malware

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

clicksor/"connect" virus/malware27th September 2010, 8:59 am

recently, a "connect" button started appearing on the sides of my web browser (firefox), and sometimes when i reload the page, it would redirect me to a different website with a pop up window saying:
"Warning! On your computer detected the malicious code. Should immediately make sure that your system is safe! Killing Hazard (R) for Microsoft Windows XP immediately started to work"
then no matter what option i choose, it would start scanning my computer.
i've tried scanning with ad-aware and malwarebytes now, both only found cookies.

OTL scan log:

OTL logfile created on: 9/27/2010 4:54:51 AM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\zhe\Desktop\New Folder (3)
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 84.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.51 Gb Total Space | 86.73 Gb Free Space | 79.93% Space Free | Partition Type: NTFS
Drive D: | 590.12 Gb Total Space | 262.56 Gb Free Space | 44.49% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZHEE
Current User Name: zhe
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/27 04:45:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\zhe\Desktop\New Folder (3)\OTL.com
PRC - [2010/02/18 12:49:40 | 000,357,448 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
PRC - [2010/02/18 12:47:34 | 003,203,144 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
PRC - [2009/04/22 21:11:32 | 001,675,776 | ---- | M] (Flagship Industries, Inc.) -- C:\Program Files\Ventrilo\Ventrilo.exe
PRC - [2009/02/06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/05/02 02:44:08 | 000,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2008/05/02 02:40:56 | 000,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/04/14 00:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/04 19:25:44 | 000,131,072 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

========== Modules (SafeList) ==========

MOD - [2010/09/27 04:45:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\zhe\Desktop\New Folder (3)\OTL.com
MOD - [2009/07/12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2008/05/02 02:42:50 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2008/04/14 00:41:52 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll
MOD - [2008/04/14 00:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2010/03/01 16:38:11 | 001,029,456 | ---- | M] (Lavasoft) [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/08/03 20:46:15 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/06/22 10:48:16 | 000,170,736 | ---- | M] (Rogers) [Disabled | Stopped] -- C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe -- (Radialpoint Security Services)
SRV - [2009/06/22 10:47:20 | 000,371,440 | ---- | M] (Rogers) [Disabled | Stopped] -- C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe -- (RP_FWS)
SRV - [2008/11/18 12:18:38 | 000,262,144 | ---- | M] (ASUSTeK COMPUTER INC.) [Disabled | Stopped] -- C:\WINDOWS\ATKKBService.exe -- (ATKKeyboardService)
SRV - [2008/11/14 18:28:10 | 004,937,752 | R--- | M] (Sana Security) [Disabled | Stopped] -- C:\Program Files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Bin\SanaAgent.exe -- (RadialpointSafeConnectAgent)
SRV - [2008/09/22 16:58:48 | 000,910,600 | ---- | M] (Raxco Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV - [2008/09/22 16:58:44 | 000,693,512 | ---- | M] (Raxco Software, Inc.) [Disabled | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2008/05/02 02:42:06 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/03/27 10:17:38 | 000,055,816 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\GIGABYTE\GEST\GSvr.exe -- (GEST Service)
SRV - [2007/11/06 16:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [Disabled | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/09/04 19:25:44 | 000,131,072 | ---- | M] (NVIDIA) [Disabled | Running] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\vvftUVC.sys -- (vvftUVC)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\VMUVC.sys -- (VMUVC)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\EagleNT.sys -- (EagleNT)
DRV - [2010/07/09 18:38:00 | 010,604,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/06/24 03:11:14 | 000,017,488 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\etdrv.sys -- (etdrv)
DRV - [2010/06/24 03:10:51 | 000,017,488 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2009/11/23 17:37:18 | 000,014,856 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LGVirHid.sys -- (LGVirHid)
DRV - [2009/11/23 17:37:08 | 000,019,720 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LGBusEnum.sys -- (LGBusEnum)
DRV - [2009/07/28 08:55:00 | 000,143,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/06/02 06:02:46 | 005,085,184 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/04/03 14:51:32 | 000,179,984 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/02/23 00:16:22 | 000,007,168 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\GIGABYTE\ET6\i386\AODDriver.sys -- (AODDriver)
DRV - [2009/02/13 15:02:52 | 000,011,520 | R--- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/11/26 15:19:56 | 000,053,192 | ---- | M] (Radialpoint Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
DRV - [2008/11/18 12:18:40 | 000,012,416 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\asusgsb.sys -- (asusgsb)
DRV - [2008/11/18 12:18:40 | 000,010,752 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Video3D32.sys -- (Video3D)
DRV - [2008/11/18 12:18:38 | 000,011,136 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\atkkbnt.sys -- (asuskbnt)
DRV - [2008/11/14 18:28:36 | 000,161,304 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Stopped] -- C:\Program Files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys -- (RadialpointSafeConnectDriver)
DRV - [2008/11/14 18:28:36 | 000,029,720 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Stopped] -- C:\Program Files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys -- (RadialpointSafeConnectFilter)
DRV - [2008/11/14 18:28:36 | 000,027,376 | ---- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Stopped] -- C:\Program Files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys -- (RadialpointSafeConnectShim)
DRV - [2008/08/28 13:16:40 | 000,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\DefragFS.sys -- (DefragFS)
DRV - [2008/08/05 08:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 19:23:10 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 17:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/29 03:13:24 | 000,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 03:13:16 | 000,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/02/29 03:12:48 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007/11/06 16:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2007/10/11 11:10:52 | 000,030,008 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ET5Drv.sys -- (ET5Drv)
DRV - [2007/09/04 19:26:32 | 000,029,696 | ---- | M] (NVidia Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\nvoclock.sys -- (NVR0Dev)
DRV - [2007/01/29 17:12:52 | 000,018,432 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AsusVRC.sys -- (ASUSVRC)
DRV - [2007/01/17 15:30:00 | 000,012,288 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Spyder2.sys -- (Spyder2)
DRV - [2006/11/22 08:01:00 | 000,250,496 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2006/06/14 13:44:30 | 000,012,288 | R--- | M] (ASUSTeK Computer Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\EIO_XP.sys -- (EIO_XP)
DRV - [2006/03/28 17:56:06 | 000,027,008 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
DRV - [2006/03/28 17:55:58 | 000,069,760 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2006/03/28 17:55:04 | 000,055,808 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042MOU.SYS -- (L8042mou)
DRV - [2006/01/04 03:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2004/10/15 13:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2004/05/27 11:47:16 | 000,019,968 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/05/21 15:16:14 | 000,471,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvcm.sys -- (QCMerced)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.ca"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/25 17:03:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/17 01:26:20 | 000,000,000 | ---D | M]

