1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Possible(probable) Malware infection

Discussion in 'Virus & Other Malware Removal' started by Nickdoom1, Nov 24, 2011.

Thread Status:
Not open for further replies.
Advertisement
  1. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
    Hi all,

    I'm a regular user of Ad-Aware and Mcafee security center for for antivurus/ anti spyware removal, however about 6-7 months ago(i waited awhile) I noticed some strange behavior and decided to run a complete scan with both tools to remove anything that may be infecting my PC. Doing so got rid of the issue I was having at the time, however I still get these two error messages everytime I turn on my PC:


    Error loading C:\Users\Nickdoom\AppData\Local\rsLEV2.dll
    The specified module could not be found.

    and

    Error loading C:\Users\Nickdoom\AppData\Local\amanoguqutoqih.dll
    The specified module could not be found.

    Which leads me to believe something is still trying to load these programs which My programs most likely removed.
    Also, I have noticed some general slowness remaining since then. Any assistance would be much appreciated. Logs below:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:32:22 PM, on 11/23/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Common Files\AOL\1279125156\ee\aolsoftware.exe
    C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Users\Nickdoom\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\DllHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll
    R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
    F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
    O3 - Toolbar: AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll
    O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1279125156\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Nickdoom\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [xthrtelh] C:\Users\Nickdoom\AppData\Local\chhwgcrgm\atinhvftssd.exe
    O4 - HKCU\..\Run: [XBV6RD5SZF] C:\Users\Nickdoom\AppData\Local\Temp\Fdd.exe
    O4 - HKCU\..\Run: [Skype] "C:\Users\Nickdoom\AppData\Roaming\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [RegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SvrWsc] "C:\Users\Nickdoom\AppData\Roaming\svrwsc.exe"
    O4 - HKCU\..\Run: [Gkacowuwuqe] rundll32.exe "C:\Users\Nickdoom\AppData\Local\rsLEV2.dll",Startup
    O4 - HKCU\..\Run: [asecpp70.exe] C:\Users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\asecpp70.exe
    O4 - HKCU\..\Run: [Ghalicogo] rundll32.exe "C:\Users\Nickdoom\AppData\Local\amanoguqutoqih.dll",Startup
    O4 - Startup: Antimalware Doctor.lnk = C:\Users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\asecpp70.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} (MetaStreamCtl Class) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
    O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
    O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
    O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe








    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_29
    Run by Nickdoom at 17:26:53 on 2011-11-23
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1570 [GMT -5:00]

