System TOols 2011 hijacked my PC

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

System TOols 2011 hijacked my PC22nd December 2010, 12:24 am

I can't open any programs and everytime I disable it it'll just reinstall itself...

Re: System TOols 2011 hijacked my PC22nd December 2010, 12:46 am

Hello.

We need to use the RKill Tool by Grinler

Rkill.com <--- Download site

Please Download Rkill.com. Save it to your Desktop.
Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.
Please be patient while the program looks for various malware programs and ends them.
When it has finished, the black window will automatically close and you can continue with the next step.

NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program, when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
iExplore.exe or eXplorer.exe
which are renamed copies of rkill.com, and try them instead.

Download OTL by OldTimer to your Desktop.

Close all windows and double click OTL.exe
Click Run Scan and let the program run uninterrupted
It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
You may need to use two posts to get it all.

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
System TOols 2011 hijacked my PC DXwU4

Re: System TOols 2011 hijacked my PC22nd December 2010, 12:53 am

I managed to disable it now and did a OTL scan.

OTL Extras logfile created on: 12/21/2010 6:33:23 PM - Run 2
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\gap\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 596.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1024 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.04 Gb Total Space | 19.04 Gb Free Space | 13.31% Space Free | Partition Type: NTFS
Drive D: | 592.53 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: ELLENS | User Name: gap | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"56476:TCP" = 56476:TCP:*:Enabled:Pando Media Booster
"56476:UDP" = 56476:UDP:*:Enabled:Pando Media Booster
"56980:TCP" = 56980:TCP:*:Enabled:Pando Media Booster
"56980:UDP" = 56980:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"56476:TCP" = 56476:TCP:*:Enabled:Pando Media Booster
"56476:UDP" = 56476:UDP:*:Enabled:Pando Media Booster
"56980:TCP" = 56980:TCP:*:Enabled:Pando Media Booster
"56980:UDP" = 56980:UDP:*:Enabled:Pando Media Booster
"57917:TCP" = 57917:TCP:*:Enabled:Pando Media Booster
"57917:UDP" = 57917:UDP:*:Enabled:Pando Media Booster
"8375:TCP" = 8375:TCP:*:Enabled:League of Legends Launcher
"8375:UDP" = 8375:UDP:*:Enabled:League of Legends Launcher
"8380:TCP" = 8380:TCP:*:Enabled:League of Legends Launcher
"8380:UDP" = 8380:UDP:*:Enabled:League of Legends Launcher

