFScript.txt, in the same location as ComboFix.exe

  6. Referring to the picture above, drag CFScript into ComboFix.exe
  7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
I recommend you remove either Avast or Kaspersky.

Unless otherwise listed below, you can remove these AV programs from Add/Remove Programs.

In your next reply, please include the following:
  • ComboFix.txt
Billy3
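The router-level DNS hijacking Billy3 describes (redirects and swapped ad banners on every wireless client of one network, clean on other networks, nothing found by host scanners) can be checked for directly rather than inferred. The following is an added example written for this page; it is not code from the thread, from ComboFix or from any other tool mentioned above. It uses only the Python 3 standard library, hand-builds a DNS A-record query so a specific resolver can be asked without going through the router, and then applies two heuristics: which DNS servers the router handed out over DHCP (the Vista user would read these from `ipconfig /all`), and whether the router-supplied answers for several unrelated names collapse onto one address that a trusted resolver never returns. The OpenDNS addresses are assumed from the resolver the post recommends and should be confirmed against the provider's documentation; all sample data is constructed and uses RFC 5737 documentation ranges, not addresses from the log.

```python
"""Check a home LAN for router-level DNS hijacking (added example, stdlib only)."""
import ipaddress
import socket
import struct
from typing import Dict, Iterable, List, Set

# Assumption: OpenDNS resolver addresses as published by the provider; verify them.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Explicit RFC 1918 ranges; ipaddress.is_private also flags documentation ranges,
# which would misclassify the constructed sample below.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (RD=1) for the A record of `domain`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a DNS name, handling RFC 1035 compression pointers."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def resolve_via(server: str, domain: str, timeout: float = 2.0) -> List[str]:
    """Ask one resolver directly over UDP/53, bypassing the router's DNS (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def classify_dns_servers(dhcp_dns: Iterable[str], gateway: str) -> Dict[str, str]:
    """Label each DNS server the router handed out via DHCP."""
    labels = {}
    for ip in dhcp_dns:
        addr = ipaddress.ip_address(ip)
        if ip == gateway:
            labels[ip] = "gateway"  # normal: router forwards to the ISP
        elif ip in TRUSTED_RESOLVERS:
            labels[ip] = "trusted"
        elif any(addr in net for net in LAN_RANGES):
            labels[ip] = "suspicious: another LAN host is acting as DNS"
        else:
            labels[ip] = "suspicious: public resolver nobody configured"
    return labels


def find_divergent(router_answers: Dict[str, Set[str]],
                   trusted_answers: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Domains whose router-supplied answers share no address with the trusted ones."""
    divergent = {}
    for domain, router_ips in router_answers.items():
        trusted_ips = trusted_answers.get(domain, set())
        if router_ips and trusted_ips and not (router_ips & trusted_ips):
            divergent[domain] = {"router": sorted(router_ips), "trusted": sorted(trusted_ips)}
    return divergent


def shared_sink(divergent: Dict[str, dict]) -> Set[str]:
    """Router-side addresses that two or more unrelated divergent domains share.

    CDN and geo differences rarely collapse unrelated names onto one IP; a
    hijacking resolver usually does, because it funnels traffic to one box.
    """
    seen: Dict[str, int] = {}
    for info in divergent.values():
        for ip in info["router"]:
            seen[ip] = seen.get(ip, 0) + 1
    return {ip for ip, n in seen.items() if n >= 2}


# Constructed sample (not from the thread's log), RFC 5737 documentation addresses.
SAMPLE_GATEWAY = "192.168.1.1"
SAMPLE_DHCP_DNS = ["192.168.1.1", "203.0.113.53"]
SAMPLE_ROUTER_ANSWERS = {
    "www.google.com": {"203.0.113.10"},
    "ad.doubleclick.net": {"203.0.113.10"},
    "www.bbc.co.uk": {"198.51.100.7"},
}
SAMPLE_TRUSTED_ANSWERS = {
    "www.google.com": {"198.51.100.1", "198.51.100.2"},
    "ad.doubleclick.net": {"198.51.100.3"},
    "www.bbc.co.uk": {"198.51.100.7"},
}

if __name__ == "__main__":
    print(classify_dns_servers(SAMPLE_DHCP_DNS, SAMPLE_GATEWAY))
    divergent = find_divergent(SAMPLE_ROUTER_ANSWERS, SAMPLE_TRUSTED_ANSWERS)
    print(divergent)
    print("shared sink:", shared_sink(divergent))
```

On a live network, `resolve_via(gateway, name)` against `resolve_via("208.67.222.222", name)` for a handful of unrelated names gives the two answer sets; a single divergent name is only a lead, since large sites legitimately answer differently per resolver, but several unrelated names sharing one router-side address, or a DHCP-supplied resolver that nobody configured, matches the pattern of a compromised router (changed DNS settings, often via default admin credentials) and explains why only clients of that one network are affected and why host scanners find nothing. Pointing the affected clients at a trusted resolver, as the post suggests, works around it; fixing it means resetting the router's DNS settings and changing its admin password.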
 