    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: McAfee VirusScan *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\STacSV.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Common Files\AOL\1279125156\ee\aolsoftware.exe
    C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Users\Nickdoom\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.aol.com
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080723
    mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080723
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
    TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    uRun: [DW6]
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [BitTorrent DNA] "c:\users\nickdoom\program files\dna\btdna.exe"
    uRun: [PlayNC Launcher]
    uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
    uRun: [xthrtelh] c:\users\nickdoom\appdata\local\chhwgcrgm\atinhvftssd.exe
    uRun: [XBV6RD5SZF] c:\users\nickdoom\appdata\local\temp\Fdd.exe
    uRun: [Skype] "c:\users\nickdoom\appdata\roaming\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [SvrWsc] "c:\users\nickdoom\appdata\roaming\svrwsc.exe"
    uRun: [Gkacowuwuqe] rundll32.exe "c:\users\nickdoom\appdata\local\rsLEV2.dll",Startup
    uRun: [asecpp70.exe] c:\users\nickdoom\appdata\roaming\20fc2a43ad9758a747082dad751164bf\asecpp70.exe
    uRun: [Ghalicogo] rundll32.exe "c:\users\nickdoom\appdata\local\amanoguqutoqih.dll",Startup
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [<NO NAME>]
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [HostManager] c:\program files\common files\aol\1279125156\ee\AOLSoftware.exe
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\users\nickdoom\appdata\roaming\micros~1\windows\startm~1\programs\startup\antima~1.lnk - c:\users\nickdoom\appdata\roaming\20fc2a43ad9758a747082dad751164bf\asecpp70.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
    TCP: Interfaces\{02AE3C2F-D449-4630-A748-BADB87151429} : DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
    TCP: Interfaces\{0EA7A9BF-2BC1-4672-A3E7-1F175D46ADDB} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    TCP: Interfaces\{11C913DA-57EA-434A-A588-95377F66B03D} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    TCP: Interfaces\{D83472D3-BDCA-4CF0-95F1-36FE3B78F497} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    TCP: Interfaces\{EB693D5B-957F-45C6-BB67-2388606067D9} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\nickdoom\appdata\roaming\mozilla\firefox\profiles\yhf39qsn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ff-aolTB50CL-ab-en-us&query=
    FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
    FF - component: c:\users\nickdoom\appdata\roaming\mozilla\firefox\profiles\yhf39qsn.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}\components\dtTransparency.dll
    FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\users\nickdoom\appdata\roaming\move networks\plugins\npqmp071500000347.dll
    FF - plugin: c:\users\nickdoom\appdata\roaming\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\users\nickdoom\appdata\roaming\move networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\users\nickdoom\program files\dna\plugins\npbtdna.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-22 64512]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-4 172032]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-3 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-3 144704]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-1-7 378984]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-3 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-3 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-3 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-3 40552]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
    S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-3 34248]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
    S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\WUSB54GCx86.sys [2008-7-26 256000]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-11-23 22:26:14 388096 ----a-r- c:\users\nickdoom\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-11-23 22:26:12 -------- d-----w- c:\program files\Trend Micro
    2011-11-23 21:44:16 -------- d-----w- c:\users\nickdoom\appdata\local\{5336C1BC-9C19-4A1C-94FD-C3ECED496BAF}
    2011-11-23 21:43:48 -------- d-----w- c:\users\nickdoom\appdata\local\{BF0AB23C-1F04-453F-846C-82DC67AC5E64}
    2011-11-23 03:36:55 -------- d-----w- c:\users\nickdoom\appdata\local\{1F5C8C4F-616B-4FB4-8C01-70605BFC54E7}
    2011-11-23 03:36:30 -------- d-----w- c:\users\nickdoom\appdata\local\{A3F7A96C-AC42-4496-A3F2-7CDC1D3F83CF}
    2011-11-21 04:18:52 -------- d-----w- c:\users\nickdoom\appdata\local\{E2E60203-4E75-46FE-B078-0BF4572A9314}
    2011-11-16 03:18:22 -------- d-----w- c:\users\nickdoom\appdata\local\{5BCE6413-8486-4B10-96F5-2CA76D213EA2}
    2011-11-16 03:17:57 -------- d-----w- c:\users\nickdoom\appdata\local\{0D53AE09-C23A-4C40-B6FF-639D5BF88F67}
    2011-11-14 04:31:10 -------- d-----w- c:\users\nickdoom\appdata\local\adaware
    2011-11-14 04:31:09 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
    2011-11-14 04:31:07 -------- d-----w- c:\program files\Toolbar Cleaner
    2011-11-14 04:30:58 -------- d-----w- c:\program files\adawaretb
    2011-11-13 21:32:43 -------- d-----w- c:\users\nickdoom\appdata\local\{8A8B49EF-BEB2-436A-96C9-DEE877DB9EE9}
    2011-11-13 21:32:22 -------- d-----w- c:\users\nickdoom\appdata\local\{67F8018F-3694-4A6A-94DD-68E52279DC65}
    2011-11-12 22:36:51 -------- d-----w- c:\windows\system32\wbem\framework\root\CPUThermometer
    2011-11-12 22:36:51 -------- d-----w- c:\windows\system32\wbem\framework\root
    2011-11-12 22:36:51 -------- d-----w- c:\windows\system32\wbem\Framework
    2011-11-12 22:32:04 -------- d-----w- c:\users\nickdoom\appdata\local\{92AD70C2-BC8C-402B-864E-54CA1B92450B}
    2011-11-12 22:31:51 -------- d-----w- c:\users\nickdoom\appdata\local\{46736FE3-BE61-45E8-A3CE-E65114767559}
    2011-11-11 04:18:04 -------- d-----w- c:\users\nickdoom\appdata\local\{3C716C91-798B-4DF5-BAA2-71E624E64A0C}
    2011-11-11 04:17:42 -------- d-----w- c:\users\nickdoom\appdata\local\{AB9EEEE9-2447-4CDE-BED9-5002AA419604}
    2011-11-09 00:20:05 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-11-09 00:20:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 00:20:03 707584 ----a-w- c:\program files\common files\system\wab32.dll
    2011-11-06 22:09:09 -------- d-----w- c:\users\nickdoom\appdata\local\{87ACB87B-A773-4E5C-80AC-DC3D3541FF0A}
    2011-11-06 22:08:46 -------- d-----w- c:\users\nickdoom\appdata\local\{C1BEB84B-23E5-42A1-9498-9AD8DA17844A}
    2011-11-05 22:06:28 -------- d-----w- c:\users\nickdoom\appdata\local\{CEB9D594-4AD7-4343-AAF7-F51B2B06DEC4}
    2011-11-05 22:06:13 -------- d-----w- c:\users\nickdoom\appdata\local\{205EF658-F314-4130-8F54-14D67F70D77D}
    2011-11-04 02:26:57 -------- d-----w- c:\users\nickdoom\appdata\local\{DE1077C4-0CBE-4B57-A630-695E19761211}
    2011-11-04 02:26:30 -------- d-----w- c:\users\nickdoom\appdata\local\{6E56EE3F-93C9-4EC9-9772-01E1CE0FAC29}
    2011-11-02 23:02:06 -------- d-----w- c:\users\nickdoom\appdata\local\{379B4557-997B-464C-92E5-130DFF8E813C}
    2011-11-02 23:01:45 -------- d-----w- c:\users\nickdoom\appdata\local\{3FC639BB-545F-4C3F-9776-6D2E0EDDCB04}
    2011-10-31 23:11:18 -------- d-----w- c:\users\nickdoom\appdata\local\{DF9A9025-B5DF-4F4D-BD9D-1D089A01191C}
    2011-10-31 23:10:55 -------- d-----w- c:\users\nickdoom\appdata\local\{59612F11-9537-47FC-9301-CC5410A3B840}
    2011-10-30 19:53:07 -------- d-----w- c:\users\nickdoom\appdata\local\{4AE522F9-59D4-41A0-8D3F-B2CFAFA22918}
    2011-10-30 19:52:44 -------- d-----w- c:\users\nickdoom\appdata\local\{1FFAB5CE-80D7-41B3-9AB4-346A21425B4F}
    2011-10-27 23:14:47 -------- d-----w- c:\users\nickdoom\appdata\local\{1A9C9CA0-7929-42D6-AE42-00683888D1DD}
    2011-10-27 23:14:35 -------- d-----w- c:\users\nickdoom\appdata\local\{63D8F5F1-04B6-42B7-85AC-D085F8189809}
    2011-10-26 23:16:51 -------- d-----w- c:\users\nickdoom\appdata\local\{4873E85C-FA68-4442-8B35-26AFB0B5ED0A}
    2011-10-26 23:16:24 -------- d-----w- c:\users\nickdoom\appdata\local\{B84DD4D0-E649-4AA7-A515-DF2EC5A1B121}
    .
    ==================== Find3M ====================
    .
    2011-11-03 17:06:56 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-10-27 23:21:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-22 19:08:28 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-09-02 13:39:07 1383424 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 17:28:17.73 ===============









    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-11-23 17:34:42
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0
    Running: 5qm21o1l.exe; Driver: C:\Users\Nickdoom\AppData\Local\Temp\kxtdqpoc.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F81A79E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F81A738]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F81A74C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F81A7DC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8F81A81F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F81A710]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F81A724]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F81A7B2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8F81A847]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8F81A833]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F81A78A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F81A776]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F81A80B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F81A7F2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F81A7C8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F81A762]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\iaStor \Device\Ide\iaStor0 [8A2A4580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8A2A4580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8A2A4580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\aceiqetc \Device\Scsi\aceiqetc1Port2Path0Target0Lun0 87397500
    Device \Driver\aceiqetc \Device\Scsi\aceiqetc1 87397500
    Device \Driver\aceiqetc \Device\Scsi\aceiqetc1Port2Path0Target1Lun0 87397500
    Device \FileSystem\Ntfs \Ntfs 84B921F8

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    Device \FileSystem\fastfat \Fat 884371F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
     

    Attached Files:

  2. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
  3. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
  4. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
  5. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
  6. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
  7. Larusso

    Larusso Malware Specialist

    Joined:
    Aug 9, 2011
    Messages:
    808
    Hy
    my name is Daniel and I will be assisting you with your Malware related problems.

    Before we move on, please read the following points carefully.
    • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
    • Perform everything in the correct order. Sometimes one step requires the previous one.
    • If you have any problems while you are following my instructions, Stop there and tell me the exact nature of your problem.
    • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
    • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
    • If I don't hear from you within 3 days from this initial or any subsequent post, I will have to unsubscribe from this thread and move on to assist someone else.
    • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
    • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.