[2009/08/12 02:21:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zhe\Application Data\Mozilla\Extensions
[2009/08/12 02:21:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zhe\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/09/25 11:03:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\zhe\Application Data\Mozilla\Firefox\Profiles\0kqmfyxs.default\extensions
[2010/04/27 15:04:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\zhe\Application Data\Mozilla\Firefox\Profiles\0kqmfyxs.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/03 14:54:24 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Documents and Settings\zhe\Application Data\Mozilla\Firefox\Profiles\0kqmfyxs.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2010/06/07 19:11:18 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\zhe\Application Data\Mozilla\Firefox\Profiles\0kqmfyxs.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/09/25 11:03:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/17 04:40:12 | 000,704,512 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll

O1 HOSTS File: ([2007/08/11 02:58:33 | 000,000,768 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PopKill Class) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Rogers Online Protection\Rogers Online Protection\pkR.dll (Rogers)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)
O4 - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)
O4 - HKCU..\Run: [YY] C:\Program Files\duowan\yy-2.0\Start.exe (广州多玩信息技术有限公司)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\intu-qt2009 {03947252-2355-4e9b-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\zhe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\zhe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/03 05:28:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7fe02cc2-2239-11df-b086-001d7d0bf9c8}\Shell - "" = AutoRun
O33 - MountPoints2\{7fe02cc2-2239-11df-b086-001d7d0bf9c8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7fe02cc2-2239-11df-b086-001d7d0bf9c8}\Shell\AutoRun\command - "" = G:\Startme.exe -- File not found
O33 - MountPoints2\{a4090948-c06c-11de-9004-001d7d0bf9c8}\Shell - "" = AutoRun
O33 - MountPoints2\{a4090948-c06c-11de-9004-001d7d0bf9c8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a4090948-c06c-11de-9004-001d7d0bf9c8}\Shell\AutoRun\command - "" = G:\WD SmartWare.exe -- File not found
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/09/27 04:45:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\zhe\Desktop\New Folder (3)
[2010/09/26 04:06:09 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/26 04:06:08 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/26 04:06:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/26 04:05:40 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\zhe\Desktop\mbam-setup-1.46.exe
[2010/09/25 16:55:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\zhe\Desktop\New Folder (2)
[2010/09/23 00:08:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\zhe\Desktop\New Folder
[2010/09/16 22:27:56 | 000,007,552 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\dllcache\sonypvu1.sys
[2010/09/08 00:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\LogiShrd
[2010/09/07 23:57:47 | 000,301,656 | ---- | C] (Broadcom Corporation.) -- C:\WINDOWS\System32\BtCoreIf.dll
[2010/09/07 23:57:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Logishrd
[2010/09/07 23:57:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\zhe\Application Data\InstallShield
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/27 04:54:22 | 002,384,160 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/09/27 04:52:46 | 093,334,560 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/09/27 04:28:55 | 004,980,736 | -H-- | M] () -- C:\Documents and Settings\zhe\NTUSER.DAT
[2010/09/27 04:14:45 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/27 04:14:45 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/27 04:14:45 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/09/27 03:45:43 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/09/26 15:45:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/26 15:45:38 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/26 15:45:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/26 15:44:25 | 001,256,756 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/09/26 15:44:25 | 000,231,464 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/09/26 04:06:12 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/26 04:05:44 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\zhe\Desktop\mbam-setup-1.46.exe
[2010/09/26 03:47:56 | 003,171,036 | -H-- | M] () -- C:\Documents and Settings\zhe\Local Settings\Application Data\IconCache.db
[2010/09/25 16:53:44 | 002,314,977 | ---- | M] () -- C:\Documents and Settings\zhe\Desktop\IMG_1350.jpg
[2010/09/25 15:39:33 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/09/25 02:29:02 | 001,534,701 | ---- | M] () -- C:\Documents and Settings\zhe\Desktop\IMG_1341.jpg
[2010/09/21 14:20:01 | 000,146,432 | ---- | M] () -- C:\Documents and Settings\zhe\Desktop\02+-+Chapter+01+%28part+2%29.ppt
[2010/09/13 20:29:57 | 000,170,496 | ---- | M] () -- C:\Documents and Settings\zhe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/08 14:43:47 | 000,002,225 | ---- | M] () -- C:\Documents and Settings\zhe\Application Data\Microsoft\Internet Explorer\Quick Launch\Steam.lnk
[2010/09/07 23:58:45 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
[2010/09/07 23:58:41 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/09/07 23:57:47 | 000,001,687 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/26 04:06:12 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/25 16:53:44 | 002,314,977 | ---- | C] () -- C:\Documents and Settings\zhe\Desktop\IMG_1350.jpg
