
TR/Spy.Ursnif.1 found in Avira. Need help ASAP.

Discussion in 'Virus & Other Malware Removal' started by BillHates, Apr 20, 2010.

Thread Status:
Not open for further replies.
  1. BillHates

    BillHates Thread Starter

    Joined:
    Aug 25, 2002
    Messages:
    275
    Just did a scan, but this was a hidden files scan (the scan before an actual scan). It came up that all my important exe/processes (such as explorer.exe and the exe for my malware/anti-virus) were infected with TR/Spy.Ursnif.1 according to Avira Anti-Virus Free Edition. I aborted the scan because I didn't want to remove anything I shouldn't.

    Here's my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:05:22 AM, on 4/20/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    D:\WINDOWS\system32\ezSP_Px.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    D:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NETGEAR\WAG511 Configuration Utility\wlancfgu.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\CyberLink\Shared files\RichVideo.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Viewpoint\Common\ViewpointService.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    D:\Program Files\Avira\AntiVir Desktop\sched.exe
    D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    D:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    D:\WINDOWS\system32\dllhost.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unippm.co.uk/launchpage/UK/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - D:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - D:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [ezShieldProtector for Px] D:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: NETGEAR WG511U Smart Wizard.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - D:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{219E736C-DB38-4F20-94B3-4FE7D1292565}: NameServer = 192.168.0.1
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - D:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - D:\Program Files\Java\jre6\bin\jqs.exe" -service -config "D:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe
     
  2. BillHates

    BillHates Thread Starter

    Joined:
    Aug 25, 2002
    Messages:
    275
    Here's my combofix log...

    ComboFix 10-04-19.08 - Administrator 04/20/2010 15:55:30.2.1 - x86
    Running from: d:\documents and settings\Administrator\Desktop\ComboFix2.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Panda Antivirus Platinum 7 *On-access scanning disabled* (Updated) {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
    FW: Panda Antivirus Platinum 7 *disabled* {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
    .
    ADS - WINDOWS: deleted 24 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\resycled
    d:\documents and settings\Administrator\Application Data\Desktopicon
    d:\documents and settings\Administrator\Application Data\Desktopicon\eBay.ico
    d:\documents and settings\Administrator\Application Data\Desktopicon\uninst.exe
    d:\documents and settings\Administrator\Application Data\inst.exe
    d:\documents and settings\Administrator\Local Settings\Application Data\{EF514165-474B-4089-B612-E9A6C5C1A437}
    d:\documents and settings\Administrator\Local Settings\Application Data\{EF514165-474B-4089-B612-E9A6C5C1A437}\chrome.manifest
    d:\documents and settings\Administrator\Local Settings\Application Data\{EF514165-474B-4089-B612-E9A6C5C1A437}\chrome\content\_cfg.js
    d:\documents and settings\Administrator\Local Settings\Application Data\{EF514165-474B-4089-B612-E9A6C5C1A437}\chrome\content\overlay.xul
    d:\documents and settings\Administrator\Local Settings\Application Data\{EF514165-474B-4089-B612-E9A6C5C1A437}\install.rdf
    d:\recycler\S-1-5-21-1089850864-4006996682-2065273338-1005
    d:\recycler\S-1-5-21-343818398-507921405-1957994488-1003
    d:\windows\system32\dumphive.exe
    d:\windows\system32\Process.exe
    d:\windows\system32\SrchSTS.exe
    d:\windows\system32\tmp.reg
    d:\windows\system32\VCCLSID.exe
    d:\windows\system32\WS2Fix.exe

    d:\windows\system32\msgsvc.dll . . . is infected!!

    d:\windows\system32\calc.exe . . . is infected!!

    d:\windows\system32\mmc.exe . . . is infected!!

    d:\windows\system32\mstsc.exe . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
    .