    Please launch DDS
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop and post both in your next reply



    Double click GMER.exe.
    • If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


      [​IMG]
      Click the image to enlarge it


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries



    Please post in your next reply
    dds.txt
    attach.txt
     
  8. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
    Requested logs below:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_29
    Run by Nickdoom at 21:12:45 on 2011-12-03
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1314 [GMT -5:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: McAfee VirusScan *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\STacSV.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\Nickdoom\Downloads\CPU Thermometer\CPUThermometer.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Common Files\AOL\1279125156\ee\aolsoftware.exe
    C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Users\Nickdoom\Program Files\DNA\btdna.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.aol.com
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080723
    mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080723
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
    TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    uRun: [DW6]
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [BitTorrent DNA] "c:\users\nickdoom\program files\dna\btdna.exe"
    uRun: [PlayNC Launcher]
    uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
    uRun: [xthrtelh] c:\users\nickdoom\appdata\local\chhwgcrgm\atinhvftssd.exe
    uRun: [XBV6RD5SZF] c:\users\nickdoom\appdata\local\temp\Fdd.exe
    uRun: [Skype] "c:\users\nickdoom\appdata\roaming\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [SvrWsc] "c:\users\nickdoom\appdata\roaming\svrwsc.exe"
    uRun: [Gkacowuwuqe] rundll32.exe "c:\users\nickdoom\appdata\local\rsLEV2.dll",Startup
    uRun: [asecpp70.exe] c:\users\nickdoom\appdata\roaming\20fc2a43ad9758a747082dad751164bf\asecpp70.exe
    uRun: [Ghalicogo] rundll32.exe "c:\users\nickdoom\appdata\local\amanoguqutoqih.dll",Startup
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [<NO NAME>]
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [HostManager] c:\program files\common files\aol\1279125156\ee\AOLSoftware.exe
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\users\nickdoom\appdata\roaming\micros~1\windows\startm~1\programs\startup\antima~1.lnk - c:\users\nickdoom\appdata\roaming\20fc2a43ad9758a747082dad751164bf\asecpp70.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
    TCP: Interfaces\{02AE3C2F-D449-4630-A748-BADB87151429} : DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
    TCP: Interfaces\{0EA7A9BF-2BC1-4672-A3E7-1F175D46ADDB} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    TCP: Interfaces\{11C913DA-57EA-434A-A588-95377F66B03D} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    TCP: Interfaces\{D83472D3-BDCA-4CF0-95F1-36FE3B78F497} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    TCP: Interfaces\{EB693D5B-957F-45C6-BB67-2388606067D9} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\nickdoom\appdata\roaming\mozilla\firefox\profiles\yhf39qsn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ff-aolTB50CL-ab-en-us&query=
    FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
    FF - component: c:\users\nickdoom\appdata\roaming\mozilla\firefox\profiles\yhf39qsn.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}\components\dtTransparency.dll
    FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\users\nickdoom\appdata\roaming\move networks\plugins\npqmp071500000347.dll
    FF - plugin: c:\users\nickdoom\appdata\roaming\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\users\nickdoom\appdata\roaming\move networks\plugins\npqmp071505000011.dll
    FF - plugin: c:\users\nickdoom\program files\dna\plugins\npbtdna.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-22 64512]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-4 172032]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-3 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-3 144704]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-1-7 378984]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-3 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-3 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-3 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-3 40552]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
    S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-3 34248]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
    S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\WUSB54GCx86.sys [2008-7-26 256000]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-12-04 00:29:22 -------- d-----w- c:\users\nickdoom\appdata\local\{CB426B25-2C49-4F2B-9CCC-B1F108D428CD}
    2011-12-04 00:28:58 -------- d-----w- c:\users\nickdoom\appdata\local\{8730FB77-87BE-4CFB-8CF3-9A08DE3C0A9B}
    2011-12-03 20:07:20 100864 ----a-w- C:\kxtdqpoc.sys
    2011-12-03 00:27:37 -------- d-----w- c:\users\nickdoom\appdata\local\{CAE20F3C-52FE-43DC-A57C-E2CCE230E6B1}
    2011-12-03 00:27:15 -------- d-----w- c:\users\nickdoom\appdata\local\{3AEC79CB-B218-480B-8C4C-E49D7B039EB4}
    2011-12-02 00:53:47 -------- d-----w- c:\users\nickdoom\appdata\local\{8DF035B3-EAA0-4876-9166-6D7258D14C6A}
    2011-12-02 00:53:24 -------- d-----w- c:\users\nickdoom\appdata\local\{6BA138F8-8F94-4A19-B798-DBB65EF97EEE}
    2011-11-29 02:45:56 -------- d-----w- c:\users\nickdoom\appdata\local\{8A1F0941-1D6D-48FF-AEC7-907B152EA413}
    2011-11-29 02:45:34 -------- d-----w- c:\users\nickdoom\appdata\local\{45B9429B-C4C0-4F5A-BBA1-D5DCECC8459A}
    2011-11-25 21:37:47 -------- d-----w- c:\users\nickdoom\appdata\local\{7F33F482-479C-410C-9C04-D9F8EE385E15}
    2011-11-25 21:37:26 -------- d-----w- c:\users\nickdoom\appdata\local\{C314A468-E13B-4841-B273-E9FBF009BFDB}
    2011-11-24 20:54:17 -------- d-----w- c:\users\nickdoom\appdata\local\{D6988338-EFD2-42F6-A055-3D7A0537412F}
    2011-11-24 20:53:55 -------- d-----w- c:\users\nickdoom\appdata\local\{6159DE17-8DB5-4C8F-89A6-B91755BA5D08}
    2011-11-23 22:26:14 388096 ----a-r- c:\users\nickdoom\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-11-23 22:26:12 -------- d-----w- c:\program files\Trend Micro
    2011-11-23 21:44:16 -------- d-----w- c:\users\nickdoom\appdata\local\{5336C1BC-9C19-4A1C-94FD-C3ECED496BAF}
    2011-11-23 21:43:48 -------- d-----w- c:\users\nickdoom\appdata\local\{BF0AB23C-1F04-453F-846C-82DC67AC5E64}
    2011-11-23 03:36:55 -------- d-----w- c:\users\nickdoom\appdata\local\{1F5C8C4F-616B-4FB4-8C01-70605BFC54E7}
    2011-11-23 03:36:30 -------- d-----w- c:\users\nickdoom\appdata\local\{A3F7A96C-AC42-4496-A3F2-7CDC1D3F83CF}
    2011-11-21 04:18:52 -------- d-----w- c:\users\nickdoom\appdata\local\{E2E60203-4E75-46FE-B078-0BF4572A9314}
    2011-11-16 03:18:22 -------- d-----w- c:\users\nickdoom\appdata\local\{5BCE6413-8486-4B10-96F5-2CA76D213EA2}
    2011-11-16 03:17:57 -------- d-----w- c:\users\nickdoom\appdata\local\{0D53AE09-C23A-4C40-B6FF-639D5BF88F67}
    2011-11-14 04:31:10 -------- d-----w- c:\users\nickdoom\appdata\local\adaware
    2011-11-14 04:31:09 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
    2011-11-14 04:31:07 -------- d-----w- c:\program files\Toolbar Cleaner
    2011-11-14 04:30:58 -------- d-----w- c:\program files\adawaretb
    2011-11-13 21:32:43 -------- d-----w- c:\users\nickdoom\appdata\local\{8A8B49EF-BEB2-436A-96C9-DEE877DB9EE9}
    2011-11-13 21:32:22 -------- d-----w- c:\users\nickdoom\appdata\local\{67F8018F-3694-4A6A-94DD-68E52279DC65}
    2011-11-12 22:36:51 -------- d-----w- c:\windows\system32\wbem\framework\root\CPUThermometer
    2011-11-12 22:36:51 -------- d-----w- c:\windows\system32\wbem\framework\root
    2011-11-12 22:36:51 -------- d-----w- c:\windows\system32\wbem\Framework
    2011-11-12 22:32:04 -------- d-----w- c:\users\nickdoom\appdata\local\{92AD70C2-BC8C-402B-864E-54CA1B92450B}
    2011-11-12 22:31:51 -------- d-----w- c:\users\nickdoom\appdata\local\{46736FE3-BE61-45E8-A3CE-E65114767559}
    2011-11-11 04:18:04 -------- d-----w- c:\users\nickdoom\appdata\local\{3C716C91-798B-4DF5-BAA2-71E624E64A0C}
    2011-11-11 04:17:42 -------- d-----w- c:\users\nickdoom\appdata\local\{AB9EEEE9-2447-4CDE-BED9-5002AA419604}
    2011-11-09 00:20:05 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-11-09 00:20:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 00:20:03 707584 ----a-w- c:\program files\common files\system\wab32.dll
    2011-11-06 22:09:09 -------- d-----w- c:\users\nickdoom\appdata\local\{87ACB87B-A773-4E5C-80AC-DC3D3541FF0A}
    2011-11-06 22:08:46 -------- d-----w- c:\users\nickdoom\appdata\local\{C1BEB84B-23E5-42A1-9498-9AD8DA17844A}
    2011-11-05 22:06:28 -------- d-----w- c:\users\nickdoom\appdata\local\{CEB9D594-4AD7-4343-AAF7-F51B2B06DEC4}
    2011-11-05 22:06:13 -------- d-----w- c:\users\nickdoom\appdata\local\{205EF658-F314-4130-8F54-14D67F70D77D}
    2011-11-04 02:26:57 -------- d-----w- c:\users\nickdoom\appdata\local\{DE1077C4-0CBE-4B57-A630-695E19761211}
    2011-11-04 02:26:30 -------- d-----w- c:\users\nickdoom\appdata\local\{6E56EE3F-93C9-4EC9-9772-01E1CE0FAC29}
    .
    ==================== Find3M ====================
    .
    2011-11-30 00:20:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-03 17:06:56 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-10-22 19:08:28 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 21:14:06.06 ===============