[2010/09/25 02:29:02 | 001,534,701 | ---- | C] () -- C:\Documents and Settings\zhe\Desktop\IMG_1341.jpg
[2010/09/21 14:20:01 | 000,146,432 | ---- | C] () -- C:\Documents and Settings\zhe\Desktop\02+-+Chapter+01+%28part+2%29.ppt
[2010/09/07 23:58:45 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
[2010/09/07 23:58:41 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/04/19 03:08:33 | 000,000,040 | ---- | C] () -- C:\WINDOWS\System32\Sx5363.ini
[2010/03/07 11:59:58 | 000,014,832 | -HS- | C] () -- C:\Documents and Settings\zhe\Local Settings\Application Data\fwSG76dUmwJ
[2010/02/18 22:01:56 | 000,002,072 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/01/09 10:08:15 | 000,000,410 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/01/09 10:06:57 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2009/10/18 18:04:33 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/10/11 16:05:38 | 000,000,025 | ---- | C] () -- C:\WINDOWS\libem.INI
[2009/09/08 18:24:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mj.INI
[2009/08/10 19:58:59 | 000,024,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\GVTDrv.sys
[2009/08/04 16:30:33 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\atkid.ini
[2009/08/04 16:30:32 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/08/04 16:30:32 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/08/04 16:30:32 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\asfrench.dll
[2009/08/04 16:30:32 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asrussian.dll
[2009/08/04 16:30:32 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asgerman.dll
[2009/08/04 16:30:32 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\aseng.dll
[2009/08/04 16:30:32 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\askorean.dll
[2009/08/04 16:30:32 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\asjapan.dll
[2009/08/04 16:30:32 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\ASCHT.dll
[2009/08/04 16:30:32 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\aschs.dll
[2009/08/03 17:26:59 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\zhe\Local Settings\Application Data\PUTTY.RND
[2009/08/03 15:42:31 | 000,170,496 | ---- | C] () -- C:\Documents and Settings\zhe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/03 14:18:32 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVUSBSta.sys
[2009/08/03 14:18:32 | 000,005,993 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/08/03 14:18:31 | 000,471,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\lvcm.sys
[2009/08/03 14:18:11 | 000,000,252 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2009/08/03 14:06:18 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/08/03 05:50:06 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2009/08/03 05:48:59 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\tasrtli.dll
[2008/10/14 16:09:12 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen_x86.sys
[2007/11/06 16:19:28 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/03/12 12:01:30 | 000,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2007/02/13 18:16:04 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\Spyder2.sys
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Custom Scans ==========

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/08/03 01:16:56 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/03 01:16:56 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/03 01:16:56 | 000,942,080 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2001/08/23 07:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2008/11/18 12:18:40 | 000,012,416 | ---- | M] (ASUSTeK Computer Inc.) -- C:\WINDOWS\system32\asusgsb.sys
[2001/08/23 07:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2001/08/23 07:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2001/08/23 07:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2008/04/13 17:20:56 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2001/08/23 07:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2001/08/23 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2001/08/23 07:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2001/08/23 07:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2001/08/23 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2008/04/13 17:19:40 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2008/04/13 17:19:44 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2008/04/13 17:19:40 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2008/04/13 17:19:44 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2008/04/13 17:19:42 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/13 19:15:00 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/04/17 08:26:40 | 001,847,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2010/09/26 15:45:33 | 000,198,637 | ---- | M] () -- C:\aaw7boot.log
[2009/08/03 05:28:05 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/09/27 04:14:45 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2009/08/03 05:28:05 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/08/03 05:28:05 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/08/03 14:16:25 | 000,000,090 | ---- | M] () -- C:\LogiSetup.log
[2009/08/03 05:28:05 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/13 17:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/13 19:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/09/26 15:45:33 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2009/08/03 19:50:26 | 000,000,122 | ---- | M] () -- C:\service.log

