I had the infamous Windows Security Center virus that's been going around, after a Malwarebytes and spybot scan I got rid of the program, but now I still have some lingering viruses that seem completely impossible to remove.
I believe one is a .sys file in my windows/system32/drivers/ folder, possibly caused by Rootkit.Agent.
Any help is immensely appreciated, I'll attach a hijack this log, followed by a Combofix log here.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:12:24, on 4/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://c:\program files\BitComet\bitcomet .exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://c:\program files\BitComet\bitcomet .exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØ - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9cfcb98311892) (gupdate1c9cfcb98311892) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 5818 bytes
--------------------------------------
ComboFix 10-04-07.01 - Spen 04/07/2010 20:30:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1504 [GMT -7:00]
Running from: c:\documents and settings\Spen\Desktop\commy.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\install.rdf
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\chrome.manifest
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\chrome\content\_cfg.js
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\chrome\content\overlay.xul
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\install.rdf
c:\windows\system32\_VOIDberfndeixm.log
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\winlogon.bak
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:51 . 2010-04-07 09:02 -------- d-----w- c:\documents and settings\Spen\Local Settings\Application Data\AskToolbar
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-06 06:17 . 2010-04-07 09:01 120 ----a-w- c:\windows\Igucur.dat
2010-04-06 06:17 . 2010-04-07 09:01 0 ----a-w- c:\windows\Qgivodexadapeq.bin
2010-04-06 06:15 . 2010-04-06 06:24 201728 --sha-w- c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll
2010-04-06 06:08 . 2010-04-07 03:26 -------- d-sh--w- c:\documents and settings\Administrator\.COMMgr
2010-04-06 06:08 . 2010-04-08 03:43 823808 ----a-w- c:\windows\system32\drivers\zwhlwd.sys
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-06 06:08 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-07 19:31 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-20 18:22 . 2010-03-21 23:01 -------- d-----w- c:\program files\Ask.com
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-03-29 02:37 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 03:25 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-08 03:07 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 12:48 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:24 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:39 . 2009-03-28 21:08 17864 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-03 07:40 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-09 01:37 . 2009-07-28 06:58 17864 ----a-w- c:\documents and settings\Alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
------- Sigcheck -------
[-] 2009-01-13 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet .exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 02:56 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 ----a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hf8wefhuaihf8ewfydiujhfdsfdf]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\m27f2z3pza.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\avp32.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mplay32xe.exe]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\mplay32xe.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\program files\Messenger\msmsgs.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-27 00:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
c:\program files\Winamp Remote\bin\OrbTray.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]
S0 anvjhxi;anvjhxi;c:\windows\system32\drivers\mcou.sys --> c:\windows\system32\drivers\mcou.sys [?]
S0 kmtex;kmtex;c:\windows\system32\drivers\docmkg.sys --> c:\windows\system32\drivers\docmkg.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
--- Other Services/Drivers In Memory ---
*Deregistered* - zwhlwd
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
2010-04-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]
2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
2010-04-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 23:50]
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\bitcomet .exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\bitcomet .exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: ʹÓÃѸÀ×ÏÂÔØ - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin7.dll
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-KLiteCodecPack_is1 - g:\programs\K-Lite Codec Pack\unins000.exe
AddRemove-uTorrent - g:\program files\uTorrent\uTorrent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 20:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A896AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bfc3
\Driver\ACPI -> ACPI.sys @ 0xf7496cb8
\Driver\atapi -> 0x8ab5a1f8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d75
ParseProcedure -> ntoskrnl.exe @ 0x8057950b
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d75
ParseProcedure -> ntoskrnl.exe @ 0x8057950b
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba57fba0
PacketIndicateHandler -> NDIS.sys @ 0xba58cb21
SendHandler -> NDIS.sys @ 0xba56a87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zwhlwd]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1456)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-07 20:46:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-08 03:46
Pre-Run: 2,381,766,656 bytes free
Post-Run: 6,554,066,944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 700EC4A17B6344AE34C1097B7DB7B7D0
I believe one is a .sys file in my windows/system32/drivers/ folder, possibly caused by Rootkit.Agent.