    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-11-23 17:34:42
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0
    Running: 5qm21o1l.exe; Driver: C:\Users\Nickdoom\AppData\Local\Temp\kxtdqpoc.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F81A79E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F81A738]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F81A74C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F81A7DC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8F81A81F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F81A710]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F81A724]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F81A7B2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8F81A847]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8F81A833]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F81A78A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F81A776]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F81A80B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F81A7F2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F81A7C8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F81A762]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\iaStor \Device\Ide\iaStor0 [8A2A4580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8A2A4580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8A2A4580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\aceiqetc \Device\Scsi\aceiqetc1Port2Path0Target0Lun0 87397500
    Device \Driver\aceiqetc \Device\Scsi\aceiqetc1 87397500
    Device \Driver\aceiqetc \Device\Scsi\aceiqetc1Port2Path0Target1Lun0 87397500
    Device \FileSystem\Ntfs \Ntfs 84B921F8

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    Device \FileSystem\fastfat \Fat 884371F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  9. Larusso

    Larusso Malware Specialist

    Joined:
    Aug 9, 2011
    Messages:
    808
    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT- Save ComboFix.exe to your Desktop

    ====================================================


    Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


    ====================================================


    Double click on combofix.exe & follow the prompts.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

    *Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.



    Please post in your next reply
    Combofix.txt
     
  10. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
    Requested log below:



    ComboFix 11-12-04.03 - Nickdoom 12/04/2011 14:29:17.1.4 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1886 [GMT -5:00]
    Running from: c:\users\Nickdoom\Downloads\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\users\Nickdoom\AppData\Roaming\Adobe\plugs
    c:\users\Nickdoom\AppData\Roaming\Adobe\shed
    c:\users\Nickdoom\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk
    c:\users\Nickdoom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk
    c:\windows\system32\1318cb2a.dll
    c:\windows\system32\133059b4.dll
    c:\windows\system32\14fb76fc.dll
    c:\windows\system32\18dd2a7f.dll
    c:\windows\system32\1e48110.dll
    c:\windows\system32\1f73edcd.dll
    c:\windows\system32\1fc92ab.dll
    c:\windows\system32\209d6455.dll
    c:\windows\system32\22332438.dll
    c:\windows\system32\22409cd8.dll
    c:\windows\system32\27616a0.dll
    c:\windows\system32\2854c3d0.dll
    c:\windows\system32\2ab2d0a0.dll
    c:\windows\system32\2b644c02.dll
    c:\windows\system32\2cdbb8b.dll
    c:\windows\system32\2f0bb560.dll
    c:\windows\system32\30b10b2a.dll
    c:\windows\system32\33c97a10.dll
    c:\windows\system32\43d7aa8.dll
    c:\windows\system32\59cdeeb.dll
    c:\windows\system32\5b4a4bc.dll
    c:\windows\system32\5cd4d4d.dll
    c:\windows\system32\679a901.dll
    c:\windows\system32\7ae6d6e.dll
    c:\windows\system32\83b652a.dll
    c:\windows\system32\987d7d0.dll
    c:\windows\system32\aa3f8e9.dll
    c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-04 19:36 . 2011-12-04 19:36 -------- d-----w- c:\users\Kayla\AppData\Local\temp
    2011-12-04 19:36 . 2011-12-04 19:36 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-03 20:07 . 2011-12-03 20:07 100864 ----a-w- C:\kxtdqpoc.sys
    2011-11-26 22:44 . 2011-11-26 22:47 -------- d-----w- c:\users\Kayla\AppData\Local\adaware
    2011-11-23 22:26 . 2011-11-23 22:26 388096 ----a-r- c:\users\Nickdoom\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-11-23 22:26 . 2011-11-23 22:26 -------- d-----w- c:\program files\Trend Micro
    2011-11-14 04:31 . 2011-11-14 04:31 -------- d-----w- c:\users\Nickdoom\AppData\Local\adaware
    2011-11-14 04:31 . 2011-12-04 19:24 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
    2011-11-14 04:31 . 2011-11-14 04:31 -------- d-----w- c:\program files\Toolbar Cleaner
    2011-11-14 04:30 . 2011-11-14 04:31 -------- d-----w- c:\program files\adawaretb
    2011-11-12 22:36 . 2011-11-12 22:36 -------- d-----w- c:\windows\system32\wbem\Framework
    2011-11-09 00:20 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-11-09 00:20 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 00:20 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-30 00:20 . 2011-05-19 23:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-03 17:06 . 2011-10-22 19:07 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-10-22 19:08 . 2011-10-22 21:16 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-10-03 10:06 . 2010-07-14 02:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-06 13:30 . 2011-10-15 15:26 2043392 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440]
    .
    [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
    "BitTorrent DNA"="c:\users\Nickdoom\Program Files\DNA\btdna.exe" [2009-10-15 323392]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-07-09 36352]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-12 405504]
    "HostManager"="c:\program files\Common Files\AOL\1279125156\ee\AOLSoftware.exe" [2010-03-08 41800]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-07-23 00:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    2009-02-06 18:17 3325952 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2008-07-23 00:27 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2011-05-13 20:03 4283256 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-07-31 01:29 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-05-14 309744]
    R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-05-14 166384]
    R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
    R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
    R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\DRIVERS\WUSB54GCx86.sys [2007-03-12 256000]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-08-02 3732680]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-05-14 1120752]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-11-03 64512]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-01-24 717296]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-04 172032]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-11-03 2152152]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-11-03 15232]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
    FF - ProfilePath - c:\users\Nickdoom\AppData\Roaming\Mozilla\Firefox\Profiles\yhf39qsn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ff-aolTB50CL-ab-en-us&query=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-DW6 - (no file)
    HKCU-Run-PlayNC Launcher - (no file)
    HKCU-Run-xthrtelh - c:\users\Nickdoom\AppData\Local\chhwgcrgm\atinhvftssd.exe
    HKCU-Run-Skype - c:\users\Nickdoom\AppData\Roaming\Skype\Phone\Skype.exe
    HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
    HKCU-Run-SvrWsc - c:\users\Nickdoom\AppData\Roaming\svrwsc.exe
    HKCU-Run-Gkacowuwuqe - c:\users\Nickdoom\AppData\Local\rsLEV2.dll
    HKCU-Run-asecpp70.exe - c:\users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\asecpp70.exe
    HKCU-Run-Ghalicogo - c:\users\Nickdoom\AppData\Local\amanoguqutoqih.dll
    HKLM-Run-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
    MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1218000621\ee\AOLSoftware.exe
    MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    AddRemove-Belarc Advisor - c:\progra~1\Belarc\Advisor\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-04 14:37
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2454977157-4142654921-3647568439-1000\Software\SecuROM\License information*]
    "datasecu"=hex:c0,60,e6,2f,d6,16,71,cf,08,16,92,50,2d,ee,cb,46,21,30,fc,6c,e6,
    8c,df,a3,ff,56,f6,ac,af,2f,4c,0d,4a,2f,b6,e7,23,2b,f7,6a,50,c2,20,40,14,37,\
    "rkeysecu"=hex:d1,20,b1,b2,fe,e0,da,38,ae,4c,62,7c,8c,f3,ec,a8
    .
    Completion time: 2011-12-04 14:39:40
    ComboFix-quarantined-files.txt 2011-12-04 19:39
    .
    Pre-Run: 57,707,315,200 bytes free
    Post-Run: 57,715,556,352 bytes free
    .
    - - End Of File - - 3BC0397D587620EB9E24717A6AD079EC
     
  11. Larusso

    Larusso Malware Specialist

    Joined:
    Aug 9, 2011
    Messages:
    808
    Download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Save it to your desktop.
    Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.



    Go here to run an online scanner from ESET.
    • Note: You will need to use Internet explorer for this scan
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
    • Click Start
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
    • Copy and paste that log in your next reply.



    Please launch DDS
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop and post both in your next reply



    Please post in your next reply
    MBAM Log
    log.txt
    dds.txt
    attach.txt
    Note any open issues
     
  12. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
    Below are the requested logs, although the ESET scan (run twice) did not log properly either time.


    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8320

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    12/5/2011 10:14:33 PM
    mbam-log-2011-12-05 (22-14-33).txt

    Scan type: Quick scan
    Objects scanned: 189430
    Time elapsed: 5 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\209K1I9HN8 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XBV6RD5SZF (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    The ESET log file:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK

    I did however copy the results of infected files to clipboard for review (4 infected files):

    C:\Users\Nickdoom\AppData\LocalLow\MyWebSearch\bar\setups\mwsautSp.exe a variant of Win32/Toolbar.MyWebSearch.K application
    C:\Users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Users\Nickdoom\Downloads\cbbleepingregistrybooster.exe a variant of Win32/RegistryBooster application