    2010-04-20 22:30 . 2010-04-20 22:31 -------- d-----w- D:\32788R22FWJFW
    2010-04-18 19:41 . 2010-04-13 00:29 411368 ----a-w- d:\windows\system32\deployJava1.dll
    2010-04-18 16:51 . 2010-03-30 07:46 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-18 16:49 . 2010-03-30 07:45 20824 ----a-w- d:\windows\system32\drivers\mbam.sys
    2010-04-18 16:49 . 2010-04-18 16:51 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
    2010-04-12 23:58 . 2010-04-12 23:58 0 ----a-w- d:\windows\Hxeheyegu.bin
    2010-04-12 23:58 . 2010-04-12 23:58 120 ----a-w- d:\windows\Rbebumamumu.dat
    2010-04-07 14:00 . 2010-04-07 14:00 -------- d-----w- d:\program files\iPod
    2010-04-07 14:00 . 2010-04-07 14:02 -------- d-----w- d:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-04-07 13:51 . 2010-04-07 13:52 -------- d-----w- d:\program files\QuickTime
    2010-04-07 13:40 . 2010-04-07 13:40 -------- d-----w- d:\program files\Bonjour
    2010-03-31 21:40 . 2010-03-31 21:40 -------- d-----w- d:\documents and settings\Administrator\Application Data\Avira

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-19 19:23 . 2009-09-24 03:14 -------- d-----w- d:\documents and settings\All Users\Application Data\Soulseek
    2010-04-18 19:52 . 2006-06-01 12:41 -------- d-----w- d:\program files\Java
    2010-04-18 19:03 . 2006-06-01 12:40 -------- d-----w- d:\program files\Common Files\Java
    2010-04-11 13:17 . 2009-02-01 19:00 181096 ----a-w- d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pw3m95nh.default\FlashGot.exe
    2010-04-07 14:02 . 2010-02-07 19:13 -------- d-----w- d:\program files\iTunes
    2010-04-07 14:00 . 2007-11-22 05:57 -------- d-----w- d:\program files\Common Files\Apple
    2010-04-07 13:47 . 2006-11-05 03:57 -------- d-----w- d:\program files\Apple Software Update
    2010-04-06 23:15 . 2010-03-06 00:21 -------- d-----w- d:\documents and settings\Administrator\Application Data\dvdcss
    2010-04-06 23:13 . 2006-06-01 11:51 -------- d-----w- d:\documents and settings\All Users\Application Data\DVD Shrink
    2010-03-30 23:35 . 2008-01-31 07:58 -------- d-----w- d:\documents and settings\Administrator\Application Data\Vso
    2010-03-30 23:34 . 2008-01-31 07:58 47360 ----a-w- d:\windows\system32\drivers\pcouffin.sys
    2010-03-30 23:34 . 2008-01-31 07:58 47360 ----a-w- d:\documents and settings\Administrator\Application Data\pcouffin.sys
    2010-03-30 23:34 . 2008-01-31 07:58 47360 ----a-w- d:\documents and settings\Administrator\Application Data\pcouffin.sys
    2010-03-30 23:34 . 2010-03-12 14:26 -------- d-----w- d:\program files\DVDFab 7
    2010-03-26 08:48 . 2010-03-26 08:48 73000 ----a-w- d:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
    2010-03-26 04:49 . 2010-04-16 13:11 66048 ----a-w- d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pw3m95nh.default\extensions\[email protected]\platform\WINNT\components\nsTwitterFoxSign.dll
    2010-03-21 05:15 . 2010-02-15 06:48 -------- d-----w- d:\program files\Debugging Tools for Windows (x86)
    2010-03-13 13:53 . 2006-04-04 06:00 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-13 13:47 . 2009-08-05 09:44 -------- d-----w- d:\program files\Spybot - Search & Destroy
    2010-03-07 00:22 . 2010-03-07 00:22 -------- d-----w- d:\program files\Xilisoft
    2010-03-06 01:09 . 2009-09-03 09:50 -------- d-----w- d:\program files\Google
    2010-03-01 16:05 . 2010-02-15 09:55 124784 ----a-w- d:\windows\system32\drivers\avipbb.sys
    2010-02-27 21:19 . 2010-02-27 21:19 -------- d-----w- d:\program files\Aimersoft
    2010-02-23 21:44 . 2009-08-08 00:34 -------- d-----w- d:\program files\Microsoft Silverlight
    2010-02-22 12:05 . 2010-02-22 12:05 -------- d-----w- d:\program files\Common Files\Windows Live
    2010-02-16 20:24 . 2010-02-15 09:55 60936 ----a-w- d:\windows\system32\drivers\avgntflt.sys
    2010-02-15 09:25 . 2009-02-28 14:20 0 ----a-w- d:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
    2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- d:\windows\system32\dnssd.dll
    2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- d:\windows\system32\dns-sd.exe
    2006-05-06 16:42 . 2006-11-06 02:22 7260160 ----a-w- d:\program files\mozilla firefox\plugins\libvlc.dll
    2007-11-22 09:26 . 2007-11-22 09:04 72 --sh--w- d:\windows\S523CC2AB.tmp
    2008-08-31 13:09 . 2008-08-31 13:09 56 --sh--r- d:\windows\system32\F8B1240F38.sys
    2008-08-31 13:09 . 2008-08-31 13:09 1682 --sha-w- d:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ezShieldProtector for Px"="d:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
    "avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "Malwarebytes' Anti-Malware"="d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="d:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]