< %PROGRAMFILES%\*. >
[2009/09/01 14:28:04 | 000,000,000 | ---D | M] -- C:\Program Files\Acoustica MP3 Audio Mixer
[2010/07/31 19:14:08 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/10/18 17:34:18 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2009/08/04 16:31:46 | 000,000,000 | ---D | M] -- C:\Program Files\ASUS
[2010/08/20 06:15:58 | 000,000,000 | ---D | M] -- C:\Program Files\BitComet
[2009/08/03 20:50:34 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2010/01/09 10:18:20 | 000,000,000 | ---D | M] -- C:\Program Files\Brother
[2010/09/07 23:57:29 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009/08/03 05:25:32 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/07/30 04:26:31 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2010/05/25 03:22:10 | 000,000,000 | ---D | M] -- C:\Program Files\duowan
[2010/04/19 03:08:33 | 000,000,000 | ---D | M] -- C:\Program Files\Gameforge4D
[2009/08/10 19:58:43 | 000,000,000 | ---D | M] -- C:\Program Files\GIGABYTE
[2010/02/27 09:55:14 | 000,000,000 | ---D | M] -- C:\Program Files\ImTOO
[2010/09/07 23:57:31 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2009/08/03 01:51:46 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2009/08/03 02:24:44 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2009/08/10 16:38:44 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/08/08 15:37:02 | 000,000,000 | ---D | M] -- C:\Program Files\Lavasoft
[2009/08/12 02:21:07 | 000,000,000 | ---D | M] -- C:\Program Files\LimeWire
[2010/06/29 20:06:55 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2010/09/26 04:06:12 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/10 05:18:41 | 000,000,000 | ---D | M] -- C:\Program Files\Marvell
[2009/08/03 02:05:50 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/09/15 21:15:58 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2009/08/03 05:28:22 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/08/03 05:26:31 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/09/27 04:28:59 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/08/03 02:25:30 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2009/08/03 05:24:39 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2009/08/03 05:25:14 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/08/17 19:20:30 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/08/04 16:27:15 | 000,000,000 | ---D | M] -- C:\Program Files\My Company Name
[2009/10/18 16:41:45 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2009/08/03 05:26:44 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/01/09 10:05:38 | 000,000,000 | ---D | M] -- C:\Program Files\Nuance
[2010/08/20 17:00:53 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2010/06/28 03:31:07 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA nTune Performance Application
[2009/08/03 05:25:22 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2009/08/17 19:21:42 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/04/25 18:11:02 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTax 2009
[2009/09/06 23:39:18 | 000,000,000 | ---D | M] -- C:\Program Files\Raxco
[2009/08/03 05:50:05 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek
[2009/08/03 02:25:27 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/02/22 17:49:50 | 000,000,000 | ---D | M] -- C:\Program Files\Rogers Online Protection
[2010/02/25 02:37:33 | 000,000,000 | ---D | M] -- C:\Program Files\Sony Ericsson
[2010/09/10 12:59:38 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2010/04/30 05:58:04 | 000,000,000 | ---D | M] -- C:\Program Files\Subagames
[2009/08/03 05:31:41 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/08/03 14:06:34 | 000,000,000 | ---D | M] -- C:\Program Files\Ventrilo
[2009/08/03 15:22:04 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2010/09/25 11:36:23 | 000,000,000 | ---D | M] -- C:\Program Files\Warcraft III
[2009/08/03 14:33:17 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp
[2009/09/15 21:15:53 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2010/09/23 15:49:42 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live Safety Center
[2009/09/15 21:15:43 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2009/08/03 02:23:41 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/08/03 02:23:41 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/08/03 05:25:06 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2009/08/03 05:27:12 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/09/02 04:02:39 | 000,000,000 | ---D | M] -- C:\Program Files\WinPcap
[2009/08/03 21:33:23 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2009/08/03 05:28:22 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< %appdata%\*.* >
[2009/08/03 01:20:07 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\zhe\Application Data\desktop.ini

< MD5 for: AGP440.SYS >
[2008/04/14 00:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 00:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 19:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2008/04/14 00:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/04/13 19:10:48 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 00:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 00:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 00:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 00:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 00:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2008/04/14 00:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/04/14 00:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2008/04/14 00:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-08-03 06:17:28

========== Files - Unicode (All) ==========
[2009/09/06 23:40:13 | 000,000,040 | ---- | M] ()(C:\WINDOWS\System32\?????????????????????????????????????????????????) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥剜杯牥⁳湏楬敮倠潲整瑣潩屮潒敧獲传汮湩⁥牐瑯捥楴湯卜晡䍥湯敮瑣䍜湯楦屧噘敩⹷潣普杩
[2009/09/06 23:40:13 | 000,000,040 | ---- | C] ()(C:\WINDOWS\System32\?????????????????????????????????????????????????) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥剜杯牥⁳湏楬敮倠潲整瑣潩屮潒敧獲传汮湩⁥牐瑯捥楴湯卜晡䍥湯敮瑣䍜湯楦屧噘敩⹷潣普杩
< End of report >

Re: clicksor/"connect" virus/malware27th September 2010, 7:51 pm

Hello.