    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_29
    Run by Nickdoom at 7:27:57 on 2011-12-06
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1666 [GMT -5:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\system32\mfevtps.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\STacSV.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
    C:\Program Files\Common Files\AOL\1279125156\ee\aolsoftware.exe
    C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Users\Nickdoom\Program Files\DNA\btdna.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\program files\aim toolbar\aimtbServer.exe
    c:\program files\aol toolbar\aoltbServer.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.aol.com
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111204150538.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
    TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [BitTorrent DNA] "c:\users\nickdoom\program files\dna\btdna.exe"
    uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
    mRun: [HostManager] c:\program files\common files\aol\1279125156\ee\AOLSoftware.exe
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
    TCP: Interfaces\{02AE3C2F-D449-4630-A748-BADB87151429} : DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
    TCP: Interfaces\{0EA7A9BF-2BC1-4672-A3E7-1F175D46ADDB} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    TCP: Interfaces\{11C913DA-57EA-434A-A588-95377F66B03D} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    TCP: Interfaces\{D83472D3-BDCA-4CF0-95F1-36FE3B78F497} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    TCP: Interfaces\{EB693D5B-957F-45C6-BB67-2388606067D9} : DhcpNameServer = 66.189.0.29 66.189.0.30 66.189.0.5
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\nickdoom\appdata\roaming\mozilla\firefox\profiles\yhf39qsn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ff-aolTB50CL-ab-en-us&query=
    FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
    FF - component: c:\users\nickdoom\appdata\roaming\mozilla\firefox\profiles\yhf39qsn.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}\components\dtTransparency.dll
    FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\users\nickdoom\program files\dna\plugins\npbtdna.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-22 64512]
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 459728]
    R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-12-4 64584]
    R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-12-4 165032]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-4 172032]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-4 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-4 271480]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-4 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-4 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-4 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-4 148520]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-1-7 378984]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-4 56064]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-3 153280]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-3 52320]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-4 314088]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
    S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-4 84488]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-3 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-3 40552]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
    S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\WUSB54GCx86.sys [2008-7-26 256000]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-12-06 03:18:00 -------- d-----w- c:\program files\ESET
    2011-12-06 03:06:36 -------- d-----w- c:\users\nickdoom\appdata\roaming\Malwarebytes
    2011-12-06 03:06:23 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-06 03:06:20 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-06 03:06:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-04 21:44:16 5174 ----a-w- c:\windows\system32\nppt9x.vxd
    2011-12-04 21:44:16 4682 ----a-w- c:\windows\system32\npptNT2.sys
    2011-12-04 20:05:38 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    2011-12-04 20:05:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-12-04 20:05:31 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-12-04 20:05:31 64584 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-12-04 20:05:31 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-12-04 20:05:31 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-12-04 20:05:31 165032 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-12-04 20:05:26 -------- d-----w- c:\program files\McAfee.com
    2011-12-04 20:05:26 -------- d-----w- c:\program files\common files\Mcafee
    2011-12-04 20:05:24 -------- d-----w- c:\program files\McAfee
    2011-12-04 20:01:19 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2011-12-04 19:39:50 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-12-04 19:25:54 -------- d-----w- C:\ComboFix
    2011-12-04 19:16:16 208896 ----a-w- c:\windows\MBR.exe
    2011-12-04 19:16:13 98816 ----a-w- c:\windows\sed.exe
    2011-12-04 19:16:13 518144 ----a-w- c:\windows\SWREG.exe
    2011-12-04 19:16:13 256000 ----a-w- c:\windows\PEV.exe
    2011-12-04 19:06:06 -------- d-----w- c:\users\nickdoom\appdata\local\{F099D2DB-38C0-4A3A-9231-E7BD2E804EC4}
    2011-12-04 19:05:43 -------- d-----w- c:\users\nickdoom\appdata\local\{C78DB8C4-C07A-4B4E-AA79-BFA0EAE532E6}
    2011-12-04 00:29:22 -------- d-----w- c:\users\nickdoom\appdata\local\{CB426B25-2C49-4F2B-9CCC-B1F108D428CD}
    2011-12-04 00:28:58 -------- d-----w- c:\users\nickdoom\appdata\local\{8730FB77-87BE-4CFB-8CF3-9A08DE3C0A9B}
    2011-12-03 20:07:20 100864 ----a-w- C:\kxtdqpoc.sys
    2011-12-03 00:27:37 -------- d-----w- c:\users\nickdoom\appdata\local\{CAE20F3C-52FE-43DC-A57C-E2CCE230E6B1}
    2011-12-03 00:27:15 -------- d-----w- c:\users\nickdoom\appdata\local\{3AEC79CB-B218-480B-8C4C-E49D7B039EB4}
    2011-12-02 00:53:47 -------- d-----w- c:\users\nickdoom\appdata\local\{8DF035B3-EAA0-4876-9166-6D7258D14C6A}
    2011-12-02 00:53:24 -------- d-----w- c:\users\nickdoom\appdata\local\{6BA138F8-8F94-4A19-B798-DBB65EF97EEE}
    2011-11-29 02:45:56 -------- d-----w- c:\users\nickdoom\appdata\local\{8A1F0941-1D6D-48FF-AEC7-907B152EA413}
    2011-11-29 02:45:34 -------- d-----w- c:\users\nickdoom\appdata\local\{45B9429B-C4C0-4F5A-BBA1-D5DCECC8459A}
    2011-11-25 21:37:47 -------- d-----w- c:\users\nickdoom\appdata\local\{7F33F482-479C-410C-9C04-D9F8EE385E15}
    2011-11-25 21:37:26 -------- d-----w- c:\users\nickdoom\appdata\local\{C314A468-E13B-4841-B273-E9FBF009BFDB}
    2011-11-24 20:54:17 -------- d-----w- c:\users\nickdoom\appdata\local\{D6988338-EFD2-42F6-A055-3D7A0537412F}
    2011-11-24 20:53:55 -------- d-----w- c:\users\nickdoom\appdata\local\{6159DE17-8DB5-4C8F-89A6-B91755BA5D08}
    2011-11-23 22:26:14 388096 ----a-r- c:\users\nickdoom\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-11-23 22:26:12 -------- d-----w- c:\program files\Trend Micro
    2011-11-23 21:44:16 -------- d-----w- c:\users\nickdoom\appdata\local\{5336C1BC-9C19-4A1C-94FD-C3ECED496BAF}
    2011-11-23 21:43:48 -------- d-----w- c:\users\nickdoom\appdata\local\{BF0AB23C-1F04-453F-846C-82DC67AC5E64}
    2011-11-23 03:36:55 -------- d-----w- c:\users\nickdoom\appdata\local\{1F5C8C4F-616B-4FB4-8C01-70605BFC54E7}
    2011-11-23 03:36:30 -------- d-----w- c:\users\nickdoom\appdata\local\{A3F7A96C-AC42-4496-A3F2-7CDC1D3F83CF}
    2011-11-21 04:18:52 -------- d-----w- c:\users\nickdoom\appdata\local\{E2E60203-4E75-46FE-B078-0BF4572A9314}
    2011-11-16 03:18:22 -------- d-----w- c:\users\nickdoom\appdata\local\{5BCE6413-8486-4B10-96F5-2CA76D213EA2}
    2011-11-16 03:17:57 -------- d-----w- c:\users\nickdoom\appdata\local\{0D53AE09-C23A-4C40-B6FF-639D5BF88F67}
    2011-11-14 04:31:10 -------- d-----w- c:\users\nickdoom\appdata\local\adaware
    2011-11-14 04:31:09 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
    2011-11-14 04:31:07 -------- d-----w- c:\program files\Toolbar Cleaner
    2011-11-14 04:30:58 -------- d-----w- c:\program files\adawaretb
    2011-11-13 21:32:43 -------- d-----w- c:\users\nickdoom\appdata\local\{8A8B49EF-BEB2-436A-96C9-DEE877DB9EE9}
    2011-11-13 21:32:22 -------- d-----w- c:\users\nickdoom\appdata\local\{67F8018F-3694-4A6A-94DD-68E52279DC65}
    2011-11-12 22:36:51 -------- d-----w- c:\windows\system32\wbem\framework\root\CPUThermometer
    2011-11-12 22:36:51 -------- d-----w- c:\windows\system32\wbem\framework\root
    2011-11-12 22:36:51 -------- d-----w- c:\windows\system32\wbem\Framework
    2011-11-12 22:32:04 -------- d-----w- c:\users\nickdoom\appdata\local\{92AD70C2-BC8C-402B-864E-54CA1B92450B}
    2011-11-12 22:31:51 -------- d-----w- c:\users\nickdoom\appdata\local\{46736FE3-BE61-45E8-A3CE-E65114767559}
    2011-11-11 04:18:04 -------- d-----w- c:\users\nickdoom\appdata\local\{3C716C91-798B-4DF5-BAA2-71E624E64A0C}
    2011-11-11 04:17:42 -------- d-----w- c:\users\nickdoom\appdata\local\{AB9EEEE9-2447-4CDE-BED9-5002AA419604}
    2011-11-09 00:20:05 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-11-09 00:20:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 00:20:03 707584 ----a-w- c:\program files\common files\system\wab32.dll
    2011-11-06 22:09:09 -------- d-----w- c:\users\nickdoom\appdata\local\{87ACB87B-A773-4E5C-80AC-DC3D3541FF0A}
    2011-11-06 22:08:46 -------- d-----w- c:\users\nickdoom\appdata\local\{C1BEB84B-23E5-42A1-9498-9AD8DA17844A}
    .
    ==================== Find3M ====================
    .
    2011-11-30 00:20:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-03 17:06:56 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-10-22 19:08:28 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 7:28:57.67 ===============