Any help is immensely appreciated, I'll attach a hijack this log, followed by a Combofix log here.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:12:24, on 4/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://c:\program files\BitComet\bitcomet .exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://c:\program files\BitComet\bitcomet .exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØ - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9cfcb98311892) (gupdate1c9cfcb98311892) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
--
End of file - 5818 bytes
--------------------------------------
ComboFix 10-04-07.01 - Spen 04/07/2010 20:30:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1504 [GMT -7:00]
Running from: c:\documents and settings\Spen\Desktop\commy.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\install.rdf
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\chrome.manifest
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\chrome\content\_cfg.js
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\chrome\content\overlay.xul
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\install.rdf
c:\windows\system32\_VOIDberfndeixm.log
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\winlogon.bak
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:51 . 2010-04-07 09:02 -------- d-----w- c:\documents and settings\Spen\Local Settings\Application Data\AskToolbar
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-06 06:17 . 2010-04-07 09:01 120 ----a-w- c:\windows\Igucur.dat
2010-04-06 06:17 . 2010-04-07 09:01 0 ----a-w- c:\windows\Qgivodexadapeq.bin
2010-04-06 06:15 . 2010-04-06 06:24 201728 --sha-w- c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll
2010-04-06 06:08 . 2010-04-07 03:26 -------- d-sh--w- c:\documents and settings\Administrator\.COMMgr
2010-04-06 06:08 . 2010-04-08 03:43 823808 ----a-w- c:\windows\system32\drivers\zwhlwd.sys
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-06 06:08 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-07 19:31 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-20 18:22 . 2010-03-21 23:01 -------- d-----w- c:\program files\Ask.com
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-03-29 02:37 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 03:25 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-08 03:07 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 12:48 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:24 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:39 . 2009-03-28 21:08 17864 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-03 07:40 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-09 01:37 . 2009-07-28 06:58 17864 ----a-w- c:\documents and settings\Alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
Code:
<pre>
c:\program files\ATI\ATICustomerCare\aticustomercare .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
c:\program files\Avira\AntiVir Desktop\avgnt .exe
c:\program files\BitComet\bitcomet .exe
c:\program files\CheckPoint\ZAForceField\forcefield .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Winamp Remote\bin\orbtray .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Zone Labs\ZoneAlarm\zlclient .exe
</pre>
------- Sigcheck -------
[-] 2009-01-13 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet .exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 02:56 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 ----a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hf8wefhuaihf8ewfydiujhfdsfdf]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\m27f2z3pza.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\avp32.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mplay32xe.exe]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\mplay32xe.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\program files\Messenger\msmsgs.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-27 00:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
c:\program files\Winamp Remote\bin\OrbTray.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]
S0 anvjhxi;anvjhxi;c:\windows\system32\drivers\mcou.sys --> c:\windows\system32\drivers\mcou.sys [?]
S0 kmtex;kmtex;c:\windows\system32\drivers\docmkg.sys --> c:\windows\system32\drivers\docmkg.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
--- Other Services/Drivers In Memory ---
*Deregistered* - zwhlwd
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
2010-04-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]
2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
2010-04-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 23:50]
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\bitcomet .exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\bitcomet .exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: ʹÓÃѸÀ×ÏÂÔØ - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin7.dll
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-KLiteCodecPack_is1 - g:\programs\K-Lite Codec Pack\unins000.exe
AddRemove-uTorrent - g:\program files\uTorrent\uTorrent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 20:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A896AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bfc3
\Driver\ACPI -> ACPI.sys @ 0xf7496cb8
\Driver\atapi -> 0x8ab5a1f8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d75
ParseProcedure -> ntoskrnl.exe @ 0x8057950b
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d75
ParseProcedure -> ntoskrnl.exe @ 0x8057950b
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba57fba0
PacketIndicateHandler -> NDIS.sys @ 0xba58cb21
SendHandler -> NDIS.sys @ 0xba56a87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zwhlwd]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1456)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-07 20:46:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-08 03:46
Pre-Run: 2,381,766,656 bytes free
Post-Run: 6,554,066,944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 700EC4A17B6344AE34C1097B7DB7B7D0