Please run OTL.exe.

Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKCU..\Run: [YY] C:\Program Files\duowan\yy-2.0\Start.exe (广州多玩信息技术有限公司)

:commands
[emptytemp]
[resethosts]
[reboot]
Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
Click the red Run Fix button.
A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
clicksor/"connect" virus/malware DXwU4

Re: clicksor/"connect" virus/malware27th September 2010, 9:48 pm

done, is there more? because the problem isn't fixed, as i opened firefox after the reboot, this site was actually redirected to the virus scan site again

Re: clicksor/"connect" virus/malware28th September 2010, 8:26 pm

No, not done yet.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Re: clicksor/"connect" virus/malware29th September 2010, 5:13 am

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

9/28/2010 4:46:39 PM
mbam-log-2010-09-28 (16-46-39).txt

Scan type: Quick scan
Objects scanned: 113070
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: clicksor/"connect" virus/malware29th September 2010, 11:35 pm

Hello.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

Post the new log when done.

Re: clicksor/"connect" virus/malware30th September 2010, 3:03 am

when i click update, it gives me a error saying:

an error has occurred, please report this error code to our support team

MBAM_ERROR_UPDATING (12007,0,WinHttpSendRequest).

i scanned again anyways, and heres the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

9/29/2010 11:02:58 PM
mbam-log-2010-09-29 (23-02-58).txt

Scan type: Quick scan
Objects scanned: 112863
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: clicksor/"connect" virus/malware30th September 2010, 11:35 pm

Hello.

Download combofix from here
Link 1
Link 2

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
We need to disable your local AV (Anti-virus) before running Combofix.
See HERE for how to disable your AV.
Double click on ComboFix.exe.
Follow the prompts. NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: clicksor/"connect" virus/malware1st October 2010, 2:59 am

ComboFix 10-09-30.03 - zhe 09/30/2010 22:54:04.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2336 [GMT -4:00]
Running from: c:\documents and settings\zhe\Desktop\ComboFix.exe
AV: Rogers Online Protection Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Rogers Online Protection Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\zhe\Application Data\BITS
c:\documents and settings\zhe\Application Data\BITS\BITS.ini
c:\documents and settings\zhe\Application Data\BITS\DHTTable.dat
c:\documents and settings\zhe\Application Data\BITS\ProxyList.ini
c:\documents and settings\zhe\Application Data\BITS\UPnP.ini
c:\documents and settings\zhe\Application Data\FlashGetBHO
c:\documents and settings\zhe\Application Data\FlashGetBHO\FlashGetBHO3.dll
c:\documents and settings\zhe\Application Data\FlashGetBHO\GetAllUrl.htm
c:\documents and settings\zhe\Application Data\FlashGetBHO\GetUrl.htm
c:\windows\libem.INI
c:\windows\system32\secushr.dat
c:\windows\system32\secustat.dat

.
((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))
.