    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 7/22/2008 4:15:19 PM
    System Uptime: 12/5/2011 9:55:10 PM (10 hours ago)
    .
    Motherboard: Dell Inc. | | 0TP406
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | CPU | 2394/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 283 GiB total, 53.049 GiB free.
    D: is FIXED (NTFS) - 15 GiB total, 10.576 GiB free.
    E: is CDROM ()
    G: is CDROM ()
    H: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP874: 12/3/2011 8:26:58 PM - Scheduled Checkpoint
    RP875: 12/4/2011 2:19:11 PM - Removed RIFT
    RP876: 12/4/2011 3:05:39 PM - Device Driver Package Install: McAfee, Inc. Network Service
    RP877: 12/4/2011 3:10:58 PM - Removed Apple Software Update
    RP878: 12/6/2011 1:12:05 AM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Ad-Aware
    Ad-Aware Security Toolbar
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 8.3.1
    AIM 7
    AIM Toolbar
    AOL Mail and AIM Gadget
    AOL Toolbar
    AOL Uninstaller (Choose which Products to Remove)
    Apple Application Support
    Apple Mobile Device Support
    Assassin's Creed
    Audiosurf
    Bonjour
    Browser Address Error Redirector
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center HydraVision Full
    ccc-core-static
    ccc-utility
    CCC Help English
    Compatibility Pack for the 2007 Office system
    D3DX10
    DAEMON Tools Toolbar
    Dead Space 2
    Dead Space™
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Dell Getting Started Guide
    Dell Support Center
    DirectXInstallService
    DNA
    Doom 3
    Download Manager 2.3.10
    Download Updater (AOL LLC)
    Driver Detective
    Driver Sweeper 2.0.5
    Dual-Core Optimizer
    Duke Nukem Forever
    EA Download Manager
    ESET Online Scanner v3
    Google Desktop
    GoToAssist 8.0.0.514
    Half-Life 2
    Hellgate: London
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Matrix Storage Manager
    Intel(R) PRO Network Connections 12.1.12.4
    Java Auto Updater
    Java(TM) 6 Update 29
    Java(TM) 6 Update 5
    LimeWire 5.5.8
    Lineage II
    Linksys Compact Wireless-G USB Adapter Driver - WUSB54GC
    Logitech Gaming Software
    Malwarebytes' Anti-Malware version 1.51.2.1300
    McAfee SecurityCenter
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    Mozilla Firefox (3.6.24)
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Music, Photos & Videos Launcher
    NCsoft Launcher
    NVIDIA 3D Vision Driver 266.58
    NVIDIA Control Panel 266.58
    NVIDIA Graphics Driver 266.58
    NVIDIA Install Application
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.10.0514
    NVIDIA Stereoscopic 3D Driver
    OGA Notifier 2.0.0048.0
    Portal
    Portal 2
    Power Tab Editor 1.7
    Prey
    Product Documentation Launcher
    QuickTime
    RealPlayer
    Roxio Activation Module
    Roxio CinePlayer Decoder Pack
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Premier
    Roxio Creator Premier 10
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio Update Manager
    RTC Client API v1.2
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Segoe UI
    Skins
    StarCraft II
    Steam
    Uninstall AOL Emergency Connect Utility 1.0
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553092)
    Ventrilo Client
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Vuze
    WeatherBug
    Winamp
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    WinRAR archiver
    XPS MiniView Gadget
    Yahoo! Detect
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/5/2011 9:55:38 PM, Error: Service Control Manager [7000] - The SessionLauncher service failed to start due to the following error: The system cannot find the path specified.
    12/4/2011 2:37:04 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    12/4/2011 2:28:55 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    12/4/2011 2:05:20 PM, Error: Service Control Manager [7000] - The WinRing0_1_2_0 service failed to start due to the following error: The system cannot find the file specified.
    12/3/2011 7:27:42 PM, Error: EventLog [6008] - The previous system shutdown at 7:26:42 PM on 12/3/2011 was unexpected.
    12/3/2011 3:48:42 PM, Error: EventLog [6008] - The previous system shutdown at 3:47:15 PM on 12/3/2011 was unexpected.
    .
    ==== End Of File ===========================


    As of right now, I see no apparent symptoms, however the results of the ESET scan do concern me.
     