    d:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WG511U Smart Wizard.lnk - c:\program files\NETGEAR\WAG511 Configuration Utility\wlancfgu.exe [2006-4-4 503870]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    @=""

    [HKLM\~\startupfolder\D:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=d:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=d:\windows\pss\Adobe Gamma.lnkStartup

    [HKLM\~\startupfolder\D:^Documents and Settings^Administrator^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
    path=d:\documents and settings\Administrator\Start Menu\Programs\Startup\FrostWire On Startup.lnk
    backup=d:\windows\pss\FrostWire On Startup.lnkStartup

    [HKLM\~\startupfolder\D:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
    path=d:\documents and settings\Administrator\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
    backup=d:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=d:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    d:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 09:04 39792 ----a-w- d:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-14 14:58 611712 ----a-w- d:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-03-17 04:58 47392 ----a-w- d:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
    2003-06-13 21:48 28672 ----a-w- d:\windows\system32\Ati2mdxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2002-12-31 12:00 15360 ----a-w- d:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
    2002-08-20 17:29 40960 ----a-w- d:\windows\system32\ezSP_Px.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2008-03-26 04:27 49152 ----a-w- d:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2008-03-13 16:34 81920 ----a-w- d:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-03-26 08:10 142120 ----a-w- d:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
    2007-02-08 00:21 54832 ----a-w- d:\program files\CyberLink\PowerDVD\Language\Language.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
    2008-12-20 14:50 2656528 ----a-w- d:\program files\Logitech\QuickCam\Quickcam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M2SAtualiza]
    2008-04-25 04:49 90112 ----a-w- d:\program files\M2S\Instalação M2S\M2SAtualiza.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
    2009-10-13 00:51 692321 ----a-w- c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2001-07-09 18:50 155648 ----a-w- d:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 18:50 155648 ----a-w- d:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 04:53 421888 ----a-w- d:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2007-02-08 00:24 71216 ------w- d:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-01-27 07:36 185896 ----a-w- d:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
    2009-10-26 07:33 15872 ----a-w- d:\program files\Unlocker\UnlockerAssistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05 204288 ------w- d:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "d:\\Program Files\\SoulseekNS\\slsk.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "427:UDP"= 427:UDP:SLP_Port(427)
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R1 vcdrom;Virtual CD-ROM Device Driver;d:\windows\system32\drivers\VCdRom.sys [12/19/2001 11:45 AM 8576]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [2/15/2010 2:55 AM 135336]
    R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/18/2010 9:51 AM 303952]
    R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;d:\windows\system32\DNINDIS5.sys [4/4/2006 12:29 AM 17149]
    R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [4/18/2010 9:49 AM 20824]
    R3 wg51und5;NETGEAR WG511U Wireless Network Adapter Service;d:\windows\system32\drivers\wg51und5.sys [4/4/2006 12:29 AM 397152]
    S0 ntcdrdrv;ntcdrdrv;d:\windows\system32\DRIVERS\ntcdrdrv.sys --> d:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
    S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [9/3/2009 2:50 AM 133104]
    S3 AWINDIS5;AWINDIS5 Protocol Driver;d:\windows\system32\AWINDIS5.SYS [4/14/2009 9:05 PM 16194]
    S3 DCamUSBSony4;Sony Visual Communication Camera;d:\windows\system32\drivers\snyucam4.sys [6/1/2006 3:54 AM 424127]
    S3 DCamUSBSonyA4;Sony USB Microphone;d:\windows\system32\drivers\snyuflt4.sys [6/1/2006 3:54 AM 6019]
    S3 NUVision;NUVision Video Service;d:\windows\system32\drivers\NUVision.sys [6/27/2006 8:37 PM 135424]
    S4 Rdp139pefxa;Rdp139pefxa; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-07 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-04-20 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - d:\program files\Google\Update\GoogleUpdate.exe [2009-09-03 09:50]

