
[Active] google search results redirect

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by Injigo, Jan 31, 2010.

  1. Injigo (Established Techie7 Member)

    Hello, recently google search results have been redirecting. I have run HijackThis and MBAM. Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:04:40 AM, on 1/31/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IObit\Game Booster\gbtray.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP2\RpcAgentSrv.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 5328 bytes

    HijackThis Uninstall log:

    7-Zip 4.65
    Acrobat.com
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    Adobe Shockwave Player 11.5
    Advanced SystemCare 3
    Advertising Center
    AGEIA PhysX v7.11.13
    AIM Lite 0.33
    Alchemy Elixir
    Apple Mobile Device Support
    Apple Software Update
    Arcanum
    ATI Display Driver
    CCleaner
    City of Heroes (remove only)
    COMODO Internet Security
    Counter-Strike: Source
    Creative Live! Cam Video IM Pro Driver (1.02.02.1018)
    Day of Defeat
    Day of Defeat: Source
    Deus Ex
    DivX Codec
    DivX Converter
    DivX Player
    DivX Web Player
    DolbyFiles
    Download Accelerator Plus (DAP)
    DVD_Generator-1.14-EN-R1
    Electricsheep Screensaver 2.7b18
    EndItAll 2.0
    ffdshow [rev 3178] [2010-01-03]
    Game Booster
    Google Earth
    Google Update Helper
    Half-Life 2: Deathmatch
    Half-Life Dedicated Server Update Tool
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP PSC & OfficeJet 5.3.B
    iTunes
    Java(TM) 6 Update 17
    LogMeIn Hamachi
    LogMeIn Hamachi
    Malwarebytes' Anti-Malware
    Media Player Classic - Home Cinema v. 1.3.1269.0
    Messenger Plus! Live
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Choice Guard
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.5.7)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MySpaceIM
    Nero ControlCenter
    Nero Installer
    neroxml
    OpenOffice.org 3.1
    Power Sound Editor Free
    QuickTime
    Realtek RTL8139/810x Fast Ethernet NIC Driver Setup
    Segoe UI
    SiSoftware Sandra Professional Business 2009.SP2
    Skype™ 4.1
    SMPlayer 0.6.8
    SoundMAX
    SpeedFan (remove only)
    Spybot - Search & Destroy
    Spyware Doctor 6.0
    Steam
    Thoosje Quick Xp Optimizer Installer V2
    TightVNC 1.3.10
    TrackMania Nations Forever
    Uniblue DriverScanner 2009
    Uniblue DriverScanner 2009
    Uniblue RegistryBooster 2009
    Uniblue RegistryBooster 2009
    Uniblue SpeedUpMyPC 2009
    Uniblue SpeedUpMyPC 2009
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC80CRTRedist - 8.0.50727.762
    VirtualLab Client 5.7.3
    VLC media player 1.0.3
    Winamp
    Windows Installer Clean Up
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Encoder 9 Series
    Windows Media Encoder 9 Series
    Windows Media Format Runtime
    Windows Media Player Firefox Plugin
    WinRAR archiver
    Yahoo! Messenger
    Zombie Panic! Source


    Thank you in advance.
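A small triage parser for the HijackThis log format posted above, added here as an example and not part of the thread or of HijackThis itself. It splits the `Rn`/`On` entry lines into section, CLSID, path and URL, and flags the entry types a helper normally looks at first (orphaned O23 services, O10 LSPs, O20 AppInit_DLLs, O16 ActiveX downloads, autoruns from user-writable folders). The sample log is a constructed subset of the lines in the post; the flag texts and the `USER_WRITABLE` list are this example's own assumptions, and a flag means "verify", not "malicious".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the HijackThis log above (a subset of its lines).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Entry lines start with a section tag such as R0, O2, O23; header and process-list lines do not.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path up to the first executable-looking extension; quotes/brackets end it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|cpl|ocx|htm)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumption of this example: autoruns living here deserve a second look on XP.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\application data\\")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    url: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid, path, url = CLSID_RE.search(body), PATH_RE.search(body), URL_RE.search(body)
    return Entry(m.group("section"), body,
                 clsid.group(0) if clsid else None,
                 path.group(0) if path else None,
                 url.group(0) if url else None)


def triage(entry: Entry) -> Entry:
    """Attach review flags based on the entry type; a flag means 'verify', not 'malicious'."""
    sec, body = entry.section, entry.body
    if sec == "O23" and "(file missing)" in body:
        entry.flags.append("orphaned service: registered binary is missing from disk")
    if sec == "O10":
        entry.flags.append("Winsock LSP not on HijackThis's known list: verify the DLL's publisher")
    if sec == "O20":
        entry.flags.append("AppInit_DLLs is loaded into every process using user32.dll: verify the DLL's publisher")
    if sec == "O16":
        entry.flags.append("ActiveX download (DPF): confirm the download source is trusted")
    if sec == "O4" and entry.path and any(tok in entry.path.lower() for tok in USER_WRITABLE):
        entry.flags.append("autorun from a user-writable location")
    if sec in ("R0", "R1") and not body.rstrip().endswith(("=", "= about:blank")):
        entry.flags.append("browser start/search page is set: confirm the user chose this value")
    return entry


def analyse(log_text: str) -> List[Entry]:
    """Parse every entry line of a HijackThis log and triage it."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [triage(e) for e in entries if e is not None]


def flagged(log_text: str) -> List[Entry]:
    """Only the entries that picked up at least one review flag."""
    return [e for e in analyse(log_text) if e.flags]


if __name__ == "__main__":
    for e in analyse(SAMPLE_LOG):
        mark = "!!" if e.flags else "  "
        print(f"{mark} {e.section:<4}{e.path or e.url or e.body}")
        for f in e.flags:
            print(f"        - {f}")
```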
     
  2. broni (Malware Annihilator, Techie7 Moderator, Head Security)

    Which browser is getting redirected?

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. Injigo (Established Techie7 Member)

    Alrighty, everything seemed to go alright. Here is the ComboFix log:

    ComboFix 10-01-31.03 - les wilson 01/31/2010 16:19:11.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1693 [GMT -8:00]
    Running from: c:\documents and settings\les wilson\Desktop\ComboFix.exe
    AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\les wilson\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Free Edition.lnk
    c:\windows\pthreadGC2.dll
    c:\windows\system32\SIntf16.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
    .

    2010-01-31 16:04 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
    2010-01-31 16:04 . 2006-02-28 12:00 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
    2010-01-31 16:04 . 2006-02-28 12:00 22060 -c----w- c:\windows\system32\dllcache\npds.zip
    2010-01-31 16:04 . 2008-04-14 00:12 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
    2010-01-31 08:04 . 2006-02-28 12:00 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
    2010-01-31 08:03 . 2006-02-28 12:00 6144 -c--a-w- c:\windows\system32\dllcache\kbd101a.dll
    2010-01-31 08:02 . 2006-02-28 12:00 57399 -c--a-w- c:\windows\system32\dllcache\cplexe.exe
    2010-01-31 08:01 . 2006-02-28 12:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
    2010-01-31 08:01 . 2006-02-28 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
    2010-01-31 08:01 . 2006-02-28 12:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
    2010-01-31 08:01 . 2006-02-28 12:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
    2010-01-31 08:01 . 2006-02-28 12:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
    2010-01-31 08:01 . 2006-02-28 12:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
    2010-01-31 08:01 . 2006-02-28 12:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
    2010-01-31 07:58 . 2006-02-28 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
    2010-01-31 07:43 . 2006-02-28 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2010-01-31 07:43 . 2006-02-28 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
    2010-01-31 07:42 . 2006-02-28 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
    2010-01-31 07:42 . 2006-02-28 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2010-01-31 03:29 . 2010-01-31 03:29 -------- d-----w- c:\program files\CCleaner
    2010-01-31 02:59 . 2010-01-31 02:59 3584 ----a-r- c:\documents and settings\les wilson\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-01-31 02:59 . 2010-01-31 02:59 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-01-31 02:58 . 2010-01-31 02:58 -------- d-----w- c:\program files\MSECACHE
    2010-01-31 02:09 . 2010-01-31 02:09 -------- d-----w- c:\program files\Common Files\Nero
    2010-01-12 04:35 . 2010-01-21 12:17 -------- d-----w- c:\documents and settings\les wilson\Local Settings\Application Data\LogMeIn Hamachi
    2010-01-12 04:27 . 2010-01-26 09:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi
    2010-01-12 04:26 . 2010-01-12 04:26 -------- d-----w- c:\program files\LogMeIn Hamachi
    2010-01-08 12:36 . 2010-01-08 12:36 -------- d-----w- c:\documents and settings\les wilson\fontconfig
    2010-01-08 12:35 . 2010-01-15 12:09 -------- d-----w- c:\documents and settings\les wilson\.smplayer
    2010-01-08 12:34 . 2010-01-08 12:35 -------- d-----w- c:\program files\SMPlayer
    2010-01-08 12:17 . 2010-01-08 12:19 -------- d-----w- c:\documents and settings\les wilson\Application Data\vlc
    2010-01-07 01:49 . 2010-01-04 06:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-01-07 01:49 . 2010-01-07 01:49 -------- d-----w- c:\program files\ffdshow
    2010-01-05 19:05 . 2010-01-05 19:05 -------- d-----w- c:\documents and settings\les wilson\Local Settings\Application Data\LogMeIn
    2010-01-05 19:05 . 2010-01-05 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
    2010-01-02 11:50 . 2010-01-02 11:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2010-01-02 06:59 . 2010-01-02 06:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-01-02 06:59 . 2010-01-02 07:00 -------- d-----w- c:\program files\Google

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-31 23:44 . 2009-09-13 09:50 573345 ----a-w- c:\windows\system32\drivers\sfi.dat
    2010-01-31 20:29 . 2009-06-30 23:55 -------- d-----w- c:\program files\City of Heroes
    2010-01-31 11:44 . 2009-07-07 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
    2010-01-31 09:12 . 2009-09-09 06:41 -------- d-----w- c:\program files\fool
    2010-01-31 07:56 . 2009-06-30 22:35 22720 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-01-31 04:24 . 2009-07-06 01:24 -------- d-----w- c:\documents and settings\les wilson\Application Data\uTorrent
    2010-01-31 03:58 . 2009-08-10 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-01-31 03:12 . 2009-08-10 04:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-31 03:11 . 2009-09-13 09:47 171552 ----a-w- c:\windows\system32\guard32.dll
    2010-01-31 03:11 . 2009-09-13 09:47 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
    2010-01-31 03:11 . 2009-09-13 09:47 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2010-01-31 03:11 . 2009-09-13 09:47 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2010-01-31 02:37 . 2009-09-09 04:23 -------- d-----w- c:\documents and settings\les wilson\Application Data\SUPERAntiSpyware.com
    2010-01-31 02:37 . 2009-07-18 01:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-31 02:36 . 2009-07-06 00:35 -------- d-----w- c:\program files\Steam
    2010-01-31 02:21 . 2009-08-05 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2010-01-26 11:30 . 2009-07-06 08:04 -------- d-----w- c:\program files\Messenger Plus! Live
    2010-01-26 09:05 . 2009-07-06 07:59 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-21 12:18 . 2009-09-12 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-21 09:09 . 2009-08-05 04:31 -------- d-----w- c:\documents and settings\les wilson\Application Data\Ahead
    2010-01-21 09:04 . 2009-09-12 14:24 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-15 19:28 . 2009-10-11 17:52 1 ----a-w- c:\documents and settings\les wilson\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-01-08 00:07 . 2009-09-12 14:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-08 00:07 . 2009-09-12 14:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-07 13:01 . 2009-10-08 04:51 16 ----a-w- c:\windows\popcinfo.dat
    2010-01-02 01:41 . 2009-11-12 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
    2009-12-09 01:03 . 2009-09-22 15:19 668904 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-12-08 22:41 . 2009-07-01 22:43 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-08 22:41 . 2009-12-08 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-12-08 22:41 . 2009-12-08 22:41 152576 ----a-w- c:\documents and settings\les wilson\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-12-03 15:31 . 2009-12-03 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
    2009-12-03 15:31 . 2009-12-03 15:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
    2009-12-03 15:23 . 2009-12-03 15:23 18424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-02 03:40 . 2009-12-02 03:40 21840 ----a-w- c:\windows\system32\SIntfNT.dll
    2009-12-02 03:40 . 2009-12-02 03:40 17212 ----a-w- c:\windows\system32\SIntf32.dll
    2009-12-02 03:34 . 2009-12-02 03:34 18944 ----a-r- c:\documents and settings\les wilson\Application Data\Microsoft\Installer\{08E9C35A-A0AE-43FA-AEA1-E4F58A87FBD1}\Icon7BD916931.exe
    2009-12-02 03:34 . 2009-12-02 03:34 11264 ----a-r- c:\documents and settings\les wilson\Application Data\Microsoft\Installer\{08E9C35A-A0AE-43FA-AEA1-E4F58A87FBD1}\Icon7BD91693.exe
    2009-11-30 09:23 . 2009-09-28 08:38 1892 ----a-w- c:\documents and settings\All Users\Application Data\xml2B.tmp
    2009-11-30 09:23 . 2009-10-15 04:54 13490 ----a-w- c:\documents and settings\All Users\Application Data\xml8.tmp
    2009-11-30 09:23 . 2009-09-28 08:38 4675 ----a-w- c:\documents and settings\All Users\Application Data\xml29.tmp
    2009-07-14 00:16 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-07-14 00:16 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-31 1800464]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-05 18:23 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\TightVNC\\WinVNC.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP2\\RpcAgentSrv.exe"=
    "d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
    "d:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP2\\WNt500x86\\RpcSandraSrv.exe"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/12/2009 7:44 AM 130936]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [9/13/2009 1:47 AM 134344]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/13/2009 1:47 AM 25160]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [9/5/2009 11:00 PM 47640]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/7/2009 3:31 AM 685816]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 10:59 PM 135664]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S3 aswArKrn;aswArKrn;\??\c:\docume~1\LESWIL~1\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\LESWIL~1\LOCALS~1\Temp\aswArKrn.sys [?]
    S3 ElanFltr;Pro Gaming Keyboard;c:\windows\system32\drivers\ElanFltr.sys [10/14/2009 6:03 PM 48128]
    S3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [10/29/2009 12:27 PM 1074568]
    S3 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\program files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP2\RpcAgentSrv.exe [4/29/2009 3:00 PM 98488]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/9/2009 8:55 PM 348752]
    S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [7/13/2009 12:42 AM 6272]
    S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [7/13/2009 12:42 AM 500608]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 06:59]

    2010-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1960408961-682003330-1003Core.job
    - c:\documents and settings\les wilson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-27 23:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mWindow Title =
    IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm
    IE: &Download with &DAP - d:\program files\DAP\dapextie.htm
    IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm
    Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
    Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
    FF - ProfilePath - c:\documents and settings\les wilson\Application Data\Mozilla\Firefox\Profiles\0828hlo5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - plugin: c:\documents and settings\les wilson\Application Data\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\documents and settings\les wilson\Application Data\Move Networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\les wilson\Application Data\Mozilla\Firefox\Profiles\0828hlo5.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    FF - plugin: c:\documents and settings\les wilson\Application Data\Mozilla\Firefox\Profiles\0828hlo5.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\documents and settings\les wilson\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\les wilson\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-01-31 16:25
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1202660629-1960408961-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:ba,60,90,d5,6e,1a,65,22,bb,d2,a9,56,df,84,7c,23,cb,d4,4a,5b,65,bf,22,
    9f,df,27,5a,37,f8,6e,22,f5,4b,b8,2c,6e,3a,c8,d2,ad,25,b5,65,29,58,63,f6,6f,\
    "??"=hex:57,f3,6f,7d,80,e3,a9,f6,e3,91,56,0e,7b,62,53,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(808)
    c:\windows\system32\guard32.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'lsass.exe'(872)
    c:\windows\system32\guard32.dll
    .
    Completion time: 2010-01-31 16:28:24
    ComboFix-quarantined-files.txt 2010-02-01 00:28
    ComboFix2.txt 2009-09-10 07:15

    Pre-Run: 54,401,236,992 bytes free
    Post-Run: 54,372,368,384 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 1B064557BA34BE3B23FB79D2CE8A83E3


    New HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:05:39 PM, on 2/7/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\IObit\Game Booster\gbtray.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264949577859
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP2\RpcAgentSrv.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 6391 bytes
     
  4. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\All Users\Application Data\xml2B.tmp
    c:\documents and settings\All Users\Application Data\xml8.tmp
    c:\documents and settings\All Users\Application Data\xml29.tmp
    c:\docume~1\LESWIL~1\LOCALS~1\Temp\aswArKrn.sys
    
    
    Folder::
    
    Driver::
    aswArKrn
    
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
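As an added example (not part of broni's post, and not code from ComboFix or this thread), the following Python script shows how the entries in a CFScript like the one above follow from the ComboFix log. It parses the R*/S* driver and service lines and the REGEDIT4 loading-point blocks, flags a driver whose image is registered from a user's Temp folder (the aswArKrn entry the script above removes), a service whose image file is missing (ComboFix's "[x]"), a populated AppInit_DLLs value, Security Center overrides and a disabled Windows Firewall, and then renders the File::/Driver:: sections in the syntax broni uses. The heuristics, class and function names are the editor's; the sample lines in SAMPLE_LOG are copied from the ComboFix log posted in this thread. The xml*.tmp files in broni's script are not matched by these heuristics.

```python
"""Triage helper for ComboFix-style logs (editor's example, not a thread or ComboFix tool).

Heuristics and names are the editor's assumptions. SAMPLE_LOG is copied from the
ComboFix log posted in this thread.
"""
import re
from dataclasses import dataclass


@dataclass
class Service:
    start: str    # ComboFix prefix: R = running, S = stopped, digit = start type
    name: str     # service/driver key name (what a Driver:: entry needs)
    display: str
    image: str    # normalised image path, '' when ComboFix reports "[x]" (file missing)


@dataclass
class Finding:
    kind: str
    detail: str


SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*)$')
REG_KEY_RE = re.compile(r'^\[(.+)\]$')
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TEMP_DIR_RE = re.compile(r'\\(temp|tmp)\\', re.I)   # heuristic: image lives under a Temp folder

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [9/13/2009 1:47 AM 134344]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\LESWIL~1\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\LESWIL~1\LOCALS~1\Temp\aswArKrn.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""


def normalise_image(raw):
    """Turn ComboFix's image column into a plain path ('' for a missing file)."""
    raw = raw.strip()
    if raw == '[x]':
        return ''
    raw = raw.split(' --> ')[-1]                  # keep the resolved path when both are shown
    raw = re.sub(r'\s*\[[^\]]*\]\s*$', '', raw)   # drop trailing "[date size]" or "[?]"
    if raw.startswith('\\??\\'):                  # strip the NT object-manager prefix
        raw = raw[4:]
    return raw


def parse_services(text):
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(Service(m.group(1), m.group(2), m.group(3), normalise_image(m.group(4))))
    return out


def parse_registry(text):
    """Yield (key, name, value) triples from the REGEDIT4 blocks; keys are lower-cased."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2).strip()


def find_suspicious(text):
    """Apply the review heuristics; every hit is a prompt to look closer, not a verdict."""
    findings = []
    for svc in parse_services(text):
        if svc.image == '':
            findings.append(Finding('missing_image', svc.name))
        elif TEMP_DIR_RE.search(svc.image):
            findings.append(Finding('driver_in_temp', f'{svc.name} -> {svc.image}'))
    for key, name, value in parse_registry(text):
        lname = name.lower()
        if key.endswith(r'windows nt\currentversion\windows') and lname == 'appinit_dlls' and value:
            findings.append(Finding('appinit_dlls', value))
        elif (key.endswith('security center') and lname in ('antivirusoverride', 'firewalloverride')
              and value.lower() == 'dword:00000001'):
            findings.append(Finding('security_center_override', name))
        elif key.endswith('standardprofile') and lname == 'enablefirewall' and value.startswith('0'):
            findings.append(Finding('windows_firewall_disabled', key))
    return findings


def build_cfscript(services):
    """Render File::/Driver:: sections (broni's CFScript syntax) for Temp-resident drivers."""
    temp_drivers = [s for s in services if s.image and TEMP_DIR_RE.search(s.image)]
    lines = ['File::'] + [s.image for s in temp_drivers] + ['', 'Driver::'] + [s.name for s in temp_drivers]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    for f in find_suspicious(SAMPLE_LOG):
        print(f'{f.kind:28} {f.detail}')
    print(build_cfscript(parse_services(SAMPLE_LOG)))
```

Two of the hits are worth a caveat: the AppInit_DLLs value here is guard32.dll, which the same log attributes to COMODO Internet Security, and the Security Center overrides and disabled Windows Firewall are what a third-party suite normally sets when it replaces the built-ins. The script surfaces them because they are also what hijackers set; the helper decides which is which.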
     
  5. Injigo

    Injigo Established Techie7 Member

    ComboFix Log:

    ComboFix 10-02-07.06 - les wilson 02/07/2010 18:34:02.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1609 [GMT -8:00]
    Running from: c:\documents and settings\les wilson\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\les wilson\Desktop\CFScript.txt
    AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    ((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))
    .

    2010-02-07 22:47 . 2010-02-07 22:47 -------- d-----w- c:\program files\Common Files\Java
    2010-02-07 22:47 . 2010-02-07 22:47 503808 ----a-w- c:\documents and settings\les wilson\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7c8077c6-n\msvcp71.dll
    2010-02-07 22:47 . 2010-02-07 22:47 348160 ----a-w- c:\documents and settings\les wilson\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7c8077c6-n\msvcr71.dll
    2010-02-07 22:47 . 2010-02-07 22:47 61440 ----a-w- c:\documents and settings\les wilson\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7ac4cafd-n\decora-sse.dll
    2010-02-07 22:47 . 2010-02-07 22:47 499712 ----a-w- c:\documents and settings\les wilson\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7c8077c6-n\jmc.dll
    2010-02-07 22:47 . 2010-02-07 22:47 12800 ----a-w- c:\documents and settings\les wilson\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7ac4cafd-n\decora-d3d.dll
    2010-02-07 22:45 . 2010-02-07 22:45 79488 ----a-w- c:\documents and settings\les wilson\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
    2010-02-07 22:45 . 2010-02-07 22:45 152576 ----a-w- c:\documents and settings\les wilson\Application Data\Sun\Java\jre1.6.0_18\lzma.dll
    2010-02-05 13:55 . 2010-02-05 13:55 -------- d-----w- c:\program files\LogMeIn Hamachi
    2010-01-31 16:04 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
    2010-01-31 16:04 . 2006-02-28 12:00 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
    2010-01-31 16:04 . 2006-02-28 12:00 22060 -c----w- c:\windows\system32\dllcache\npds.zip
    2010-01-31 16:04 . 2008-04-14 00:12 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
    2010-01-31 08:04 . 2006-02-28 12:00 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
    2010-01-31 08:03 . 2006-02-28 12:00 6144 -c--a-w- c:\windows\system32\dllcache\kbd101a.dll
    2010-01-31 08:02 . 2006-02-28 12:00 57399 -c--a-w- c:\windows\system32\dllcache\cplexe.exe
    2010-01-31 08:01 . 2006-02-28 12:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
    2010-01-31 08:01 . 2006-02-28 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
    2010-01-31 08:01 . 2006-02-28 12:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
    2010-01-31 08:01 . 2006-02-28 12:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
    2010-01-31 08:01 . 2006-02-28 12:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
    2010-01-31 08:01 . 2006-02-28 12:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
    2010-01-31 08:01 . 2006-02-28 12:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
    2010-01-31 07:58 . 2006-02-28 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
    2010-01-31 07:43 . 2006-02-28 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2010-01-31 07:43 . 2006-02-28 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
    2010-01-31 07:42 . 2006-02-28 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
    2010-01-31 07:42 . 2006-02-28 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2010-01-31 03:29 . 2010-01-31 03:29 -------- d-----w- c:\program files\CCleaner
    2010-01-31 02:59 . 2010-01-31 02:59 3584 ----a-r- c:\documents and settings\les wilson\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-01-31 02:59 . 2010-01-31 02:59 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-01-31 02:58 . 2010-01-31 02:58 -------- d-----w- c:\program files\MSECACHE
    2010-01-31 02:09 . 2010-01-31 02:09 -------- d-----w- c:\program files\Common Files\Nero
    2010-01-12 04:35 . 2010-02-05 17:02 -------- d-----w- c:\documents and settings\les wilson\Local Settings\Application Data\LogMeIn Hamachi
    2010-01-12 04:27 . 2010-02-05 18:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-08 02:23 . 2010-01-08 12:17 -------- d-----w- c:\documents and settings\les wilson\Application Data\vlc
    2010-02-07 23:40 . 2010-01-02 06:59 -------- d-----w- c:\program files\Google
    2010-02-07 22:46 . 2009-07-01 22:43 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-07 20:41 . 2009-06-30 23:55 -------- d-----w- c:\program files\City of Heroes
    2010-02-05 17:04 . 2009-09-22 13:16 -------- d-----w- c:\documents and settings\les wilson\Application Data\Skype
    2010-02-05 16:33 . 2009-09-22 13:17 -------- d-----w- c:\documents and settings\les wilson\Application Data\skypePM
    2010-02-04 11:27 . 2009-09-13 09:50 595713 ----a-w- c:\windows\system32\drivers\sfi.dat
    2010-02-03 23:44 . 2009-09-13 09:47 171552 ----a-w- c:\windows\system32\guard32.dll
    2010-02-03 23:44 . 2009-09-13 09:47 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2010-01-31 11:44 . 2009-07-07 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
    2010-01-31 09:12 . 2009-09-09 06:41 -------- d-----w- c:\program files\fool
    2010-01-31 07:56 . 2009-06-30 22:35 22720 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-01-31 04:24 . 2009-07-06 01:24 -------- d-----w- c:\documents and settings\les wilson\Application Data\uTorrent
    2010-01-31 03:58 . 2009-08-10 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-01-31 03:12 . 2009-08-10 04:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-31 03:11 . 2009-09-13 09:47 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
    2010-01-31 03:11 . 2009-09-13 09:47 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2010-01-31 02:37 . 2009-09-09 04:23 -------- d-----w- c:\documents and settings\les wilson\Application Data\SUPERAntiSpyware.com
    2010-01-31 02:37 . 2009-07-18 01:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-31 02:36 . 2009-07-06 00:35 -------- d-----w- c:\program files\Steam
    2010-01-31 02:21 . 2009-08-05 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2010-01-26 11:30 . 2009-07-06 08:04 -------- d-----w- c:\program files\Messenger Plus! Live
    2010-01-26 09:05 . 2009-07-06 07:59 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-21 12:18 . 2009-09-12 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-21 09:09 . 2009-08-05 04:31 -------- d-----w- c:\documents and settings\les wilson\Application Data\Ahead
    2010-01-21 09:04 . 2009-09-12 14:24 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-15 19:28 . 2009-10-11 17:52 1 ----a-w- c:\documents and settings\les wilson\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-01-08 12:35 . 2010-01-08 12:34 -------- d-----w- c:\program files\SMPlayer
    2010-01-08 00:07 . 2009-09-12 14:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-08 00:07 . 2009-09-12 14:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-07 13:01 . 2009-10-08 04:51 16 ----a-w- c:\windows\popcinfo.dat
    2010-01-07 01:49 . 2010-01-07 01:49 -------- d-----w- c:\program files\ffdshow
    2010-01-05 19:05 . 2010-01-05 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
    2010-01-04 06:00 . 2010-01-07 01:49 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-01-02 01:41 . 2009-11-12 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
    2009-12-09 01:03 . 2009-09-22 15:19 668904 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-12-03 15:23 . 2009-12-03 15:23 18424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-02 03:40 . 2009-12-02 03:40 21840 ----a-w- c:\windows\system32\SIntfNT.dll
    2009-12-02 03:40 . 2009-12-02 03:40 17212 ----a-w- c:\windows\system32\SIntf32.dll
    2009-12-02 03:34 . 2009-12-02 03:34 18944 ----a-r- c:\documents and settings\les wilson\Application Data\Microsoft\Installer\{08E9C35A-A0AE-43FA-AEA1-E4F58A87FBD1}\Icon7BD916931.exe
    2009-12-02 03:34 . 2009-12-02 03:34 11264 ----a-r- c:\documents and settings\les wilson\Application Data\Microsoft\Installer\{08E9C35A-A0AE-43FA-AEA1-E4F58A87FBD1}\Icon7BD91693.exe
    2009-11-30 09:23 . 2009-09-28 08:38 1892 ----a-w- c:\documents and settings\All Users\Application Data\xml2B.tmp
    2009-11-30 09:23 . 2009-10-15 04:54 13490 ----a-w- c:\documents and settings\All Users\Application Data\xml8.tmp
    2009-11-30 09:23 . 2009-09-28 08:38 4675 ----a-w- c:\documents and settings\All Users\Application Data\xml29.tmp
    2009-07-14 00:16 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-07-14 00:16 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-02-01_00.25.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-02-07 23:41 . 2010-02-07 23:41 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
    + 2010-02-07 23:41 . 2010-02-07 23:41 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2010-02-07 23:41 . 2010-02-07 23:41 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2010-02-07 23:41 . 2010-02-07 23:41 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2010-02-07 23:41 . 2010-02-07 23:41 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2010-02-07 23:41 . 2010-02-07 23:41 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2010-02-07 23:41 . 2010-02-07 23:41 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\ARPPRODUCTICON.exe
    + 2010-02-07 22:47 . 2010-02-07 22:46 153376 c:\windows\system32\javaws.exe
    - 2009-12-08 22:42 . 2009-12-08 22:42 145184 c:\windows\system32\javaw.exe
    + 2010-02-07 22:47 . 2010-02-07 22:46 145184 c:\windows\system32\javaw.exe
    + 2010-02-07 22:47 . 2010-02-07 22:46 145184 c:\windows\system32\java.exe
    - 2009-12-08 22:42 . 2009-12-08 22:42 145184 c:\windows\system32\java.exe
    + 2010-02-05 13:56 . 2010-02-05 13:56 785408 c:\windows\Installer\305fb8.msi
    + 2010-02-07 22:47 . 2010-02-07 22:47 178176 c:\windows\Installer\1834bf.msi
    + 2010-02-07 22:46 . 2010-02-07 22:46 577536 c:\windows\Installer\1834b9.msi
    + 2010-02-07 23:41 . 2010-02-07 23:41 1262080 c:\windows\Installer\4d7e71.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-31 1800464]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-05 18:23 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\TightVNC\\WinVNC.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP2\\RpcAgentSrv.exe"=
    "d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
    "d:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP2\\WNt500x86\\RpcSandraSrv.exe"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/12/2009 7:44 AM 130936]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [9/13/2009 1:47 AM 134344]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/13/2009 1:47 AM 25160]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [9/5/2009 11:00 PM 47640]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/7/2009 3:31 AM 685816]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 10:59 PM 135664]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S3 aswArKrn;aswArKrn;\??\c:\docume~1\LESWIL~1\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\LESWIL~1\LOCALS~1\Temp\aswArKrn.sys [?]
    S3 ElanFltr;Pro Gaming Keyboard;c:\windows\system32\drivers\ElanFltr.sys [10/14/2009 6:03 PM 48128]
    S3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [10/29/2009 12:27 PM 1074568]
    S3 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\program files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP2\RpcAgentSrv.exe [4/29/2009 3:00 PM 98488]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/9/2009 8:55 PM 348752]
    S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [7/13/2009 12:42 AM 6272]
    S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [7/13/2009 12:42 AM 500608]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 06:59]

    2010-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1960408961-682003330-1003Core.job
    - c:\documents and settings\les wilson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-27 23:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mWindow Title =
    IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm
    IE: &Download with &DAP - d:\program files\DAP\dapextie.htm
    IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm
    Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
    Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
    FF - ProfilePath - c:\documents and settings\les wilson\Application Data\Mozilla\Firefox\Profiles\0828hlo5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - plugin: c:\documents and settings\les wilson\Application Data\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\documents and settings\les wilson\Application Data\Move Networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\les wilson\Application Data\Mozilla\Firefox\Profiles\0828hlo5.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
    FF - plugin: c:\documents and settings\les wilson\Application Data\Mozilla\Firefox\Profiles\0828hlo5.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\documents and settings\les wilson\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.homepage.dontask - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-02-07 18:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1202660629-1960408961-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:ba,60,90,d5,6e,1a,65,22,bb,d2,a9,56,df,84,7c,23,cb,d4,4a,5b,65,bf,22,
    9f,df,27,5a,37,f8,6e,22,f5,4b,b8,2c,6e,3a,c8,d2,ad,25,b5,65,29,58,63,f6,6f,\
    "??"=hex:57,f3,6f,7d,80,e3,a9,f6,e3,91,56,0e,7b,62,53,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(892)
    c:\windows\system32\guard32.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'lsass.exe'(960)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'explorer.exe'(1724)
    c:\windows\system32\ieframe.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2010-02-07 18:43:25
    ComboFix-quarantined-files.txt 2010-02-08 02:43
    ComboFix2.txt 2010-02-01 00:28
    ComboFix3.txt 2009-09-10 07:15

    Pre-Run: 54,203,596,800 bytes free
    Post-Run: 54,186,446,848 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - DA437E852B01BFF31F6CF8A0E1DD3739

    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:05:39 PM, on 2/7/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\les wilson\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\IObit\Game Booster\gbtray.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264949577859
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP2\RpcAgentSrv.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 6391 bytes
     
  6. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.


    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:


    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases

    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  7. Injigo

    Injigo Established Techie7 Member

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, February 14, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, February 14, 2010 07:47:09
    Records in database: 3498271
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    G:\

    Scan statistics:
    Objects scanned: 123683
    Threats found: 4
    Infected objects found: 4
    Suspicious objects found: 0
    Scan duration: 03:14:56


    File name / Threat / Threats count
    C:\DVD_Generator\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k 1
    C:\Program Files\DVD_Generator\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k 1
    D:\PXE\Tftpd32-3.33-setup.exe Infected: not-a-virus:Server-FTP.Win32.SFH.cy 1
    D:\PXE\tftpd32.exe Infected: not-a-virus:Server-FTP.Win32.SFH.cy 1
    D:\PXE\tftpdpxe.zip Infected: not-a-virus:Server-FTP.Win32.SFH.g 1

    Selected area has been scanned.

    Fresh HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:35:22 AM, on 2/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IObit\Game Booster\gbtray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKCU\..\Run: [ServiceName] C:\Program Files\TightVNC\WinVNC.exe
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264949577859
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP2\RpcAgentSrv.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 5614 bytes
     
  8. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download OTM


    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\DVD_Generator\pskill.exe 
    C:\Program Files\DVD_Generator\pskill.exe 
    D:\PXE\Tftpd32-3.33-setup.exe 
    D:\PXE\tftpd32.exe 
    D:\PXE\tftpdpxe.zip
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    

    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.


    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  9. Injigo

    Injigo Established Techie7 Member

    OTM log:

    All processes killed
    Error: Unable to interpret <:processes :Services :Reg :Files C:\DVD_Generator\pskill.exe C:\Program Files\DVD_Generator\pskill.exe D:\PXE\Tftpd32-3.33-setup.exe D:\PXE\tftpd32.exe D:\PXE\tftpdpxe.zip :Commands [purity] [resethosts] [emptytemp] [Reboot]> in the current context!
    Error: Unable to interpret <Read more: http://www.d-a-l.com/help/spyware-adware-viruses-hijackthis-logs/67842-active-google-search-results-redirect.html#ixzz0fbWy7ByX> in the current context!

    OTM by OldTimer - Version 3.1.8.0 log created on 02152010_034758
     
  10. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    It looks like you didn't copy the code correctly.
    Make sure that all code is copied and that every entry under the "File:" section is listed on a separate line.
    Re-do, please.
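To see why OTM rejected the pasted script in the posts above, here is an added Python check, written for this page and not OTM's own code nor anything posted by the participants. It splits an OTM-style script into its sections and reports the two things visible in the error log: section headers and entries run together on one line, and a "Read more:" line with a link that was never part of the script. The section names are those of the script posted in the thread; the collapsed sample input and its placeholder URL are constructed, and OTM itself is not run.

```python
import re
from typing import Dict, List, Tuple

# Section headers OTM accepts, as used in the script posted in the thread.
OTM_SECTIONS = (":Processes", ":Services", ":Reg", ":Files", ":Commands")
HEADER_RE = re.compile(r"^:(Processes|Services|Reg|Files|Commands)$", re.IGNORECASE)


def parse_otm_script(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split an OTM script into its sections and return (sections, problems).

    Every section header has to stand alone on its own line and every entry
    has to be on its own line.  OTM rejects the whole script ("Unable to
    interpret <...> in the current context") instead of skipping a bad part,
    so the checks below report anything that would trigger that.
    """
    sections: Dict[str, List[str]] = {}
    problems: List[str] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if HEADER_RE.match(line):
            # Normalise the case, e.g. ":processes" -> ":Processes".
            current = next(h for h in OTM_SECTIONS if h.lower() == line.lower())
            sections.setdefault(current, [])
            continue
        # A header buried inside a longer line means newlines were lost on paste.
        embedded = [h for h in OTM_SECTIONS if h.lower() in line.lower()]
        if embedded:
            problems.append(f"line {lineno}: headers {embedded} are not on their own lines "
                            "(script collapsed onto one line?)")
            continue
        # Text some sites append to copied selections; it is not OTM syntax.
        if line.lower().startswith("read more:"):
            problems.append(f"line {lineno}: stray text that is not OTM syntax: {line[:40]}")
            continue
        if current is None:
            problems.append(f"line {lineno}: entry before any section header: {line}")
            continue
        sections[current].append(line)
    # Each :Files entry should hold exactly one Windows path.
    for entry in sections.get(":Files", []):
        if entry.count(":\\") != 1:
            problems.append(f":Files entry does not hold exactly one path: {entry}")
    return sections, problems


# The script as posted in the thread (one entry per line).
GOOD_SCRIPT = r""":Processes

:Services

:Reg

:Files
C:\DVD_Generator\pskill.exe
C:\Program Files\DVD_Generator\pskill.exe
D:\PXE\Tftpd32-3.33-setup.exe
D:\PXE\tftpd32.exe
D:\PXE\tftpdpxe.zip

:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]
"""

# Constructed to mirror the failed paste: newlines lost and a "Read more:"
# tracking line appended (placeholder URL, not a real one).
BAD_SCRIPT = (
    ":processes :Services :Reg :Files C:\\DVD_Generator\\pskill.exe "
    "C:\\Program Files\\DVD_Generator\\pskill.exe D:\\PXE\\tftpd32.exe "
    ":Commands [purity] [resethosts] [emptytemp] [Reboot]\n"
    "Read more: http://example.invalid/thread.html#ixzzPLACEHOLDER\n"
)

if __name__ == "__main__":
    for name, script in (("posted script", GOOD_SCRIPT), ("collapsed paste", BAD_SCRIPT)):
        sections, problems = parse_otm_script(script)
        print(f"{name}: {len(sections)} sections, {len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

Running it reports no problems for the posted script and two for the collapsed paste: the header line that swallowed every section, and the stray "Read more:" line. Re-pasting from the code box into Notepad first and checking that each path sits on its own line avoids the error.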
     
  11. Injigo

    Injigo Established Techie7 Member

    That was strange; it did the same thing when I re-did it, and I had to manually edit the code. Anyhow, here it is:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\DVD_Generator\pskill.exe moved successfully.
    C:\Program Files\DVD_Generator\pskill.exe moved successfully.
    D:\PXE\Tftpd32-3.33-setup.exe moved successfully.
    D:\PXE\tftpd32.exe moved successfully.
    D:\PXE\tftpdpxe.zip moved successfully.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: les wilson
    ->Temp folder emptied: 96165234 bytes
    ->Temporary Internet Files folder emptied: 3356919 bytes
    ->Java cache emptied: 209492 bytes
    ->FireFox cache emptied: 34282163 bytes
    ->Google Chrome cache emptied: 351137638 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LogMeInRemoteUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 7563 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 463.00 mb


    OTM by OldTimer - Version 3.1.8.0 log created on 02162010_060830
     
  12. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Very good :)

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.


    ==============================================================

    Verify your Java version here: Verify Java Version
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    ===============================================================

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.
    NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

    Alternatively, I suggest you uninstall Spybot, since it's a tool of the past.

    ===============================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =



    4. Click on Fix checked button.

    5. Post new HijackThis log.
     
  13. Injigo

    Injigo Established Techie7 Member

    Awesome, seems to be running faster. I am also getting an error when trying to click "Windows Update" in the Start Menu: "The requested lookup key was not found in any active activation context." I have not installed any Windows updates since starting this thread, just wanted to make sure I could. Here is the fresh HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:45:21 AM, on 2/19/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\msiexec.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ServiceName] C:\Program Files\TightVNC\WinVNC.exe
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264949577859
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP2\RpcAgentSrv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 4954 bytes
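As an added example (not HijackThis's code, nor anything from the posters above), here is a small Python triage pass over a HijackThis log excerpt. It parses the R/F/O entries, skips the header and process list, and flags the categories a reviewer reads first: O1 hosts lines containing non-ASCII bytes (the ÿþ pair in the log above is the byte pair FF FE, the UTF-16LE byte-order mark, rendered as Latin-1), O4 autoruns under HKCU, O10 Winsock LSP and O20 AppInit_DLLs entries, and O23 services whose binary is missing. The sample log is an excerpt of the lines posted above; the regex, class and function names and the flag wording are assumptions of this example. Flags are reading prompts, not verdicts: a per-user autorun or an AppInit DLL is often legitimate software.

```python
import re
from dataclasses import dataclass
from typing import List

# One HijackThis entry looks like "O23 - Service: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str   # e.g. "O23"
    body: str      # everything after "O23 - "


def parse_hjt(log: str) -> List[Entry]:
    """Return the R*/F*/O* entries of a HijackThis log; header and process list are skipped."""
    entries: List[Entry] = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[str]:
    """Pick out the entries a reviewer reads first (prompts for a human, not verdicts)."""
    flags: List[str] = []
    for e in entries:
        if e.section == "O1" and any(ord(ch) > 127 for ch in e.body):
            # "ÿþ" at the start of a hosts line is the byte pair FF FE (a UTF-16LE
            # byte-order mark) shown as Latin-1; the file deserves a look in a hex editor.
            flags.append(f"O1 hosts line with non-ASCII bytes: {e.body!r}")
        elif e.section == "O4" and e.body.startswith("HKCU"):
            flags.append(f"O4 per-user autorun: {e.body}")
        elif e.section == "O10":
            flags.append(f"O10 Winsock LSP entry: {e.body}")
        elif e.section == "O20":
            flags.append(f"O20 AppInit_DLLs entry: {e.body}")
        elif e.section == "O23" and "(file missing)" in e.body:
            flags.append(f"O23 service whose binary is missing: {e.body}")
    return flags


# Excerpt assembled from the log lines posted in the thread above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ServiceName] C:\Program Files\TightVNC\WinVNC.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed")
    for flag in triage(entries):
        print(" -", flag)
```

On this excerpt the pass flags five entries and leaves the rest (the R1 search URL, the Adobe BHO, the COMODO HKLM autorun, the HP service) alone. The O1 line is the one worth acting on first, because a hosts file that starts with a byte-order mark may not be read the way its text suggests.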
     
  14. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Your computer is clean

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): Safe Browsing Tool | WOT Web of Trust. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: How did I get infected?

    9. Please let me know how your computer is doing.