  13. Larusso

    Larusso Malware Specialist

    Joined:
    Aug 9, 2011
    Messages:
    808
    Hy there,

    (y)


    Open notepad and copy/paste the text in the Code-box below into it:

    Code:
    File::
    C:\Users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\local.ini
    C:\Users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\enemies-names.txt
    
    Folder::
    C:\Users\Nickdoom\AppData\LocalLow\MyWebSearch
    
    • Save this as CFScript.txt, in the same location as ComboFix.exe.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    [​IMG]

    Refering to the picture above, drag CFScript into ComboFix.exe.
    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



    Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    There is a newer version of Adobe Acrobat Reader available.
    • Please go to this link Adobe Acrobat Reader Download Link
    • Untick Free McAfee® Security Scan Plus if you do not wish to include this in the installation.
    • Click Download
    • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts

    When the installation is complete go to Add/Remove Programs and uninstall all previous versions.



    Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):
    Java(TM) 6 Update 5



    I see you have P2P ( peer to peer ) software installed on your machine ( In your case LimeWire ). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    References for the risk of these programs are here , here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.



    Any reasons that you are using an very outdated version of Firefox ? Currently we are at Version 8.0




    Please launch DDS
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop and post both in your next reply



    Please post in your next reply
    Combofix.txt
    dds.txt
    attach.txt
    Note any open issues
     
  14. Nickdoom1

    Nickdoom1 Thread Starter

    Joined:
    Jun 11, 2011
    Messages:
    28
    ComboFix 11-12-08.01 - Nickdoom 12/08/2011 22:21:47.2.4 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1990 [GMT -5:00]
    Running from: c:\users\Nickdoom\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nickdoom\Desktop\CFScript.txt.txt
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\enemies-names.txt"
    "c:\users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\local.ini"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Nickdoom\AppData\LocalLow\MyWebSearch
    c:\users\Nickdoom\AppData\LocalLow\MyWebSearch\bar\setups\mwsautSp.exe
    c:\users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\enemies-names.txt
    c:\users\Nickdoom\AppData\Roaming\20FC2A43AD9758A747082DAD751164BF\local.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-09 03:29 . 2011-12-09 03:29 -------- d-----w- c:\users\Kayla\AppData\Local\temp
    2011-12-09 03:29 . 2011-12-09 03:29 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-06 03:18 . 2011-12-06 03:18 -------- d-----w- c:\program files\ESET
    2011-12-06 03:06 . 2011-12-06 03:06 -------- d-----w- c:\users\Nickdoom\AppData\Roaming\Malwarebytes
    2011-12-06 03:06 . 2011-12-06 03:06 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-06 03:06 . 2011-12-06 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-06 03:06 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-04 20:05 . 2011-04-14 19:01 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
    2011-12-04 20:05 . 2011-04-14 19:01 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-12-04 20:05 . 2011-04-14 19:01 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-12-04 20:05 . 2011-04-14 19:01 64584 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-12-04 20:05 . 2011-04-14 19:01 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-12-04 20:05 . 2011-04-14 19:01 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-12-04 20:05 . 2011-04-14 19:01 165032 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-12-04 20:05 . 2011-12-04 20:06 -------- d-----w- c:\program files\Common Files\Mcafee
    2011-12-04 20:05 . 2011-12-06 02:55 -------- d-----w- c:\program files\McAfee
    2011-12-04 20:01 . 2011-03-13 16:45 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2011-12-03 20:07 . 2011-12-03 20:07 100864 ----a-w- C:\kxtdqpoc.sys
    2011-11-26 22:44 . 2011-11-26 22:47 -------- d-----w- c:\users\Kayla\AppData\Local\adaware
    2011-11-23 22:26 . 2011-11-23 22:26 388096 ----a-r- c:\users\Nickdoom\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-11-23 22:26 . 2011-11-23 22:26 -------- d-----w- c:\program files\Trend Micro
    2011-11-14 04:31 . 2011-11-14 04:31 -------- d-----w- c:\users\Nickdoom\AppData\Local\adaware
    2011-11-14 04:31 . 2011-12-09 00:33 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
    2011-11-14 04:31 . 2011-11-14 04:31 -------- d-----w- c:\program files\Toolbar Cleaner
    2011-11-14 04:30 . 2011-11-14 04:31 -------- d-----w- c:\program files\adawaretb
    2011-11-12 22:36 . 2011-11-12 22:36 -------- d-----w- c:\windows\system32\wbem\Framework
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-30 00:20 . 2011-05-19 23:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-03 17:06 . 2011-10-22 19:07 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-10-22 19:08 . 2011-10-22 21:16 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-10-03 10:06 . 2010-07-14 02:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-09-20 21:02 . 2011-11-09 00:20 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-04-14 19:01 . 2011-12-04 20:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440]
    .
    [HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
    "BitTorrent DNA"="c:\users\Nickdoom\Program Files\DNA\btdna.exe" [2009-10-15 323392]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-07-09 36352]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-12 405504]
    "HostManager"="c:\program files\Common Files\AOL\1279125156\ee\AOLSoftware.exe" [2010-03-08 41800]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-24 1195408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-07-23 00:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    2009-02-06 18:17 3325952 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2008-07-23 00:27 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2011-05-13 20:03 4283256 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-07-31 01:29 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-04 172032]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-04-14 56064]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - Lavasoft Kernexplorer
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.aol.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53
    FF - ProfilePath - c:\users\Nickdoom\AppData\Roaming\Mozilla\Firefox\Profiles\yhf39qsn.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ff-aolTB50CL-ab-en-us&query=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-08 22:29
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2454977157-4142654921-3647568439-1000\Software\SecuROM\License information*]
    "datasecu"=hex:c0,60,e6,2f,d6,16,71,cf,08,16,92,50,2d,ee,cb,46,21,30,fc,6c,e6,
    8c,df,a3,ff,56,f6,ac,af,2f,4c,0d,4a,2f,b6,e7,23,2b,f7,6a,50,c2,20,40,14,37,\
    "rkeysecu"=hex:d1,20,b1,b2,fe,e0,da,38,ae,4c,62,7c,8c,f3,ec,a8
    .
    Completion time: 2011-12-08 22:31:35
    ComboFix-quarantined-files.txt 2011-12-09 03:31
    ComboFix2.txt 2011-12-04 19:39
    .
    Pre-Run: 76,963,323,904 bytes free
    Post-Run: 76,332,843,008 bytes free
    .
    - - End Of File - - DF35113AAF82BA8A3E76CC7D7A69EB5D


    I ran DDS multiple times but it doesn't seem to be opening any log.
    As for limewire, it's something i used seldom and havn't touched in over a year. I was actually surprised I even had it still installed.
     
  15. Larusso

    Larusso Malware Specialist

    Joined:
    Aug 9, 2011
    Messages:
    808
    Try to delete the current Version of DDS and download a new one from here
    here or here or here.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1028323