2010-09-29 06:23 . 2010-09-29 06:23 16384 ---ha-w- C:\SZKGFS.dat
2010-09-29 06:21 . 2010-09-29 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-09-29 06:20 . 2010-09-29 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-29 06:20 . 2010-09-29 06:20 -------- d-----w- c:\program files\Common Files\iS3
2010-09-28 20:00 . 2010-09-28 20:01 -------- d-----w- c:\documents and settings\zhe\Application Data\dvdcss
2010-09-27 22:05 . 2010-09-27 22:05 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-27 21:40 . 2010-09-27 21:40 -------- d-----w- C:\_OTL
2010-09-26 08:06 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-26 08:06 . 2010-09-27 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-26 08:06 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-20 04:18 . 2010-09-14 05:31 517576 ----a-w- c:\documents and settings\zhe\Application Data\duowan\yy\C__Program_Files_duowan_yy-2.0_\temp\start_temp\{1945F934-F903-4A2C-9269-ADA60B3A1743}\start.exe
2010-09-17 02:27 . 2001-08-17 17:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-09-17 02:27 . 2001-08-17 17:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-09-08 04:01 . 2010-09-08 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-09-08 03:57 . 2008-05-02 06:38 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2010-09-08 03:57 . 2010-09-08 03:57 10134 ----a-r- c:\documents and settings\zhe\Application Data\Microsoft\Installer\{3101CB58-3482-4D21-AF1A-7057FC935355}\ARPPRODUCTICON.exe
2010-09-08 03:57 . 2010-09-08 03:57 -------- d-----w- c:\program files\Common Files\Logishrd
2010-09-08 03:57 . 2010-09-08 03:57 -------- d-----w- c:\documents and settings\zhe\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 02:56 . 2009-08-08 19:38 93680416 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-09-30 10:06 . 2009-08-08 19:38 2413088 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-09-30 10:06 . 2009-08-08 19:38 233744 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-09-30 10:06 . 2009-08-08 19:38 1260476 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-09-30 09:59 . 2009-08-03 19:28 -------- d-----w- c:\documents and settings\zhe\Application Data\vlc
2010-09-29 06:53 . 2010-09-29 06:30 16 ----a-w- c:\windows\system32\drivers\fidbox.dat.szfi
2010-09-29 06:33 . 2010-09-29 06:29 1128 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-27 22:05 . 2009-09-10 04:38 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-25 15:36 . 2009-08-03 18:25 -------- d-----w- c:\program files\Warcraft III
2010-09-10 16:59 . 2009-08-27 18:19 -------- d-----w- c:\program files\Steam
2010-09-08 03:58 . 2010-09-08 03:58 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-09-08 03:58 . 2010-09-08 03:58 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-09-08 03:57 . 2009-08-03 18:18 -------- d-----w- c:\program files\Common Files\Logitech
2010-09-08 03:57 . 2009-08-03 09:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-20 21:00 . 2009-08-03 05:59 -------- d-----w- c:\program files\NVIDIA Corporation
2010-08-20 21:00 . 2009-08-03 18:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-20 20:59 . 2010-08-20 20:59 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-08-20 20:59 . 2010-08-20 20:59 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-08-20 20:59 . 2010-08-20 20:59 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-08-20 10:15 . 2009-08-03 18:54 -------- d-----w- c:\program files\BitComet
2010-08-10 09:18 . 2010-08-10 09:18 -------- d-----w- c:\program files\Marvell
2010-08-09 22:23 . 2010-08-09 22:23 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-30 08:26 . 2010-07-30 08:26 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-30 08:26 . 2010-07-30 08:26 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-30 08:26 . 2010-07-30 08:26 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-07-30 08:26 . 2010-07-30 08:26 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-07-30 08:26 . 2010-07-30 08:26 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-07-30 08:26 . 2010-07-30 08:26 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-07-30 08:26 . 2010-07-30 08:26 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-07-30 08:25 . 2010-07-30 08:26 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-07-30 08:25 . 2010-07-30 08:26 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-07-30 08:25 . 2010-07-30 08:25 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-07-09 20:24 . 2010-07-09 20:24 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-07-09 20:24 . 2010-07-09 20:24 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-07-09 20:24 . 2010-07-09 20:24 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-07-09 20:24 . 2010-07-09 20:24 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2010-07-09 20:24 . 2010-07-09 20:24 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-07-09 20:24 . 2010-07-09 20:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-07 17:46 . 2009-08-03 05:58 604776 -c--a-w- c:\windows\system32\NVUNINST.EXE
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-02-18 357448]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-9-7 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^zhe^Start Menu^Programs^Startup^Seagate 2GEYMZRC Product Registration.lnk]
path=c:\documents and settings\zhe\Start Menu\Programs\Startup\Seagate 2GEYMZRC Product Registration.lnk
backup=c:\windows\pss\Seagate 2GEYMZRC Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 -c--a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
2009-02-20 01:24 1171456 -c--a-w- c:\program files\ASUS\SmartDoctor\SmartDoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSGamerOSD]
2008-12-22 17:46 380928 -c--a-w- c:\program files\ASUS\GamerOSD\GamerOSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVI]
2007-07-26 19:05 20480 -c--a-w- c:\program files\GIGABYTE\ET6\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
2007-12-14 15:46 236040 -c--a-w- c:\program files\GIGABYTE\GEST\run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-13 22:13 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2010-02-18 16:24 1573448 ----a-w- c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2008-02-29 07:12 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2004-06-01 10:46 196608 -c----w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2004-06-01 15:09 458752 -c----w- c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2004-06-01 15:03 217088 -c----w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-05-21 23:11 221184 -c--a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-13 22:13 59392 -c--a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 20:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 20:24 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-07-08 03:52 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-13 22:13 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-13 22:13 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RogersServicepointAgent.exe]
2009-02-27 19:13 3228912 -c--a-w- c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-21 06:01 17881600 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-10 20:38 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 -c--a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"ATKKeyboardService"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"wuauserv"=2 (0x2)
"GEST Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"rpcapd"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"PD91Engine"=3 (0x3)
"PD91Agent"=2 (0x2)
"RP_FWS"=2 (0x2)
"RadialpointSafeConnectAgent"=2 (0x2)
"Radialpoint Security Services"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"nTuneService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\drunk_p3nl5\\counter-strike\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"$INSTDIR\\FlvDetector.exe"= c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlvDetector.exe
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\program files\Subagames\ACE Online\Launcher.atm"= c:\program files\Subagames\ACE Online\Launcher.atm:Enabled:GameExe2
"c:\program files\Subagames\ACE Online\Res-Voip\SCVoIP.exe"= c:\program files\Subagames\ACE Online\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\Program Files\\Steam\\steamapps\\dark_chaos_magi@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12511:TCP"= 12511:TCP:BitComet 12511 TCP
"12511:UDP"= 12511:UDP:BitComet 12511 UDP