    2010-04-20 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - d:\program files\Google\Update\GoogleUpdate.exe [2009-09-03 09:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.unippm.co.uk/launchpage/UK/
    uInternet Settings,ProxyOverride = *.local
    IE: Customize Menu
    IE: Fill Forms
    IE: RoboForm Toolbar
    IE: Save Forms
    TCP: {219E736C-DB38-4F20-94B3-4FE7D1292565} = 192.168.0.1
    DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pw3m95nh.default\
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - component: d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pw3m95nh.default\extensions\[email protected]\platform\WINNT\components\nsTwitterFoxSign.dll
    FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
    FF - plugin: d:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npmeadax.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npmnqmp07030901.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: d:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - d:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-AnyDVD - d:\program files\SlySoft\AnyDVD\AnyDVD.exe
    MSConfigStartUp-avast! - d:\progra~1\ALWILS~1\Avast4\ashDisp.exe
    MSConfigStartUp-AVG8_TRAY - d:\progra~1\AVG\AVG8\avgtray.exe
    MSConfigStartUp-LogitechCommunicationsManager - d:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    MSConfigStartUp-MSMSGS - d:\program files\Messenger\msmsgs.exe
    MSConfigStartUp-NBKeyScan - d:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    MSConfigStartUp-NoteBurner - d:\program files\NoteBurner\VTBurnerGUI.exe
    MSConfigStartUp-Performance Center - d:\program files\Ascentive\Performance Center\APCMain.exe
    MSConfigStartUp-SunJavaUpdateSched - d:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-Veoh - d:\program files\Veoh Networks\Veoh\VeohClient.exe
    AddRemove-eBay Icon - d:\documents and settings\Administrator\Application Data\Desktopicon\uninst.exe
    AddRemove-HijackThis - d:\docume~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-20 16:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
    "ImagePath"="\??\d:\program files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    "Version"=hex:38,bc,0a,91,92,24,4d,38,fb,a6,91,19,21,93,73,22,fe,b0,ba,a8,1d,
    6d,33,97,0e,98,a8,ed,a1,70,4b,cd,fd,d1,b7,4a,9d,df,cc,d0,b1,ad,b6,97,32,70,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\*–€|ÿÿÿÿ;•€|é•A~*]
    "AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

    [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
    "Version"=hex:38,bc,0a,91,92,24,4d,38,fb,a6,91,19,21,93,73,22,fe,b0,ba,a8,1d,
    6d,33,97,0e,98,a8,ed,a1,70,4b,cd,fd,d1,b7,4a,9d,df,cc,d0,b1,ad,b6,97,32,70,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4292)
    d:\windows\TEMP\logishrd\LVPrcInj01.dll
    d:\windows\system32\WPDShServiceObj.dll
    d:\windows\system32\PortableDeviceTypes.dll
    d:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    d:\windows\system32\Ati2evxx.exe
    d:\program files\Avira\AntiVir Desktop\avguard.exe
    d:\program files\Avira\AntiVir Desktop\avshadow.exe
    d:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    d:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    d:\program files\Bonjour\mDNSResponder.exe
    d:\program files\Java\jre6\bin\jqs.exe
    d:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    d:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    d:\program files\CyberLink\Shared files\RichVideo.exe
    d:\program files\Viewpoint\Common\ViewpointService.exe
    d:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-20 16:53:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-20 23:52

    Pre-Run: 11,401,095,680 bytes free
    Post-Run: 13,851,741,696 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

    - - End Of File - - A9E0653463A54D3B724A312E0F8855B6
     
Short URL to this thread: https://techguy.org/918081