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe" = C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe:*:Enabled:DarkCrusade -- (THQ Canada Inc.)
"C:\Program Files\Unreal Tournament 2004\System\UT2004.exe" = C:\Program Files\Unreal Tournament 2004\System\UT2004.exe:*:Enabled:UT2004 -- ()
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Documents and Settings\gap\Desktop\postal2\Postal2STP\System\Postal2.exe" = C:\Documents and Settings\gap\Desktop\postal2\Postal2STP\System\Postal2.exe:*:Enabled:Postal2 -- ()
"C:\Nexon\DFO\DFO.exe" = C:\Nexon\DFO\DFO.exe:*:Enabled:Dungeon Fighter Online -- (neople)
"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\EA GAMES\Command & Conquer The First Decade\Command & Conquer(tm) Tiberian Sun(tm)\SUN\Game.exe" = C:\Program Files\EA GAMES\Command & Conquer The First Decade\Command & Conquer(tm) Tiberian Sun(tm)\SUN\Game.exe:*:Enabled:Main executable for Tiberian Sun -- (Westwood Studios)
"C:\Program Files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe" = C:\Program Files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe:*:Enabled:Star Wars(R): Empire at War(TM): Forces of Corruption(TM) -- (Lucasfilm Entertainment Company, Ltd.)
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Riot Games\League of Legends\air\LolClient.exe" = C:\Riot Games\League of Legends\air\LolClient.exe:*:Enabled:League of Legends Lobby -- (Adobe Systems Inc.)
"C:\Riot Games\League of Legends\game\League of Legends.exe" = C:\Riot Games\League of Legends\game\League of Legends.exe:*:Enabled:League of Legends Game Client -- ()
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00BA866C-F2A2-4BB9-A308-3DFA695B6F7C}" = Java DB 10.5.3.0
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{01AF4645-78E6-46C4-B528-54863679CC40}" = VAIO SLIT-C Screen Saver
"{09F4655B-C804-4AD0-B7DF-078E338F8F85}" = League of Legends
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{0D490016-5D01-4CB3-A037-55814AC63D2E}" = Giga Pocket Hardware Library 5.5
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1A4E71A5-643D-4536-B624-995F7E212272}" = WonderKing
"{1EB317D8-8945-4FD6-B37F-DF470317C6AB}" = VAIO Media 3.0
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{266AEE68-5718-4A31-BDD3-D356B1250C70}" = VAIO SLIT Pattern Wallpaper
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{28999392-5871-4A39-863A-D2A6EA3260AF}" = League of Legends
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"{32A3A4F4-B792-11D6-A78A-00B0D0160200}" = Java(TM) SE Development Kit 6 Update 20
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{362D5167-9716-44BE-89FD-BF9EB6EF814B}" = DawnOfWar
"{36B662F5-0CE3-4B5D-96D1-B9218109DED1}" = Kodak EasyShare printer dock 6000
"{38B39865-D988-4945-9A22-6107B8B40953}" = C4200
"{394DC0BC-5476-4260-B52C-BDE1BDEFA958}" = Unreal Tournament 2004
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{48820099-ED7D-424B-890C-9A82EF00656C}" = VAIO Update 2
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C75086F-7753-41B9-8B4C-F38DE6CC8C20}" = VAIO Remote Commander Utility 6.2
"{50CE21D8-0F44-4f3f-A392-7F9AD3194DEF}" = PS_AIO_Software
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{64F8B9AF-983F-48CE-ABBB-F62BEC02C5A0}" = System Requirements Lab
"{657DD6DA-B07B-40FF-9DBD-2116F7E83CF6}" = OpenMG Secure Module 3.4.00
"{6592FDEC-2C1A-413A-9985-25FEC2F0848D}" = Star Wars Empire at War Forces of Corruption
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{685BCC47-B8EC-45EC-BBCE-77DF2451502C}" = DVgate Plus
"{6990A2BF-D1D2-11D3-81BC-00609789C908}" = Sony Video Shared Library
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7128C69B-8F7E-4336-8698-3FD3CDD955EC}" = VAIO Media Redistribution 3.0
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}" = SonicStage 2.0.02
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{7A79D11B-FD82-4A5E-834F-20173515DD14}" = VAIO Media Integrated Server 3.0
"{7C2F71B2-6C73-11D6-B659-00C04F790F76}" = Click to DVD 2.0.02
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{8641C1CB-03B3-41d4-8DEC-79826A4B5C0E}" = HP Photosmart All-In-One Software 8.0
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89661B04-C646-4412-B6D3-5E19F02F1F37}" = EAX4 Unified Redist
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD 5 for VAIO
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{93B80FB1-7A23-11D3-B250-00105A1F4184}" =
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{979F6A6B-4CB0-424E-8E70-AA2ED38B4CCC}" = Giga Pocket Demo Movie
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{98A3A654-3AEF-42D9-BA91-DE5815EA5897}" = Click to DVD 2.0 Menu Data