R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/3/2009 5:48 AM 1684736]
S3 AODDriver;AODDriver;c:\program files\GIGABYTE\ET6\i386\AODDriver.sys [2/23/2009 12:16 AM 7168]
S3 etdrv;etdrv;c:\windows\etdrv.sys [8/11/2009 3:38 AM 17488]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [6/29/2010 8:07 PM 14856]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [11/14/2008 6:28 PM 161304]
S3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [11/14/2008 6:28 PM 29720]
S3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [11/14/2008 6:28 PM 27376]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2/13/2007 6:16 PM 12288]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys --> c:\windows\system32\Drivers\VMUVC.sys [?]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys --> c:\windows\system32\drivers\vvftUVC.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/26/2009 1:09 PM 11520]
S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [8/3/2009 2:48 AM 55816]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S4 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/22/2008 4:58 PM 693512]
S4 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/22/2008 4:58 PM 910600]
S4 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [6/22/2009 10:48 AM 170736]
S4 RadialpointSafeConnectAgent;Rogers Online Protection SafeConnectAgent;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\bin\SanaAgent.exe [11/14/2008 6:28 PM 4937752]
.
Contents of the 'Scheduled Tasks' folder

2010-09-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 20:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - c:\documents and settings\zhe\Application Data\Mozilla\Firefox\Profiles\0kqmfyxs.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: c:\documents and settings\zhe\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-30 22:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1156)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2010-09-30 22:57:27
ComboFix-quarantined-files.txt 2010-10-01 02:57

Pre-Run: 94,940,782,592 bytes free
Post-Run: 94,934,953,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1A8AE2D59E10F0D5C73CF5BED990F4D1

Re: clicksor/"connect" virus/malware3rd October 2010, 5:19 am

bump

Re: clicksor/"connect" virus/malware3rd October 2010, 11:35 pm

Hello.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Code:
FCopy:: c:\windows\$NtUninstallKB951748$\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

Re: clicksor/"connect" virus/malware9th October 2010, 6:24 am

i think i solved the problem, it turns out my DNS IP was changed to some russian IP, now that i've changed it back to default, pop ups and redirects are gone

Re: clicksor/"connect" virus/malware9th October 2010, 11:56 pm

Hello.
Please run my CFScript, a system file maybe patched.

Re: clicksor/"connect" virus/malware10th October 2010, 6:38 am

ComboFix 10-10-09.04 - zhe 10/10/2010 2:32.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3086 [GMT -4:00]
Running from: c:\documents and settings\zhe\Desktop\New Folder (6)\ComboFix.exe
Command switches used :: c:\documents and settings\zhe\Desktop\New Folder (6)\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-10 06:22 . 2010-10-10 06:22 -------- d-----w- C:\log
2010-10-10 06:21 . 2010-10-10 06:26 -------- d-----w- c:\windows\SxsCaPendDel
2010-10-09 07:52 . 2010-10-09 07:52 -------- d-----w- c:\program files\Vector Magic
2010-09-29 06:21 . 2010-09-29 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-09-29 06:20 . 2010-09-29 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-29 06:20 . 2010-09-29 06:20 -------- d-----w- c:\program files\Common Files\iS3
2010-09-28 20:00 . 2010-09-28 20:01 -------- d-----w- c:\documents and settings\zhe\Application Data\dvdcss
2010-09-27 22:05 . 2010-09-27 22:05 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-27 21:45 . 2009-06-25 17:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2010-09-27 21:40 . 2010-09-27 21:40 -------- d-----w- C:\_OTL
2010-09-26 08:06 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-26 08:06 . 2010-09-27 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-26 08:06 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 02:27 . 2001-08-17 17:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-09-17 02:27 . 2001-08-17 17:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-10-01_02.56.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-08 19:38 . 2010-10-10 06:25 2457888 c:\windows\system32\drivers\fidbox2.dat
+ 2009-08-08 19:38 . 2010-10-10 06:25 94406176 c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-02-18 357448]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-9-7 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^zhe^Start Menu^Programs^Startup^Seagate 2GEYMZRC Product Registration.lnk]
path=c:\documents and settings\zhe\Start Menu\Programs\Startup\Seagate 2GEYMZRC Product Registration.lnk
backup=c:\windows\pss\Seagate 2GEYMZRC Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 -c--a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
2009-02-20 01:24 1171456 -c--a-w- c:\program files\ASUS\SmartDoctor\SmartDoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSGamerOSD]
2008-12-22 17:46 380928 -c--a-w- c:\program files\ASUS\GamerOSD\GamerOSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVI]
2007-07-26 19:05 20480 -c--a-w- c:\program files\GIGABYTE\ET6\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
2007-12-14 15:46 236040 -c--a-w- c:\program files\GIGABYTE\GEST\run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-13 22:13 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2010-02-18 16:24 1573448 ----a-w- c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2008-02-29 07:12 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2004-06-01 10:46 196608 -c----w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2004-06-01 15:09 458752 -c----w- c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2004-06-01 15:03 217088 -c----w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-05-21 23:11 221184 -c--a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-13 22:13 59392 -c--a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 20:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 20:24 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-07-08 03:52 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-13 22:13 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-13 22:13 455168 -c--a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-21 06:01 17881600 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-10 20:38 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 -c--a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"ATKKeyboardService"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"wuauserv"=2 (0x2)
"GEST Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"rpcapd"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"PD91Engine"=3 (0x3)
"PD91Agent"=2 (0x2)
"RP_FWS"=2 (0x2)
"RadialpointSafeConnectAgent"=2 (0x2)
"Radialpoint Security Services"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"nTuneService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\drunk_p3nl5\\counter-strike\\hl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"$INSTDIR\\FlvDetector.exe"= c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlvDetector.exe
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\program files\Subagames\ACE Online\Launcher.atm"= c:\program files\Subagames\ACE Online\Launcher.atm:Enabled:GameExe2
"c:\program files\Subagames\ACE Online\Res-Voip\SCVoIP.exe"= c:\program files\Subagames\ACE Online\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\Program Files\\Steam\\steamapps\\dark_chaos_magi@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12511:TCP"= 12511:TCP:BitComet 12511 TCP
"12511:UDP"= 12511:UDP:BitComet 12511 UDP

