WiredWX Hobby Weather Tools

 


Fake Windows Security Virus removed, caused more rootkits and problems.


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-09 21:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-09 21:44:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 04:44
ComboFix2.txt 2010-04-08 03:47

Pre-Run: 5,110,607,872 bytes free
Post-Run: 5,128,454,144 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 420B6FA475D27DFEC7098CF5EE0D231B

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Thanks again for helping me out.
I am dying to install my copy of Windows 7, but I don't feel safe entering the product key while my computer is infected.

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

You cut out a lot of that ComboFix log. Luckily I caught the first part before it was cut, otherwise an important infection would not be removed.

-=-

I see you are running P2P applications: BitTorrent, uTorrent, and LimeWire. I suggest reading the following and then deciding whether you want to keep them or not: http://www.helpmyos.com/learn-security-f40/p2p-programs-t1102.htm

-=-

You are using Ask Toolbar. I suggest removing it, as it tracks user habits on its search engine. But that choice is up to you.

-=-

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

-=-

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs and other holes. To update it now, click Help > Check for Updates.

-=-

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    File::
    c:\windows\Igucur.dat
    c:\windows\Qgivodexadapeq.bin
    c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll
    c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\m27f2z3pza.exe
    c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\avp32.exe
    c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\mplay32xe.exe

    RenV::
    c:\program files\ATI\ATICustomerCare\aticustomercare .exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
    c:\program files\Avira\AntiVir Desktop\avgnt .exe
    c:\program files\BitComet\bitcomet .exe
    c:\program files\CheckPoint\ZAForceField\forcefield .exe
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\Winamp Remote\bin\orbtray .exe
    c:\program files\Windows Live\Messenger\msnmsgr .exe
    c:\program files\Zone Labs\ZoneAlarm\zlclient .exe
    c:\program files\Windows Live\Messenger\msnmsgr .exe

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hf8wefhuaihf8ewfydiujhfdsfdf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mplay32xe.exe]

    Driver::
    kmtex
    anvjhxi

    Rootkit::
    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: 2v3rg44]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
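As an added example (not part of this thread and not ComboFix's own code), here is a small Python script that scans ComboFix-style log lines for the patterns the script above is cleaning up: program names with a space inserted before `.exe` (the renaming the `RenV::` directive reverses), executables launching from a user's Temp folder (like the `avp32.exe` / `mplay32xe.exe` entries under `File::`), and a hidden+system DLL dropped under Application Data (like the `2269221376.dll` entry). The sample log lines are constructed from entries in this thread, and the rule names are my own.

```python
import re

# Constructed sample lines in ComboFix's log layout, modelled on entries
# from this thread (not a real log; sizes and dates are illustrative).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-27 3883856]
"mplay32xe"="c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\mplay32xe.exe" [2010-04-06 201728]
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
c:\program files\BitComet\bitcomet  .exe [N/A]
""".strip()

# One or more spaces inserted before ".exe" in a program's filename:
# this is the renaming that ComboFix's RenV:: directive puts back.
SPACED_EXE = re.compile(r'\S +\.exe\b', re.IGNORECASE)

# An executable that lives in a user's Temp folder.
TEMP_EXE = re.compile(r'\\Local Settings\\Temp\\[^\\\s"]+\.exe\b', re.IGNORECASE)

# "Files Created" / "Find3M" line layout: created . modified size attrs path
# attrs is an 8-character field such as "--sha-w-" (s = system, h = hidden).
CREATED_LINE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S{8}) (.+)$'
)


def classify_line(line):
    """Return the list of rule names that fire on one log line."""
    findings = []
    if SPACED_EXE.search(line):
        findings.append('space-before-exe')
    if TEMP_EXE.search(line):
        findings.append('exe-in-temp')
    match = CREATED_LINE.match(line)
    if match:
        _size, attrs, path = match.groups()
        lowered = path.lower()
        # A system+hidden DLL sitting under a user's Application Data is
        # not where normal software keeps its libraries.
        if ('s' in attrs and 'h' in attrs
                and lowered.endswith('.dll')
                and 'application data' in lowered):
            findings.append('hidden-system-dll-in-appdata')
    return findings


def scan_log(text):
    """Scan a whole ComboFix-style log; return {rule name: [matching lines]}."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        for rule in classify_line(line):
            report.setdefault(rule, []).append(line)
    return report


if __name__ == '__main__':
    for rule, lines in scan_log(SAMPLE_LOG).items():
        print(rule)
        for entry in lines:
            print('   ', entry)
```

Run it against a saved C:\ComboFix.txt by passing the file's contents to `scan_log`; the hits are a starting point for the `File::`, `RenV::` and `Registry::` lists, not a verdict on their own.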

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

I must apologize for that.
I was having a lot of trouble fitting the entire log; is there any way I can send you the file? Anyway...

ComboFix 10-04-10.02 - Spen 04/10/2010 22:51:55.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1429 [GMT -7:00]
Running from: c:\documents and settings\Spen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Spen\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll"
"c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\avp32.exe"
"c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\m27f2z3pza.exe"
"c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\mplay32xe.exe"
"c:\windows\Igucur.dat"
"c:\windows\Qgivodexadapeq.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll
c:\windows\Igucur.dat
c:\windows\Qgivodexadapeq.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_anvjhxi
-------\Service_kmtex


((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-10 04:36 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-10 04:36 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 04:30 . 2010-04-10 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 19:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-08 19:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-04-08 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-08 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-04-08 19:22 . 2010-04-08 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\system32\scripting
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\l2schemas
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\en
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\bits
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 11:08 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 11:08 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 11:08 . 2010-04-09 14:43 -------- d-----w- c:\windows\ie8updates
2010-04-08 11:08 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 11:05 . 2010-04-08 11:05 -------- d-----w- c:\documents and settings\Spen\Pavark
2010-04-08 11:05 . 2010-04-08 11:08 -------- dc-h--w- c:\windows\ie8
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
2010-04-08 06:28 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-08 06:23 . 2010-04-08 19:14 -------- d-----w- c:\windows\ServicePackFiles
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 06:17 . 2004-08-04 05:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-04-08 06:14 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-04-08 06:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-08 06:14 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-08 06:14 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-08 06:13 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-11 05:51 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-07 19:31 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-04-10 08:50 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 05:59 . 2009-03-30 08:26 -------- d-----w- c:\documents and settings\Spen\Application Data\uTorrent
2010-04-11 05:46 . 2009-04-23 07:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 05:43 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-11 05:42 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-10 05:27 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-09 04:31 . 2009-11-11 08:03 -------- d-----w- c:\documents and settings\Spen\Application Data\vlc
2010-04-09 01:24 . 2009-05-18 21:19 1 ----a-w- c:\documents and settings\Spen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-08 19:34 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-08 19:26 . 2009-03-28 21:08 18640 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 19:18 . 2008-10-30 06:07 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-08 06:33 . 2009-12-11 04:29 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-08 04:32 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2004-08-04 02:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

Code:
    c:\program files\BitComet\bitcomet  .exe
    c:\program files\QuickTime\qttask  .exe
    c:\program files\Windows Live\Messenger\msnmsgr  .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-27 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-15 01:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\aticustomercare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 -c--a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-04-01 01:54 507904 -c--a-w- c:\program files\Winamp Remote\bin\orbtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-03 06:26 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-08 10:55 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: 使用迅雷下载 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 22:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(3748)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-10 23:02:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 06:02
ComboFix2.txt 2010-04-10 04:44
ComboFix3.txt 2010-04-08 03:47

Pre-Run: 5,141,135,360 bytes free
Post-Run: 5,123,846,144 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 907219E867BD6A96A3E30E6DEF6693DD

Re: Fake Windows Security Virus removed, caused more rootkits and problems.
Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:

    Code:

    killall::

    RenV::
    c:\program files\BitComet\bitcomet  .exe
    c:\program files\QuickTime\qttask  .exe
    c:\program files\Windows Live\Messenger\msnmsgr  .exe

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

Re: Fake Windows Security Virus removed, caused more rootkits and problems.
ComboFix 10-04-10.02 - Spen 04/11/2010 3:53.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1581 [GMT -7:00]
Running from: c:\documents and settings\Spen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Spen\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-10 04:36 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-10 04:36 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 04:30 . 2010-04-10 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 19:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-08 19:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-04-08 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-08 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-04-08 19:22 . 2010-04-08 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\system32\scripting
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\l2schemas
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\en
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\bits
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 11:08 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 11:08 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 11:08 . 2010-04-09 14:43 -------- d-----w- c:\windows\ie8updates
2010-04-08 11:08 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 11:05 . 2010-04-08 11:05 -------- d-----w- c:\documents and settings\Spen\Pavark
2010-04-08 11:05 . 2010-04-08 11:08 -------- dc-h--w- c:\windows\ie8
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
2010-04-08 06:28 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-08 06:23 . 2010-04-08 19:14 -------- d-----w- c:\windows\ServicePackFiles
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 06:17 . 2004-08-04 05:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-04-08 06:14 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-04-08 06:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-08 06:14 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-08 06:14 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-08 06:13 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-11 05:51 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-11 10:53 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-04-10 08:50 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 11:01 . 2009-03-30 08:26 -------- d-----w- c:\documents and settings\Spen\Application Data\uTorrent
2010-04-11 06:28 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-11 05:46 . 2009-04-23 07:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 05:43 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-11 05:42 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-09 04:31 . 2009-11-11 08:03 -------- d-----w- c:\documents and settings\Spen\Application Data\vlc
2010-04-09 01:24 . 2009-05-18 21:19 1 ----a-w- c:\documents and settings\Spen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-08 19:34 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-08 19:26 . 2009-03-28 21:08 18640 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 19:18 . 2008-10-30 06:07 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-08 06:33 . 2009-12-11 04:29 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-08 04:32 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2004-08-04 02:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

Code:

    c:\program files\BitComet\bitcomet  .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-15 01:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\aticustomercare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 -c--a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-04-01 01:54 507904 -c--a-w- c:\program files\Winamp Remote\bin\orbtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-03 06:26 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-08 10:55 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: 使用迅雷下载 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.igoogle.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 04:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(1120)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-11 04:04:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 11:04
ComboFix2.txt 2010-04-11 06:02
ComboFix3.txt 2010-04-10 04:44
ComboFix4.txt 2010-04-08 03:47

Pre-Run: 4,755,378,176 bytes free
Post-Run: 4,716,523,520 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - CBDD80CB2E8123BF2ED306DF9D06E6D6

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:

    Code:

    killall::

    RenV::
    c:\program files\BitComet\bitcomet  .exe
    c:\program files\Windows Live\Messenger\msnmsgr .exe
    c:\program files\quicktime\qttask .exe

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture omitted: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
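Added example (not ComboFix's code and not from the helper's post): a Python pass over the "Reg Loading Points" part of a ComboFix log that flags the two things the CFScript above acts on, autostart targets with whitespace just before the extension (`bitcomet  .exe`, `msnmsgr .exe`, `qttask .exe`) and targets ComboFix marks `[N/A]` because the file is gone, and then lists the paths a RenV:: block would name. The sample log lines are constructed in the layout the logs in this thread use.

```python
"""Scan a ComboFix 'Reg Loading Points' dump for autostart entries whose
target looks renamed (whitespace before the extension) or is missing ([N/A]).
Added example; not ComboFix's own code."""
import re
from dataclasses import dataclass, field

# Constructed sample in ComboFix's layout; not a real machine's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet  .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]
"""

# A Windows path up to an executable-style extension. Spaces are allowed in
# the name so that 'qttask .exe' is captured whole, not cut at the space.
PATH_RE = re.compile(
    r'([a-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|scr|com|bat|cmd|pif))\b', re.I)
# ComboFix ends the line with '[date size]', '[N/A]' (file absent) or '[X]'.
STAMP_RE = re.compile(r'\[([^\]]*)\]\s*$')
# Whitespace immediately before the final extension, e.g. 'bitcomet  .exe'.
SPACE_BEFORE_EXT_RE = re.compile(r'\s\.[A-Za-z0-9]+$')


@dataclass
class Finding:
    key: str                 # registry key (or startup folder) the entry sits in
    path: str                # target path as written in the log
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Yield (registry_key, target_path, stamp) for each target line."""
    key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]        # section header: the registry key
            continue
        m = PATH_RE.search(line)
        if not m:
            continue
        s = STAMP_RE.search(line)
        yield key, m.group(1), (s.group(1).strip() if s else None)


def find_suspicious(log_text):
    """Return the entries worth reviewing, in log order, with reasons."""
    findings = []
    for key, path, stamp in parse_entries(log_text):
        reasons = []
        basename = path.rsplit('\\', 1)[-1]
        if SPACE_BEFORE_EXT_RE.search(basename):
            reasons.append('whitespace before extension (renamed target)')
        if stamp == 'N/A':
            reasons.append('target file not present')
        if reasons:
            findings.append(Finding(key, path, reasons))
    return findings


def renv_block(findings):
    """Paths needing the RenV:: treatment, deduplicated, in CFScript layout."""
    paths = []
    for f in findings:
        if any('renamed' in r for r in f.reasons) and f.path not in paths:
            paths.append(f.path)
    return ['RenV::'] + paths if paths else []


if __name__ == '__main__':
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h.key}\n    {h.path}\n    -> {"; ".join(h.reasons)}')
    print()
    print('\n'.join(renv_block(hits)))
```

Entries flagged only as "target file not present" (XboxStat here, or the Google Update and Software Informer lines in the log above) are stale rather than renamed, which is why the helper's script removes keys for the space-named ones and leaves the rest.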

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

ComboFix 10-04-10.02 - Spen 04/11/2010 11:33:40.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1574 [GMT -7:00]
Running from: c:\documents and settings\Spen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Spen\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-10 04:36 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-10 04:36 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 04:30 . 2010-04-10 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 19:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-08 19:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-04-08 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-08 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-04-08 19:22 . 2010-04-08 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\system32\scripting
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\l2schemas
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\en
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\bits
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 11:08 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 11:08 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 11:08 . 2010-04-09 14:43 -------- d-----w- c:\windows\ie8updates
2010-04-08 11:08 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 11:05 . 2010-04-08 11:05 -------- d-----w- c:\documents and settings\Spen\Pavark
2010-04-08 11:05 . 2010-04-08 11:08 -------- dc-h--w- c:\windows\ie8
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
2010-04-08 06:28 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-08 06:23 . 2010-04-08 19:14 -------- d-----w- c:\windows\ServicePackFiles
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 06:17 . 2004-08-04 05:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-04-08 06:14 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-04-08 06:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-08 06:14 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-08 06:14 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-08 06:13 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-11 05:51 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-11 10:53 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-04-10 08:50 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 18:47 . 2009-03-30 08:26 -------- d-----w- c:\documents and settings\Spen\Application Data\uTorrent
2010-04-11 06:28 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-11 05:46 . 2009-04-23 07:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 05:43 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-11 05:42 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-09 04:31 . 2009-11-11 08:03 -------- d-----w- c:\documents and settings\Spen\Application Data\vlc
2010-04-09 01:24 . 2009-05-18 21:19 1 ----a-w- c:\documents and settings\Spen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-08 19:34 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-08 19:26 . 2009-03-28 21:08 18640 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 19:18 . 2008-10-30 06:07 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-08 06:33 . 2009-12-11 04:29 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-08 04:32 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2004-08-04 02:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

Code:

c:\program files\BitComet\bitcomet  .exe


((((((((((((((((((((((((((((( SnapShot_2010-04-10_04.40.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-11 18:39 . 2010-04-11 18:39 16384 c:\windows\temp\Perflib_Perfdata_228.dat
+ 2010-04-11 05:46 . 2010-04-11 05:46 3940352 c:\windows\Installer\5603518.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-15 01:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\aticustomercare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 -c--a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-04-01 01:54 507904 -c--a-w- c:\program files\Winamp Remote\bin\orbtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-03 06:26 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-08 10:55 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: 使用迅雷下载 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.igoogle.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 11:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(3812)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-11 11:49:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 18:49
ComboFix2.txt 2010-04-11 11:04
ComboFix3.txt 2010-04-11 06:02
ComboFix4.txt 2010-04-10 04:44
ComboFix5.txt 2010-04-11 18:32

Pre-Run: 4,723,154,944 bytes free
Post-Run: 4,679,782,400 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - FC30FA6F72A0B2F3977D4AA2EB1BC5F1

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    * .exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
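The SystemLook ":filefind" search above looks for executables whose name carries a space before the extension, a naming trick that makes a copy look like the real program in a directory listing. The following is an added example, not SystemLook's or the helper's own code: it walks a directory tree, flags every file with whitespace immediately before a program extension, and reports size and MD5 in the same spirit as the SystemLook log. The sample tree it scans (a legitimate BitComet.exe beside two hidden-space names) is constructed inside a temporary directory purely for the demonstration.

```python
"""Added example: find files whose name hides a space before the extension
("bitcomet .exe"), the pattern the SystemLook filefind "* .exe" search hunts,
and report size and MD5 the way that log does. Not SystemLook's code; the
paths in build_demo_tree() are constructed for the demo."""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# A normal file name never ends in " .exe"; whitespace right before the
# extension is what the "* .exe" search in the post matches.
SUSPICIOUS_NAME = re.compile(r"\s+\.(exe|dll|scr|com)$", re.IGNORECASE)


def md5_of(path: Path) -> str:
    """Hash the file in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def find_space_before_extension(root: Path) -> List[Tuple[str, int, str]]:
    """Walk root and return (path, size, md5) for every file whose name has
    whitespace immediately before a program extension, sorted by path."""
    hits: List[Tuple[str, int, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if SUSPICIOUS_NAME.search(name):
                p = Path(dirpath) / name
                hits.append((str(p), p.stat().st_size, md5_of(p)))
    return sorted(hits)


def build_demo_tree(base: Path) -> Path:
    """Constructed sample tree: one legitimate name and two hidden-space names
    modelled on the two files the SystemLook log in this thread reported."""
    bitcomet = base / "Program Files" / "BitComet"
    bitcomet.mkdir(parents=True)
    (bitcomet / "BitComet.exe").write_bytes(b"MZ real")      # legitimate, 7 bytes
    (bitcomet / "bitcomet .exe").write_bytes(b"MZ odd")      # hidden space, 6 bytes
    update = base / "Update"
    update.mkdir()
    (update / "googleupdate .exe").write_bytes(b"MZ odd2")   # hidden space, 7 bytes
    return base


def run_demo() -> List[Tuple[str, int, str]]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_space_before_extension(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for path, size, digest in run_demo():
        print(f"{path} {size} bytes {digest}")
```

Point the scanner at a real drive root and the hits are the candidates to verify by hash against the vendor's genuine binary; on the system in this thread the two names it mimics were found under the user's Google Update folder and the BitComet program folder.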

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:23 on 11/04/2010 by Spen (Administrator - Elevation successful)

========== filefind ==========

Searching for "* .exe"
C:\Documents and Settings\Spen\Local Settings\Application Data\Google\Update\googleupdate .exe --a--- 136176 bytes [06:59 06/04/2010] [06:59 06/04/2010] F02A533F517EB38333CB12A9E8963773
C:\Program Files\BitComet\bitcomet .exe --a--c 2497336 bytes [07:53 10/10/2008] [07:53 10/10/2008] 39E1C0FA52D86C04DDBE47F308319E8A

-=End Of File=-

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Good work. Now once more:

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:

    Code:

    killall::

    RenV::
    C:\Documents and Settings\Spen\Local Settings\Application Data\Google\Update\googleupdate .exe
    C:\Program Files\BitComet\bitcomet .exe

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

ComboFix 10-04-11.02 - Spen 04/11/2010 22:09:10.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1468 [GMT -7:00]
Running from: c:\documents and settings\Spen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Spen\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-10 04:36 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-10 04:36 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 04:30 . 2010-04-10 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 19:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-08 19:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-04-08 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-08 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-04-08 19:22 . 2010-04-08 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\system32\scripting
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\l2schemas
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\en
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\bits
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 11:08 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 11:08 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 11:08 . 2010-04-09 14:43 -------- d-----w- c:\windows\ie8updates
2010-04-08 11:08 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 11:05 . 2010-04-08 11:05 -------- d-----w- c:\documents and settings\Spen\Pavark
2010-04-08 11:05 . 2010-04-08 11:08 -------- dc-h--w- c:\windows\ie8
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
2010-04-08 06:28 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-08 06:23 . 2010-04-08 19:14 -------- d-----w- c:\windows\ServicePackFiles
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 06:17 . 2004-08-04 05:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-04-08 06:14 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-04-08 06:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-08 06:14 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-08 06:14 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-08 06:13 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-11 05:51 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-11 10:53 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-04-10 08:50 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 05:17 . 2009-03-30 08:26 -------- d-----w- c:\documents and settings\Spen\Application Data\uTorrent
2010-04-11 06:28 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-11 05:46 . 2009-04-23 07:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 05:43 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-11 05:42 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-09 04:31 . 2009-11-11 08:03 -------- d-----w- c:\documents and settings\Spen\Application Data\vlc
2010-04-09 01:24 . 2009-05-18 21:19 1 ----a-w- c:\documents and settings\Spen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-08 19:34 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-08 19:26 . 2009-03-28 21:08 18640 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 19:18 . 2008-10-30 06:07 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-08 06:33 . 2009-12-11 04:29 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-08 04:32 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2004-08-04 02:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

Code:

    c:\program files\BitComet\bitcomet  .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-15 01:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\aticustomercare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 -c--a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-06 06:59 136176 ----atw- c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\googleupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-04-01 01:54 507904 -c--a-w- c:\program files\Winamp Remote\bin\orbtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-03 06:26 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-08 10:55 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Download with Thunder - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: Download all links with Thunder - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.igoogle.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 22:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(2940)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-11 22:19:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 05:19
ComboFix2.txt 2010-04-11 18:49
ComboFix3.txt 2010-04-11 11:04
ComboFix4.txt 2010-04-11 06:02
ComboFix5.txt 2010-04-12 05:08

Pre-Run: 4,728,664,064 bytes free
Post-Run: 4,694,097,920 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - BD9C80CBDE99B57EE366627C175BA91D

Re: Fake Windows Security Virus removed, caused more rootkits and problems.
This just does not want to go away, does it?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    * .exe
    *  .exe
    *  .exe
    *    .exe
    *    .exe
    *      .exe
    *      .exe
    *        .exe
    *        .exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Fake Windows Security Virus removed, caused more rootkits and problems.
Yeah, I just don't understand why we can't seem to get rid of it. Have you ever experienced anything like this? Thanks again, man, you are so patient with my inexperience.


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:12 on 12/04/2010 by Spen (Administrator - Elevation successful)

========== filefind ==========

Searching for "* .exe"
C:\Program Files\BitComet\bitcomet .exe --a--c 2497336 bytes [07:53 10/10/2008] [07:53 10/10/2008] 39E1C0FA52D86C04DDBE47F308319E8A

Searching for "* .exe"
C:\Program Files\BitComet\bitcomet .exe --a--c 2497336 bytes [07:53 10/10/2008] [07:53 10/10/2008] 39E1C0FA52D86C04DDBE47F308319E8A

Searching for "* .exe"
C:\Program Files\BitComet\bitcomet .exe --a--c 2497336 bytes [07:53 10/10/2008] [07:53 10/10/2008] 39E1C0FA52D86C04DDBE47F308319E8A

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

-=End Of File=-

Re: Fake Windows Security Virus removed, caused more rootkits and problems.
I am rather confused about why it will not go away.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :dir
    C:\Program Files\BitComet


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Please wrap it in a Code tag.
Note: The log can also be found on your Desktop entitled SystemLook.txt
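The two SystemLook runs above (the :filefind sweep for "* .exe" with one, two, four, six and eight spaces, and the :dir listing of C:\Program Files\BitComet) are both after the same thing: an executable whose name carries whitespace just before the .exe extension, which a normal Explorer listing hides. The script below is an added example, not SystemLook and not anything the helper or the poster ran. It does both jobs in one pass on a constructed sample tree: a regex flags any number of padding spaces at once (so no one pattern per space count is needed), each hit is reported with size and MD5 the way SystemLook prints it, and the directory listing shows names through repr() so the padding is visible. The sample files, including a hypothetical two-space "steam  .exe", are made up for the demo; the only name taken from the log is "bitcomet .exe".

```python
import hashlib
import os
import re
import tempfile

# One or more spaces/tabs directly before the ".exe" extension, e.g.
# "bitcomet .exe" or "bitcomet   .exe". SystemLook's :filefind needs one
# "* .exe" pattern per space count; a regex covers every count at once.
PADDED_EXE = re.compile(r"\S\s+\.exe$", re.IGNORECASE)


def md5_of(path):
    """Uppercase hex MD5 of a file, read in chunks (same column SystemLook prints)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def find_padded_exes(root):
    """Walk root and describe every file whose name has whitespace before .exe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if PADDED_EXE.search(name):
                path = os.path.join(dirpath, name)
                hits.append({"name": name, "path": path,
                             "size": os.path.getsize(path), "md5": md5_of(path)})
    return sorted(hits, key=lambda h: h["path"])


def list_dir(path):
    """Like SystemLook's :dir, but each name goes through repr() so padding
    spaces that a normal listing hides become visible."""
    entries = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isdir(full):
            entries.append(("DIR ", repr(name), 0))
        else:
            entries.append(("FILE", repr(name), os.path.getsize(full)))
    return entries


def build_sample_tree():
    """Constructed sample tree (not the poster's disk): a legitimate
    BitComet.exe beside the padded 'bitcomet .exe' from the log, plus a
    hypothetical two-space 'steam  .exe' and a clean uTorrent.exe."""
    root = tempfile.mkdtemp(prefix="systemlook_demo_")
    files = {
        "Program Files/BitComet/BitComet.exe": b"MZ legitimate stub",
        "Program Files/BitComet/bitcomet .exe": b"abc",
        "Program Files/Steam/steam  .exe": b"MZ padded stub",
        "Program Files/uTorrent/uTorrent.exe": b"MZ legitimate stub",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in find_padded_exes(demo_root):
        print(f"{hit['path']!r} {hit['size']} bytes {hit['md5']}")
    for kind, shown, size in list_dir(os.path.join(demo_root, "Program Files", "BitComet")):
        print(kind, shown, size)
```

Point find_padded_exes at C:\Program Files (or the whole drive) to reproduce the sweep without guessing the space count; the MD5 column lets you compare a hit against the vendor's real binary, and the repr() listing is what makes "bitcomet .exe" and "BitComet.exe" distinguishable side by side.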
