Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal
Solved: Virus:Win32/Alureon.H
Jikari
Junior Member with 13 posts.
Join Date: Sep 2010
Location: Port Orange, FL
Experience: Software Engineer
09-Sep-2010, 01:07 AM #1
Virus:Win32/Alureon.H
I was having some issues with performance and ran some tests. I've found that I have the Alureon.H virus but can't seem to remove it. MS MSRT detects it but cannot remove it, even in safe mode. It says it did but it is still there. Does anyone know how to remove this once and for all?
Jikari
09-Sep-2010, 01:13 AM #2
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:12:26 AM, on 9/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OPTI-SAFE Xtreme\ntevent.exe
C:\Program Files\OPTI-SAFE Xtreme\onevent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OPTI-SAFE Xtreme\ntsrv.exe
C:\Program Files\OPTI-SAFE Xtreme\powersrv.exe
C:\Program Files\OPTI-SAFE Xtreme\upsagentd.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\OPTI-SAFE Xtreme\upsis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\OnwaTamashii\Desktop\Internet Tester\InternetMonitor.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\OnwaTamashii\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 5.34.21.222 rei.tootsville.com
O1 - Hosts: 5.34.21.222 dev12.tootsville.com
O1 - Hosts: 5.34.21.222 http.tootsville.com
O1 - Hosts: 5.34.21.222 srv8.tootsville.com
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O1 - Hosts: 127.255.255.255 www.headlightinc.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: DUC20.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Startup: VNC Server.lnk = C:\Program Files\RealVNC\VNC4\winvnc4.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://software.kuaiche.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb...LStreaming.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/r...b.2007.4.4.cab
O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/down...auncherNew.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O20 - Winlogon Notify: wvUOFuSl - wvUOFuSl.dll (file missing)
O21 - SSODL: AlrtSys - {33c0c8f4-0cf2-4d71-8dbd-5beb7be3b393} - (no file)
O21 - SSODL: DrvComponent - {ae04dc2e-b611-4786-9865-c50d24e15357} - (no file)
O21 - SSODL: qdnkewfa - {CF7FC16B-7D4F-42BA-BA69-B5358305B543} - (no file)
O21 - SSODL: mgsvflkw - {0F395899-8E19-4BC1-A89F-EBA28A621984} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OPTI-SAFE Xtreme OnEvent (onevent) - Unknown owner - C:\Program Files\OPTI-SAFE Xtreme\ntevent.exe
O23 - Service: OPTI-SAFE Xtreme UPS (powersrv) - Unknown owner - C:\Program Files\OPTI-SAFE Xtreme\ntsrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: OPTI-SAFE Xtreme SNMP Agent (SNMPAGENTSRV) - Unknown owner - C:\Program Files\OPTI-SAFE Xtreme\upsagentd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: OPTI-SAFE Xtreme Web Server (upsis) - Unknown owner - C:\Program Files\OPTI-SAFE Xtreme\upsis.exe

--
End of file - 10478 bytes
Here is my HJT log.
Jikari
09-Sep-2010, 01:31 AM #3
DDS (Ver_10-03-17.01) - NTFSx86
Run by OnwaTamashii at 0:17:18.06 on Thu 09/09/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.859 [GMT -4:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\OPTI-SAFE Xtreme\ntevent.exe
C:\Program Files\OPTI-SAFE Xtreme\onevent.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\OPTI-SAFE Xtreme\ntsrv.exe
C:\Program Files\OPTI-SAFE Xtreme\powersrv.exe
C:\Program Files\OPTI-SAFE Xtreme\upsagentd.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\OPTI-SAFE Xtreme\upsis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\OnwaTamashii\Desktop\Internet Tester\InternetMonitor.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\OnwaTamashii\Desktop\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\OnwaTamashii\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mExplorerRun: [svchost.exe]
StartupFolder: c:\docume~1\onwata~1\startm~1\programs\startup\duc20.lnk - c:\program files\no-ip\DUC20.exe
StartupFolder: c:\docume~1\onwata~1\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\onwata~1\startm~1\programs\startup\vncser~1.lnk - c:\program files\realvnc\vnc4\winvnc4.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: kuaiche.com\software
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} - hxxp://legendofares.netgame.com/download/MusaLauncherNew.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: winbfi32 - winbfi32.dll
Notify: wvUOFuSl - wvUOFuSl.dll
SSODL: AlrtSys - {33c0c8f4-0cf2-4d71-8dbd-5beb7be3b393} - No File
SSODL: DrvComponent - {ae04dc2e-b611-4786-9865-c50d24e15357} - No File
SSODL: qdnkewfa - {CF7FC16B-7D4F-42BA-BA69-B5358305B543} - No File
SSODL: mgsvflkw - {0F395899-8E19-4BC1-A89F-EBA28A621984} - No File
STS: {65bbf06c-ea06-4818-92a3-f3550d0e1004} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\urqRLBrq
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 5.34.21.222 rei.tootsville.com
Hosts: 5.34.21.222 dev12.tootsville.com
Hosts: 5.34.21.222 http.tootsville.com
Hosts: 5.34.21.222 srv8.tootsville.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\onwata~1\applic~1\mozilla\firefox\profiles\g9foo8ds.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - mail.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\onwatamashii\application data\mozilla\firefox\profiles\g9foo8ds.default\extensions\{baebef65-9289-47c5-8524-c345cc5d860d}\components\nsNativeCaller.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\onwatamashii\application data\mozilla\firefox\profiles\g9foo8ds.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\onwatamashii\application data\mozilla\firefox\profiles\g9foo8ds.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\onwatamashii\application data\mozilla\firefox\profiles\g9foo8ds.default\extensions\{f8cc37c3-cbeb-4a00-8cbf-26a88693f0c5}\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPGetRt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\solidstatenetworks\solidstateion\npssn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-21 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-8-25 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-31 95024]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [2007-7-11 108768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355928]
R2 onevent;OPTI-SAFE Xtreme OnEvent;c:\program files\opti-safe xtreme\ntevent.exe [2004-7-2 32768]
R2 powersrv;OPTI-SAFE Xtreme UPS;c:\program files\opti-safe xtreme\ntsrv.exe [2004-7-2 32768]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-8-25 69936]
R2 SNMPAGENTSRV;OPTI-SAFE Xtreme SNMP Agent;c:\program files\opti-safe xtreme\upsagentd.exe [2004-7-2 290816]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-29 1021256]
R2 upsis;OPTI-SAFE Xtreme Web Server;c:\program files\opti-safe xtreme\upsis.exe [2004-7-1 364544]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S1 MpKslb599f8f3;MpKslb599f8f3;\??\c:\windows\system32\mpenginestore\mpkslb599f8f3.sys --> c:\windows\system32\mpenginestore\MpKslb599f8f3.sys [?]
S1 MpKslcf00484d;MpKslcf00484d;\??\c:\windows\system32\mpenginestore\mpkslcf00484d.sys --> c:\windows\system32\mpenginestore\MpKslcf00484d.sys [?]
S1 zeqbqwp;zeqbqwp;\??\c:\windows\zeqbqwp.sys --> c:\windows\zeqbqwp.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-5-7 23456]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2009-1-9 38604]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-8-29 10976]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-13 15008]
S3 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-7-31 4012400]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-7-15 35088]
S3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [2006-3-20 1452032]
S3 SE31bus;Sony Ericsson Device 049 Driver driver (WDM);c:\windows\system32\drivers\SE31bus.sys [2009-8-29 61600]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2007-7-11 544768]
S4 abmsvc;Auto Backup for MySQL Service;c:\program files\swordsky software\auto backup for mysql professional edition\abmsvc.exe [2008-1-13 417792]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2007-7-11 1527900]
S4 VisualSVNServer;VisualSVN Server;c:\program files\visualsvn server\httpd-wrapper.bat [2008-7-28 153]

=============== Created Last 30 ================

2010-09-09 01:52:46 0 d-----w- C:\79074e3cb43ddd4746c5
2010-09-09 01:21:41 0 d-----w- C:\437b16833ef10d6441d8d6d0
2010-09-09 01:07:28 61696 ----a-w- c:\windows\system32\drivers\nwjvdqmg.sys
2010-09-09 01:02:47 0 d-----w- c:\windows\system32\MpEngineStore
2010-09-03 21:56:24 218 ----a-w- c:\documents and settings\onwatamashii\.recently-used.xbel
2010-09-03 21:45:41 0 d-----w- c:\docume~1\onwata~1\applic~1\enchant
2010-09-03 21:45:38 0 d-----w- c:\docume~1\onwata~1\applic~1\.purple
2010-09-03 21:44:49 0 d-----w- c:\program files\Pidgin
2010-08-30 23:39:31 0 d-----w- c:\docume~1\onwata~1\applic~1\Trillian
2010-08-25 23:02:57 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-08-25 23:02:57 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-08-18 23:46:12 0 d-----w- c:\program files\Wireshark
2010-08-18 23:19:41 0 d-----w- c:\documents and settings\onwatamashii\.zenmap
2010-08-18 23:15:26 0 d-----w- c:\program files\Nmap
2010-08-15 15:01:09 0 d-----w- c:\docume~1\onwata~1\applic~1\GetRight
2010-08-14 06:20:11 0 d-----w- c:\program files\Free Window Registry Repair
2010-08-13 17:20:22 5 ----a-w- C:\zrpt.xml
2010-08-11 05:42:23 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-08-05 02:33:11 6165 ----a-w- c:\windows\system32\secushr.dat
2010-07-16 00:45:44 53299 -c--a-w- c:\windows\system32\pthreadVC.dll
2010-07-16 00:45:44 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2010-07-16 00:45:44 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-07-16 00:45:44 100880 ----a-w- c:\windows\system32\Packet.dll
2010-07-12 08:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2007-02-25 16:46:55 1004124 -csha-w- c:\windows\system32\hhkmp.bak1
2007-02-26 01:18:35 1009448 -csha-w- c:\windows\system32\hhkmp.bak2
2007-02-27 00:57:57 1054230 -csha-w- c:\windows\system32\hhkmp.ini2
2010-05-08 05:35:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010050820100509\index.dat
2010-05-17 17:48:28 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-05-17 17:48:28 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-05-17 17:48:28 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 0:20:21.54 ===============
Here is my DDS.txt
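The service listing in the DDS log above is where the rootkit shows itself: `S1 zeqbqwp` points at a driver sitting directly in `c:\windows` with `[?]` in place of a timestamp and size, meaning DDS could not read the file. As an added example (not code from this thread, from DDS or from ComboFix), the script below parses lines in that `R#/S# name;display;path [info]` format and flags entries on three cheap signals: no file info, a `.sys` in the Windows root, and a random-looking name. The sample lines are constructed from the listing above, and the vowel-ratio and consonant-run thresholds in `looks_random` are assumptions tuned to the names in this thread, not a published rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines copied in shape from the DDS service listing posted above.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/21/2009 11:53 PM 64288]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-8-25 69936]
R2 SNMPAGENTSRV;OPTI-SAFE Xtreme SNMP Agent;c:\program files\opti-safe xtreme\upsagentd.exe [2004-7-2 290816]
S1 MpKslb599f8f3;MpKslb599f8f3;\??\c:\windows\system32\mpenginestore\MpKslb599f8f3.sys --> c:\windows\system32\mpenginestore\MpKslb599f8f3.sys [?]
S1 zeqbqwp;zeqbqwp;\??\c:\windows\zeqbqwp.sys --> c:\windows\zeqbqwp.sys [?]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-7-15 35088]
"""

# <state><start> <name>;<display>;<path> [<file info>]
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s+\[(.*)\]$")


@dataclass
class ServiceEntry:
    state: str          # 'R' running, 'S' stopped
    start_type: int     # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    path: str           # resolved image path (right-hand side of '-->' if present), lower-cased
    file_info: str      # timestamp and size, or '?' when DDS could not stat the file
    flags: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service line; return None for lines that are not service entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, path, info = m.groups()
    if "-->" in path:  # "\??\<path> --> <path>" form: keep the resolved path
        path = path.split("-->", 1)[1].strip()
    return ServiceEntry(state, int(start), name, display, path.lower(), info.strip())


def looks_random(name: str) -> bool:
    """Crude heuristic (assumed thresholds) for machine-generated names: letters only,
    at least 6 chars, and either almost no vowels or a very long consonant run."""
    if not name.isalpha() or len(name) < 6:
        return False
    low = name.lower()
    vowels = sum(c in "aeiou" for c in low)
    longest = max((len(run) for run in re.findall(r"[^aeiou]+", low)), default=0)
    return vowels / len(low) < 0.15 or longest >= 6


def flag(entry: ServiceEntry) -> ServiceEntry:
    """Attach review flags to an entry; each flag is one independent signal."""
    if entry.file_info == "?":
        entry.flags.append("unknown_file_info")     # image missing or hidden from the scanner
    if re.fullmatch(r"c:\\windows\\[^\\]+\.sys", entry.path):
        entry.flags.append("sys_in_windows_root")   # kernel drivers normally live in system32\drivers
    if looks_random(entry.name):
        entry.flags.append("random_looking_name")
    return entry


def triage(log_text: str, min_score: int = 2) -> List[ServiceEntry]:
    """Parse a DDS service listing and return entries carrying at least min_score flags,
    highest score first."""
    entries = [flag(e) for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return sorted((e for e in entries if e.score >= min_score),
                  key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.state}{e.start_type} {e.name:<16} {e.path}  flags={e.flags}")
```

Point `triage` at the text of a saved DDS.txt to use it on a real log. The `MpKsl*` entries also carry `[?]` but collect only one flag, so they fall below the default `min_score`; anything returned is a starting point for a reviewer to look at, not a verdict.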
Jikari
Junior Member with 13 posts.
Join Date: Sep 2010
Location: Port Orange, FL
Experience: Software Engineer
09-Sep-2010, 01:33 AM #4
Here is my Attach.txt
dvk01
Moderator & Malware Removal Specialist with 37,223 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
09-Sep-2010, 09:23 AM #5
Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully

Download ComboFix from Here or Here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop ComboFix running at all.
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again after ComboFix has finished.
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on combofix.exe & follow the prompts.
If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please tell us if it has cured the problems or if there are any outstanding issues
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Jikari
Junior Member with 13 posts.
Join Date: Sep 2010
Location: Port Orange, FL
Experience: Software Engineer
09-Sep-2010, 07:38 PM #6
Quote:
ComboFix 10-09-09.03 - OnwaTamashii 09/09/2010 18:00:25.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1561 [GMT -4:00]
Running from: c:\documents and settings\OnwaTamashii\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\OnwaTamashii\Application Data\BITS
c:\documents and settings\OnwaTamashii\Application Data\BITS\BITS.ini
c:\documents and settings\OnwaTamashii\Application Data\BITS\DHTTable.dat
c:\documents and settings\OnwaTamashii\Application Data\BITS\ProxyList.ini
c:\documents and settings\OnwaTamashii\Application Data\BITS\UPnP.ini
c:\documents and settings\OnwaTamashii\Application Data\FlashGetBHO
c:\documents and settings\OnwaTamashii\Application Data\FlashGetBHO\FlashGetBHO3.dll
c:\documents and settings\OnwaTamashii\Application Data\FlashGetBHO\FlashGetHook.dll
c:\documents and settings\OnwaTamashii\Application Data\FlashGetBHO\GetAllUrl.htm
c:\documents and settings\OnwaTamashii\Application Data\FlashGetBHO\GetUrl.htm
c:\documents and settings\OnwaTamashii\Application Data\inst.exe
c:\documents and settings\OnwaTamashii\gzip.exe
c:\progra~1\COMMON~1\{A47BF~1
c:\program files\FlashGet Network
c:\program files\HTV
c:\program files\HTV\htv.001
c:\program files\HTV\HTV.002
c:\program files\HTV\HTV.005
c:\program files\HTV\HTV.009
c:\program files\HTV\test
c:\program files\VisualSVN Server\httpd-wrapper.bat
c:\program files\vsadd-in
c:\windows\$NtUninstallMTF1011$
c:\windows\$NtUninstallMTF1011$\zrpt.xml
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\settings.reg
c:\windows\system32\certstore.dat
c:\windows\system32\Data
c:\windows\system32\gpiwepfx.ini
c:\windows\system32\hhkmp.bak1
c:\windows\system32\hhkmp.bak2
c:\windows\system32\hhkmp.ini
c:\windows\system32\hhkmp.ini2
c:\windows\system32\hhkmp.tmp
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\sduhasdb.ini
c:\windows\system32\secushr.dat
c:\windows\system32\secustat.dat
c:\windows\system32\tmp.reg
c:\windows\system32\winsusrm.dll
c:\windows\system32\winsusrx.dll
c:\windows\system32\wnsinttr.exe
c:\windows\system32\ystem~1
c:\windows\system32\zlibwapi.dll
c:\windows\wpe pro.INI

Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_zeqbqwp
-------\Legacy_VisualSVNServer
-------\Service_VisualSVNServer


((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
.

2010-09-09 01:52 . 2010-09-09 01:52 -------- d-----w- C:\79074e3cb43ddd4746c5
2010-09-09 01:21 . 2010-09-09 01:21 -------- d-----w- C:\437b16833ef10d6441d8d6d0
2010-09-09 01:07 . 2010-09-09 01:07 61696 ----a-w- c:\windows\system32\drivers\nwjvdqmg.sys
2010-09-09 01:02 . 2010-09-09 01:53 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-03 21:45 . 2010-09-03 21:45 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\enchant
2010-09-03 21:45 . 2010-09-03 21:56 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\.purple
2010-09-03 21:44 . 2010-09-03 21:58 -------- d-----w- c:\program files\Pidgin
2010-08-30 23:39 . 2010-08-30 23:47 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\Trillian
2010-08-30 23:38 . 2010-09-09 21:40 -------- d-----w- c:\program files\Trillian
2010-08-25 23:02 . 2010-07-12 08:55 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-08-25 23:02 . 2010-07-12 08:55 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-08-25 04:24 . 2010-08-25 23:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\pmrtccomd
2010-08-18 23:46 . 2010-08-18 23:46 -------- d-----w- c:\program files\Wireshark
2010-08-18 23:19 . 2010-08-19 00:07 -------- d-----w- c:\documents and settings\OnwaTamashii\.zenmap
2010-08-18 23:15 . 2010-08-18 23:18 -------- d-----w- c:\program files\Nmap
2010-08-15 15:01 . 2010-09-09 04:11 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\GetRight
2010-08-14 06:20 . 2010-08-14 06:49 -------- d-----w- c:\program files\Free Window Registry Repair
2010-08-11 05:42 . 2010-09-09 04:40 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-09 22:15 . 2008-08-26 23:14 -------- d-----w- c:\program files\VisualSVN Server
2010-09-09 04:14 . 2008-09-12 03:14 1026 -c--a-w- c:\windows\system32\ealregsnapshot1.reg
2010-09-09 03:14 . 2007-02-10 00:07 -------- d-----w- c:\program files\OPTI-SAFE Xtreme
2010-09-09 02:50 . 2009-04-21 22:55 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\Notepad++
2010-09-09 02:49 . 2009-04-21 22:55 -------- d-----w- c:\program files\Notepad++
2010-09-09 01:29 . 2010-02-12 15:45 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\vlc
2010-09-08 18:18 . 2007-08-28 17:02 -------- d-----w- c:\program files\No-IP
2010-09-03 21:54 . 2007-06-10 20:54 -------- d--h--w- c:\documents and settings\OnwaTamashii\Application Data\gtk-2.0
2010-08-25 23:02 . 2007-02-11 00:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-25 23:02 . 2007-02-11 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-25 22:46 . 2009-10-31 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-18 23:55 . 2007-07-14 06:32 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\Wireshark
2010-08-18 23:16 . 2007-07-14 06:27 -------- d-----w- c:\program files\WinPcap
2010-08-15 15:01 . 2007-02-10 03:54 -------- d-----w- c:\program files\GetRight
2010-08-11 00:07 . 2010-08-06 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall
2010-08-09 23:29 . 2010-08-09 23:29 -------- d-----w- c:\program files\DivXCodec
2010-08-09 23:29 . 2009-10-31 14:01 -------- d-----w- c:\program files\Xvid
2010-08-06 05:10 . 2010-04-24 22:23 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\HPAppData
2010-08-06 03:06 . 2010-08-06 03:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-06 03:06 . 2010-08-06 03:06 -------- d-----w- c:\program files\Common Files\ffdshowEx
2010-08-06 03:06 . 2010-08-06 03:06 -------- d-----w- c:\program files\MediaMall
2010-08-06 03:02 . 2010-08-06 03:02 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-05 23:00 . 2008-04-12 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\fktwrwfa
2010-08-05 22:16 . 2009-07-06 02:02 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\DNA
2010-08-05 03:34 . 2008-02-26 17:22 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\uTorrent
2010-08-04 22:42 . 2009-07-06 02:02 -------- d-----w- c:\program files\DNA
2010-08-04 22:21 . 2010-08-04 22:21 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\Malwarebytes
2010-08-04 22:20 . 2010-08-04 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-25 21:32 . 2007-03-26 15:47 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\OpenOffice.org2
2010-07-16 00:45 . 2010-07-16 00:45 53299 -c--a-w- c:\windows\system32\pthreadVC.dll
2010-07-16 00:45 . 2010-07-16 00:45 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2010-07-16 00:45 . 2010-07-16 00:45 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-07-16 00:45 . 2010-07-16 00:45 100880 ----a-w- c:\windows\system32\Packet.dll
2010-07-14 03:12 . 2010-07-14 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-14 02:58 . 2010-07-14 02:58 -------- d-----w- c:\program files\NOS
2010-07-12 08:55 . 2009-05-22 03:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55 . 2009-05-22 12:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-31 13666920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

c:\documents and settings\OnwaTamashii\Start Menu\Programs\Startup\
DUC20.lnk - c:\program files\No-IP\DUC20.exe [2007-8-28 1172992]
Trillian.lnk - c:\program files\Trillian\trillian.exe [2010-8-23 2068832]
VNC Server.lnk - c:\program files\RealVNC\VNC4\winvnc4.exe [2007-2-14 439248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gigabyte Wireless Utility.lnk]
backup=c:\windows\pss\Gigabyte Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 easylogin]
2008-01-24 12:31 1545216 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe_id0eythm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2004-04-27 22:18 61440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcoholautomount]
2007-12-22 07:23 221568 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto Backup for MySQL]
2007-08-04 20:50 2633728 ----a-w- c:\program files\SwordSky Software\Auto Backup for MySQL Professional Edition\abmpro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 18:18 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig6.1]
2002-08-29 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig8.1]
2006-02-28 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mspy2002]
2002-08-29 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 12:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 18:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2005-05-03 15:38 64512 ----a-w- c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002a]
2002-08-29 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002async]
2002-08-29 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-04-27 13:41 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 08:23 75520 ----a-w- c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-03-09 15:49 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"FileZilla Server"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"vsmon"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"WZCSVC"=3 (0x3)
"Adobe Version Cue CS3"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"VisualSVNServer"=2 (0x2)
"usnjsvc"=3 (0x3)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"YahooAUService"=2 (0x2)
"PnkBstrA"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"PlayOn"=*DISABLED*c:\program files\MediaMall\PlayOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"sclauncher"=c:\program files\SimpleCenter\bin\win\sclauncher.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"DeadAIM"=rundll32.exe "c:\progra~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
"AmIcoSinglun"=c:\program files\AmIcoSingLun\AmIcoSinglun.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"sta"=rundll32 "wtnep.dll",,Run

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\VisualSVN Server\\bin\\VisualSVNServer.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Brother\\BRAdmin Light\\BRAdmLight.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\SimpleCenter\\SimpleCenter.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28252:TCP"= 28252:TCP:*isabled:SolidNetworkManager
"28252:UDP"= 28252:UDP:*isabled:SolidNetworkManager
"23290:TCP"= 23290:TCP:*isabled:SolidNetworkManager
"23290:UDP"= 23290:UDP:*isabled:SolidNetworkManager
"39916:TCP"= 39916:TCP:*isabled:SolidNetworkManager
"39916:UDP"= 39916:UDP:*isabled:SolidNetworkManager
"7663:TCP"= 7663:TCP:*isabled:SolidNetworkManager
"7663:UDP"= 7663:UDP:*isabled:SolidNetworkManager
"5148:TCP"= 5148:TCP:*isabled:SolidNetworkManager
"5148:UDP"= 5148:UDP:*isabled:SolidNetworkManager
"57007:TCP"= 57007:TCP:Pando Media Booster
"57007:UDP"= 57007:UDP:Pando Media Booster
"58969:TCP"= 58969:TCP:Pando Media Booster
"58969:UDP"= 58969:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/21/2009 11:53 PM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [8/25/2010 7:02 PM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/31/2009 10:47 AM 95024]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [7/11/2007 7:23 PM 108768]
R2 onevent;OPTI-SAFE Xtreme OnEvent;c:\program files\OPTI-SAFE Xtreme\ntevent.exe [7/2/2004 7:12 PM 32768]
R2 powersrv;OPTI-SAFE Xtreme UPS;c:\program files\OPTI-SAFE Xtreme\ntsrv.exe [7/2/2004 7:13 PM 32768]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [8/25/2010 7:02 PM 69936]
R2 SNMPAGENTSRV;OPTI-SAFE Xtreme SNMP Agent;c:\program files\OPTI-SAFE Xtreme\upsagentd.exe [7/2/2004 5:29 PM 290816]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [10/29/2009 8:41 PM 1021256]
R2 upsis;OPTI-SAFE Xtreme Web Server;c:\program files\OPTI-SAFE Xtreme\upsis.exe [7/1/2004 3:04 PM 364544]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [10/14/2009 7:24 AM 10064]
S1 MpKslb599f8f3;MpKslb599f8f3;\??\c:\windows\system32\MpEngineStore\MpKslb599f8f3.sys --> c:\windows\system32\MpEngineStore\MpKslb599f8f3.sys [?]
S1 MpKslcf00484d;MpKslcf00484d;\??\c:\windows\system32\MpEngineStore\MpKslcf00484d.sys --> c:\windows\system32\MpEngineStore\MpKslcf00484d.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [5/7/2010 7:52 PM 23456]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [1/9/2009 7:36 PM 38604]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [8/29/2009 4:38 PM 10976]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1355928]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/13/2010 1:20 PM 15008]
S3 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [7/31/2010 12:59 PM 4012400]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [7/15/2010 8:45 PM 35088]
S3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [3/20/2006 7:34 PM 1452032]
S3 SE31bus;Sony Ericsson Device 049 Driver driver (WDM);c:\windows\system32\drivers\SE31bus.sys [8/29/2009 4:10 PM 61600]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [7/11/2007 7:23 PM 544768]
S4 abmsvc;Auto Backup for MySQL Service;c:\program files\SwordSky Software\Auto Backup for MySQL Professional Edition\abmsvc.exe [1/13/2008 5:08 PM 417792]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [7/11/2007 7:22 PM 1527900]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/9/2007 9:03 PM 715248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:47]

2010-09-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:47]

2010-09-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:47]

2010-09-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:47]

2010-09-09 c:\windows\Tasks\Automatic troubleshooting.job
- c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe [2009-10-30 00:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: kuaiche.com\software
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
FF - ProfilePath - c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - mail.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\extensions\{BAEBEF65-9289-47c5-8524-C345CC5D860D}\components\nsNativeCaller.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\extensions\{F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPGetRt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\SolidStateNetworks\SolidStateION\npssn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SSODL-AlrtSys-{33c0c8f4-0cf2-4d71-8dbd-5beb7be3b393} - (no file)
SSODL-DrvComponent-{ae04dc2e-b611-4786-9865-c50d24e15357} - (no file)
Notify-wvUOFuSl - wvUOFuSl.dll
MSConfigStartUp-cptpusl - c:\documents and settings\OnwaTamashii\Local Settings\Application Data\cptpusl.dll
MSConfigStartUp-CTXFIREG - CTxfiReg.exe
MSConfigStartUp-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
MSConfigStartUp-nwiz - nwiz.exe
AddRemove-SolidStateIONMozilla - c:\windows\system32\SolidStateNetworks\SolidStateION\soliduninstall

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 18:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-362288127-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1390067357-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{668581D6-9877-9E63-81BC-3E634B0B103C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"fagcgajonkkd"=hex:62,61,6a,6a,00,00
"nafchokepooijbidfjpcinkapiej"=hex:6a,61,6a,6a,6f,61,62,6f,63,6c,69,69,64,6f,
64,65,68,61,70,6e,00,dd
"maldpihpohlodjbpnapjbcjnej"=hex:6a,61,6a,6a,6f,61,62,6f,63,6c,69,69,64,6f,64,
65,68,61,70,6e,00,dd
"nafchokepooijbidfjpcinlacjfc"=hex:6a,61,6a,6a,6f,61,62,6f,63,6c,69,69,64,6f,
64,65,68,61,70,6e,00,00
"maldpihpohlodjbpnapjeceomh"=hex:6a,61,6a,6a,6f,61,62,6f,63,6c,69,69,64,6f,64,
65,68,61,70,6e,00,00

[HKEY_USERS\S-1-5-21-1390067357-362288127-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:a8,50,f2,40,1a,bb,12,15,f6,e4,db,1b,6c,82,6b,46,cf,81,92,57,55,
a8,a6,8e,09,53,c8,e8,da,0a,fe,9c,96,b3,e7,fe,e0,60,60,25,94,8f,b4,91,26,30, \
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3156)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\GetRight\xx2gr.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\nvcpl.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\wscntfy.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-09-09 18:34:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-09 22:34

Pre-Run: 11,624,525,824 bytes free
Post-Run: 17,743,884,288 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BDF2AE7F3E705BBDB95D6C54ECDBF420
Here is my ComboFix log.

I believe the virus may be completely gone now, hopefully the log can verify this.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
10-Sep-2010, 04:10 AM #7
A little bit of clearing up to do

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up appears press SAVE, choose Desktop in the list of selections in that window & press Save).
Disable any antivirus/antimalware/firewall real-time protection or script blocking in the same way you did previously before running ComboFix, & remember to re-enable it when it has finished.
Close any open browsers.
Then drag the CFScript.txt onto ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.

This will create a zip file inside C:\QooBox\quarantine named something like [38]-Submit_2008-01-17@17.50.zip

At the end it will pop up an alert & open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button, navigate to & select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select etc., and when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:
The zip file inside C:\QooBox\quarantine created by ComboFix, named something like [38]-Submit_2008-01-17@17.50.zip

or to
http://www.bleepingcomputer.com/subm...php?channel=38
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Jikari's Avatar
Computer Specs
Junior Member with 13 posts.
 
Join Date: Sep 2010
Location: Port Orange, FL
Experience: Software Engineer
10-Sep-2010, 11:43 AM #8
Quote:
ComboFix 10-09-09.04 - OnwaTamashii 09/10/2010 10:22:13.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1404 [GMT -4:00]
Running from: c:\documents and settings\OnwaTamashii\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OnwaTamashii\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

file zipped: c:\windows\system32\drivers\nwjvdqmg.sys
.

((((((((((((((((((((((((( Files Created from 2010-08-10 to 2010-09-10 )))))))))))))))))))))))))))))))
.

2010-09-09 02:50 . 2010-09-09 02:50 1539584 ----a-w- c:\documents and settings\OnwaTamashii\Application Data\Notepad++\plugins\config\plugin_install_temp\plugin2\bin\NppFTPA.dll
2010-09-09 02:50 . 2010-09-09 02:50 1563648 ----a-w- c:\documents and settings\OnwaTamashii\Application Data\Notepad++\plugins\config\plugin_install_temp\plugin2\bin\NppFTP.dll
2010-09-09 02:50 . 2010-09-09 02:50 532480 ----a-w- c:\documents and settings\OnwaTamashii\Application Data\Notepad++\plugins\config\plugin_install_temp\plugin1\NppExec.dll
2010-09-09 01:52 . 2010-09-09 01:52 -------- d-----w- C:\79074e3cb43ddd4746c5
2010-09-09 01:21 . 2010-09-09 01:21 -------- d-----w- C:\437b16833ef10d6441d8d6d0
2010-09-09 01:07 . 2010-09-09 01:07 61696 ----a-w- c:\windows\system32\drivers\nwjvdqmg.sys
2010-09-09 01:02 . 2010-09-09 01:53 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-03 21:49 . 2010-09-03 21:49 2157 ----a-w- c:\documents and settings\OnwaTamashii\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2010-09-03 21:48 . 2010-09-03 21:48 2095 ----a-w- c:\documents and settings\OnwaTamashii\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2010-09-03 21:47 . 2010-09-03 21:47 1065 ----a-w- c:\documents and settings\OnwaTamashii\Application Data\.purple\certificates\x509\tls_peers\gmail.com
2010-09-03 21:47 . 2010-09-03 21:47 1791 ----a-w- c:\documents and settings\OnwaTamashii\Application Data\.purple\certificates\x509\tls_peers\bos.oscar.aol.com
2010-09-03 21:47 . 2010-09-03 21:47 1779 ----a-w- c:\documents and settings\OnwaTamashii\Application Data\.purple\certificates\x509\tls_peers\api.oscar.aol.com
2010-09-03 21:47 . 2010-09-03 21:47 1691 ----a-w- c:\documents and settings\OnwaTamashii\Application Data\.purple\certificates\x509\tls_peers\api.screenname.aol.com
2010-09-03 21:45 . 2010-09-03 21:45 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\enchant
2010-09-03 21:45 . 2010-09-03 21:56 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\.purple
2010-09-03 21:44 . 2010-09-03 21:58 -------- d-----w- c:\program files\Pidgin
2010-08-30 23:39 . 2010-08-30 23:47 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\Trillian
2010-08-30 23:38 . 2010-09-10 14:17 -------- d-----w- c:\program files\Trillian
2010-08-25 23:02 . 2010-07-12 08:55 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-08-25 23:02 . 2010-07-12 08:55 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-08-25 04:24 . 2010-08-25 23:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\pmrtccomd
2010-08-18 23:46 . 2010-08-18 23:46 -------- d-----w- c:\program files\Wireshark
2010-08-18 23:19 . 2010-08-19 00:07 -------- d-----w- c:\documents and settings\OnwaTamashii\.zenmap
2010-08-18 23:15 . 2010-08-18 23:18 -------- d-----w- c:\program files\Nmap
2010-08-15 15:01 . 2010-09-10 04:51 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\GetRight
2010-08-14 06:20 . 2010-08-14 06:49 -------- d-----w- c:\program files\Free Window Registry Repair

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-10 13:13 . 2007-02-10 00:07 -------- d-----w- c:\program files\OPTI-SAFE Xtreme
2010-09-10 07:23 . 2010-08-06 03:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-10 07:02 . 2008-02-26 17:22 -------- d-----w- c:\program files\uTorrent
2010-09-10 02:34 . 2008-02-26 17:22 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\uTorrent
2010-09-09 22:15 . 2008-08-26 23:14 -------- d-----w- c:\program files\VisualSVN Server
2010-09-09 04:40 . 2010-08-11 05:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-09 04:14 . 2008-09-12 03:14 1026 -c--a-w- c:\windows\system32\ealregsnapshot1.reg
2010-09-09 02:50 . 2009-04-21 22:55 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\Notepad++
2010-09-09 02:49 . 2009-04-21 22:55 -------- d-----w- c:\program files\Notepad++
2010-09-09 01:29 . 2010-02-12 15:45 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\vlc
2010-09-08 18:18 . 2007-08-28 17:02 -------- d-----w- c:\program files\No-IP
2010-09-03 21:54 . 2007-06-10 20:54 -------- d--h--w- c:\documents and settings\OnwaTamashii\Application Data\gtk-2.0
2010-08-25 23:02 . 2007-02-11 00:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-25 23:02 . 2007-02-11 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-25 22:46 . 2009-10-31 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-18 23:55 . 2007-07-14 06:32 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\Wireshark
2010-08-18 23:16 . 2007-07-14 06:27 -------- d-----w- c:\program files\WinPcap
2010-08-15 15:01 . 2007-02-10 03:54 -------- d-----w- c:\program files\GetRight
2010-08-11 00:07 . 2010-08-06 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall
2010-08-09 23:29 . 2010-08-09 23:29 -------- d-----w- c:\program files\DivXCodec
2010-08-09 23:29 . 2009-10-31 14:01 -------- d-----w- c:\program files\Xvid
2010-08-09 12:55 . 2010-08-11 05:42 142736 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-08-06 05:10 . 2010-04-24 22:23 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\HPAppData
2010-08-06 03:06 . 2010-08-06 03:06 -------- d-----w- c:\program files\Common Files\ffdshowEx
2010-08-06 03:06 . 2010-08-06 03:06 -------- d-----w- c:\program files\MediaMall
2010-08-06 03:02 . 2010-08-06 03:02 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-05 23:00 . 2008-04-12 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\fktwrwfa
2010-08-05 22:16 . 2009-07-06 02:02 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\DNA
2010-08-04 22:42 . 2009-07-06 02:02 -------- d-----w- c:\program files\DNA
2010-08-04 22:21 . 2010-08-04 22:21 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\Malwarebytes
2010-08-04 22:20 . 2010-08-04 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-03 12:11 . 2010-08-03 12:11 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-08-03 12:11 . 2010-08-03 12:11 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-08-03 12:11 . 2010-08-03 12:11 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-08-03 12:11 . 2010-08-03 12:11 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
2010-08-03 12:11 . 2010-08-03 12:11 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-25 21:32 . 2007-03-26 15:47 -------- d-----w- c:\documents and settings\OnwaTamashii\Application Data\OpenOffice.org2
2010-07-16 00:45 . 2010-07-16 00:45 53299 -c--a-w- c:\windows\system32\pthreadVC.dll
2010-07-16 00:45 . 2010-07-16 00:45 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2010-07-16 00:45 . 2010-07-16 00:45 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-07-16 00:45 . 2010-07-16 00:45 100880 ----a-w- c:\windows\system32\Packet.dll
2010-07-14 03:12 . 2010-07-14 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-14 02:58 . 2010-07-14 02:58 -------- d-----w- c:\program files\NOS
2010-07-12 08:56 . 2010-08-06 03:02 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-12 08:55 . 2009-05-22 03:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55 . 2009-05-22 12:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-30 12:31 . 2006-02-28 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2006-02-28 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2006-02-28 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2006-02-28 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2007-02-09 23:06 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2006-02-28 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 21:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-31 13666920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

c:\documents and settings\OnwaTamashii\Start Menu\Programs\Startup\
DUC20.lnk - c:\program files\No-IP\DUC20.exe [2007-8-28 1172992]
Trillian.lnk - c:\program files\Trillian\trillian.exe [2010-8-23 2068832]
VNC Server.lnk - c:\program files\RealVNC\VNC4\winvnc4.exe [2007-2-14 439248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gigabyte Wireless Utility.lnk]
backup=c:\windows\pss\Gigabyte Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 easylogin]
2008-01-24 12:31 1545216 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe_id0eythm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2004-04-27 22:18 61440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcoholautomount]
2007-12-22 07:23 221568 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto Backup for MySQL]
2007-08-04 20:50 2633728 ----a-w- c:\program files\SwordSky Software\Auto Backup for MySQL Professional Edition\abmpro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-10-23 18:18 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig6.1]
2002-08-29 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig8.1]
2006-02-28 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mspy2002]
2002-08-29 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 12:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 18:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2005-05-03 15:38 64512 ----a-w- c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002a]
2002-08-29 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002async]
2002-08-29 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-04-27 13:41 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 08:23 75520 ----a-w- c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-03-09 15:49 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"FileZilla Server"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"vsmon"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"WZCSVC"=3 (0x3)
"Adobe Version Cue CS3"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"VisualSVNServer"=2 (0x2)
"usnjsvc"=3 (0x3)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"YahooAUService"=2 (0x2)
"PnkBstrA"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"PlayOn"=*DISABLED*c:\program files\MediaMall\PlayOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe"
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe"
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"sclauncher"=c:\program files\SimpleCenter\bin\win\sclauncher.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"DeadAIM"=rundll32.exe "c:\progra~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
"AmIcoSinglun"=c:\program files\AmIcoSingLun\AmIcoSinglun.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\VisualSVN Server\\bin\\VisualSVNServer.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Brother\\BRAdmin Light\\BRAdmLight.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\SimpleCenter\\SimpleCenter.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28252:TCP"= 28252:TCP:*isabled:SolidNetworkManager
"28252:UDP"= 28252:UDP:*isabled:SolidNetworkManager
"23290:TCP"= 23290:TCP:*isabled:SolidNetworkManager
"23290:UDP"= 23290:UDP:*isabled:SolidNetworkManager
"39916:TCP"= 39916:TCP:*isabled:SolidNetworkManager
"39916:UDP"= 39916:UDP:*isabled:SolidNetworkManager
"7663:TCP"= 7663:TCP:*isabled:SolidNetworkManager
"7663:UDP"= 7663:UDP:*isabled:SolidNetworkManager
"5148:TCP"= 5148:TCP:*isabled:SolidNetworkManager
"5148:UDP"= 5148:UDP:*isabled:SolidNetworkManager
"57007:TCP"= 57007:TCP:Pando Media Booster
"57007:UDP"= 57007:UDP:Pando Media Booster
"58969:TCP"= 58969:TCP:Pando Media Booster
"58969:UDP"= 58969:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/21/2009 11:53 PM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [8/25/2010 7:02 PM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/31/2009 10:47 AM 95024]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [7/11/2007 7:23 PM 108768]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [8/25/2010 7:02 PM 69936]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [10/14/2009 7:24 AM 10064]
S1 MpKslb599f8f3;MpKslb599f8f3;\??\c:\windows\system32\MpEngineStore\MpKslb599f8f3.sys --> c:\windows\system32\MpEngineStore\MpKslb599f8f3.sys [?]
S1 MpKslcf00484d;MpKslcf00484d;\??\c:\windows\system32\MpEngineStore\MpKslcf00484d.sys --> c:\windows\system32\MpEngineStore\MpKslcf00484d.sys [?]
S2 onevent;OPTI-SAFE Xtreme OnEvent;c:\program files\OPTI-SAFE Xtreme\ntevent.exe [7/2/2004 7:12 PM 32768]
S2 powersrv;OPTI-SAFE Xtreme UPS;c:\program files\OPTI-SAFE Xtreme\ntsrv.exe [7/2/2004 7:13 PM 32768]
S2 SNMPAGENTSRV;OPTI-SAFE Xtreme SNMP Agent;c:\program files\OPTI-SAFE Xtreme\upsagentd.exe [7/2/2004 5:29 PM 290816]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [10/29/2009 8:41 PM 1021256]
S2 upsis;OPTI-SAFE Xtreme Web Server;c:\program files\OPTI-SAFE Xtreme\upsis.exe [7/1/2004 3:04 PM 364544]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [5/7/2010 7:52 PM 23456]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [1/9/2009 7:36 PM 38604]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [8/29/2009 4:38 PM 10976]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1355928]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/13/2010 1:20 PM 15008]
S3 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [7/31/2010 12:59 PM 4012400]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [7/15/2010 8:45 PM 35088]
S3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [3/20/2006 7:34 PM 1452032]
S3 SE31bus;Sony Ericsson Device 049 Driver driver (WDM);c:\windows\system32\drivers\SE31bus.sys [8/29/2009 4:10 PM 61600]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [7/11/2007 7:23 PM 544768]
S4 abmsvc;Auto Backup for MySQL Service;c:\program files\SwordSky Software\Auto Backup for MySQL Professional Edition\abmsvc.exe [1/13/2008 5:08 PM 417792]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [7/11/2007 7:22 PM 1527900]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/9/2007 9:03 PM 715248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-09-10 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:47]

2010-09-10 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:47]

2010-09-10 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:47]

2010-09-10 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 16:47]

2010-09-10 c:\windows\Tasks\Automatic troubleshooting.job
- c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe [2009-10-30 00:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = <local>
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: kuaiche.com\software
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
FF - ProfilePath - c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - mail.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\extensions\{BAEBEF65-9289-47c5-8524-C345CC5D860D}\components\nsNativeCaller.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\OnwaTamashii\Application Data\Mozilla\Firefox\Profiles\g9foo8ds.default\extensions\{F8CC37C3-CBEB-4A00-8CBF-26A88693F0C5}\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPGetRt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\SolidStateNetworks\SolidStateION\npssn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-10 10:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-362288127-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1390067357-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{668581D6-9877-9E63-81BC-3E634B0B103C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"fagcgajonkkd"=hex:62,61,6a,6a,00,00
"nafchokepooijbidfjpcinkapiej"=hex:6a,61,6a,6a,6f,61,62,6f,63,6c,69,69,64,6f,64,65,68,61,70,6e,00,dd
"maldpihpohlodjbpnapjbcjnej"=hex:6a,61,6a,6a,6f,61,62,6f,63,6c,69,69,64,6f,64,65,68,61,70,6e,00,dd
"nafchokepooijbidfjpcinlacjfc"=hex:6a,61,6a,6a,6f,61,62,6f,63,6c,69,69,64,6f,64,65,68,61,70,6e,00,00
"maldpihpohlodjbpnapjeceomh"=hex:6a,61,6a,6a,6f,61,62,6f,63,6c,69,69,64,6f,64,65,68,61,70,6e,00,00

[HKEY_USERS\S-1-5-21-1390067357-362288127-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:a8,50,f2,40,1a,bb,12,15,f6,e4,db,1b,6c,82,6b,46,cf,81,92,57,55,
a8,a6,8e,09,53,c8,e8,da,0a,fe,9c,96,b3,e7,fe,e0,60,60,25,94,8f,b4,91,26,30, \
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1324)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-09-10 10:41:08
ComboFix-quarantined-files.txt 2010-09-10 14:40
ComboFix2.txt 2010-09-09 22:34

Pre-Run: 19,034,992,640 bytes free
Post-Run: 19,023,659,008 bytes free

- - End Of File - - BC7822E551FB1739AAB7DB6FE99F5E29
Here is the latest ComboFix log.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
10-Sep-2010, 03:49 PM #9
That seems to be all OK.

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click START then RUN
* Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U; it needs to be there.

This will also purge the restore folder and clear any malware that has been put in there. Now empty the Recycle Bin on the desktop, then reboot.

Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

And scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer, and update whatever it suggests.

Then pay an urgent visit to Windows Update & make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Jikari's Avatar
Computer Specs
Junior Member with 13 posts.
 
Join Date: Sep 2010
Location: Port Orange, FL
Experience: Software Engineer
10-Sep-2010, 03:51 PM #10
Thank you!
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.