R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/3/2009 5:48 AM 1684736]
S3 AODDriver;AODDriver;c:\program files\GIGABYTE\ET6\i386\AODDriver.sys [2/23/2009 12:16 AM 7168]
S3 etdrv;etdrv;c:\windows\etdrv.sys [8/11/2009 3:38 AM 17488]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [6/29/2010 8:07 PM 14856]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2/13/2007 6:16 PM 12288]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys --> c:\windows\system32\Drivers\VMUVC.sys [?]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys --> c:\windows\system32\drivers\vvftUVC.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [10/26/2009 1:09 PM 11520]
S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [8/3/2009 2:48 AM 55816]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
.
Contents of the 'Scheduled Tasks' folder

2010-10-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 20:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - c:\documents and settings\zhe\Application Data\Mozilla\Firefox\Profiles\0kqmfyxs.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: c:\documents and settings\zhe\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-RogersServicepointAgent - c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2312)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-10 02:36:24
ComboFix-quarantined-files.txt 2010-10-10 06:36
ComboFix2.txt 2010-10-01 02:57

Pre-Run: 95,659,560,960 bytes free
Post-Run: 95,692,357,632 bytes free

- - End Of File - - 86CBB1D67C5BFECDB4B45A7411B22963

Re: clicksor/"connect" virus/malware10th October 2010, 9:17 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX. click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Check (tick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

Re: clicksor/"connect" virus/malware11th October 2010, 3:44 am

what's going on now?

log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1af058b77ed9494293437b686df92c23
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-10 11:20:53
# local_time=2010-10-10 07:20:53 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=86114
# found=3
# cleaned=3
# scan_time=6543
D:\adobe\Illustrator CS2\AICS2.iso a variant of Win32/Keygen.AO application (deleted - quarantined) 00000000000000000000000000000000 C
D:\adobe\Illustrator CS2\Adobe GoLive CS2\CRACK\keygen.exe a variant of Win32/Keygen.AO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\adobe\Illustrator CS2\CRACK\keygen.exe a variant of Win32/Keygen.AO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: clicksor/"connect" virus/malware11th October 2010, 9:38 pm

Hello.
How is the machine running now?

Re: clicksor/"connect" virus/malware11th October 2010, 9:39 pm

computers all good now, thanks a bunch!

clicksor/"connect" virus/malware

descriptionclicksor/"connect" virus/malware27th September 2010, 8:59 am

descriptionRe: clicksor/"connect" virus/malware27th September 2010, 7:51 pm

descriptionRe: clicksor/"connect" virus/malware27th September 2010, 9:48 pm

descriptionRe: clicksor/"connect" virus/malware28th September 2010, 8:26 pm

descriptionRe: clicksor/"connect" virus/malware29th September 2010, 5:13 am

descriptionRe: clicksor/"connect" virus/malware29th September 2010, 11:35 pm

descriptionRe: clicksor/"connect" virus/malware30th September 2010, 3:03 am

descriptionRe: clicksor/"connect" virus/malware30th September 2010, 11:35 pm

descriptionRe: clicksor/"connect" virus/malware1st October 2010, 2:59 am

descriptionRe: clicksor/"connect" virus/malware3rd October 2010, 5:19 am

descriptionRe: clicksor/"connect" virus/malware3rd October 2010, 11:35 pm

descriptionRe: clicksor/"connect" virus/malware9th October 2010, 6:24 am

descriptionRe: clicksor/"connect" virus/malware9th October 2010, 11:56 pm

descriptionRe: clicksor/"connect" virus/malware10th October 2010, 6:38 am

descriptionRe: clicksor/"connect" virus/malware10th October 2010, 9:17 pm

descriptionRe: clicksor/"connect" virus/malware11th October 2010, 3:44 am

descriptionRe: clicksor/"connect" virus/malware11th October 2010, 9:38 pm

descriptionRe: clicksor/"connect" virus/malware11th October 2010, 9:39 pm

descriptionRe: clicksor/"connect" virus/malware