"{99AE7207-8612-4DBA-A8F8-BAE5C633390D}" = Star Wars Empire at War
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{9EBDAF91-DADA-47CE-94F2-F5B004007934}" = System Requirements Lab
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A3B7C670-4A1E-4EE2-950E-C875BC1965D0}" = Copy
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A6BFDF60-FD08-4EF9-8D26-B762A19DB9A0}" = Giga Pocket 5.5
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B668B2B8-70D4-4754-A890-17C1DDDA9418}" = PS_AIO_Software_min
"{B7CAB3A0-0C18-42A5-A783-0E3FFF172935}" = MapleStory
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD7D5804-C157-48A6-AEE0-4A40A4B5C054}" = VAIO System Information
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0448678-1203-4158-A58F-B3D0B616BF9E}" = Sony Certificate PCH
"{D84E40A2-380A-46E9-A750-6F55D398D973}" = ATI Catalyst Control Center
"{D917FD82-6CE5-489A-AAF8-C701AAC85C4D}" = VAIO Entertainment Platform
"{DD8408E9-9421-484F-979D-DB6361E3E828}" = Dawn Of War - Winter Assault
"{DDC146FA-73E0-4FA1-A353-841EA14BF600}" = Drag'n Drop CD+DVD
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E65CA2A8-1F2A-4400-AE55-FFD43D3B6980}" = c4200_Help
"{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}" = VAIO Help and Support
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FE0C305A-37EE-4499-B4CF-0182E37B20C4}" = PS_AIO_ProductContext
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"{FF39FC01-819B-42E4-AE49-1968AF12DDD4}" = Dawn of War - Dark Crusade
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"AIM_6" = AIM 6
"All ATI Software" = ATI - Software Uninstall Utility
"AnyDVD" = AnyDVD
"AOL Instant Messenger" = AOL Instant Messenger
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CobBackup8" = Cobian Backup 8
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2007-07-22
"DFO" = DFOLauncher
"Diablo II" = Diablo II
"Driver Genius Professional Edition 2007_is1" = Driver Genius Professional Edition 2007
"Fallout 2 Restoration Project_is1" = FO2 Restoration Project 2.1.2b
"Fallout 2 Unofficial Patch_is1" = Fallout 2 Unofficial Patch 1.02.27.3
"Fallout2" = Fallout2
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"InstallShield_{362D5167-9716-44BE-89FD-BF9EB6EF814B}" = DawnOfWar
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"InstallShield_{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}" = VAIO Help and Support
"InstallShield_{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"Lexmark X83" = Lexmark X83
"Mabinogi" = Mabinogi
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MapleStory" = MapleStory
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Miro" = Miro
"Mozilla Firefox (3.5.16)" = Mozilla Firefox (3.5.16)
"MSN Music Assistant" = MSN Music Assistant
"MSN Toolbar" = MSN Toolbar
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NavNet_is1" = NavNet
"Netscape (7.02)" = Netscape (7.02)
"Netscape Online Setup" = Netscape Internet Service Setup
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OpenMG HotFix3.4-03-12-16-01" = OpenMG Limited Patch 3.4-03-12-16-01
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20
"Starsiege TRIBES" = Starsiege TRIBES 1.8
"System Tool2011" = System Tool2011
"SystemRequirementsLab" = System Requirements Lab
"Tribes 2" = Tribes 2
"Tyranid_Mod_v04" = Dawn of War - Tyranid Mod v0.45DC
"VLC media player" = VideoLAN VLC media player 0.8.6c
"Welcome to VAIO life" = Welcome to VAIO life
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/1/2010 8:53:36 AM | Computer Name = ELLENS | Source = Google Update | ID = 20
Description =

Error - 9/1/2010 9:53:36 AM | Computer Name = ELLENS | Source = Google Update | ID = 20
Description =

Error - 9/11/2010 12:33:43 PM | Computer Name = ELLENS | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/11/2010 12:33:43 PM | Computer Name = ELLENS | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/6/2010 10:53:36 AM | Computer Name = ELLENS | Source = Google Update | ID = 20
Description =

Error - 10/6/2010 11:53:37 AM | Computer Name = ELLENS | Source = Google Update | ID = 20
Description =

Error - 12/21/2010 7:19:35 PM | Computer Name = ELLENS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 12/21/2010 7:19:45 PM | Computer Name = ELLENS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 12/21/2010 7:19:52 PM | Computer Name = ELLENS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 12/21/2010 7:28:47 PM | Computer Name = ELLENS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

[ Application Events ]
Error - 9/1/2010 8:53:36 AM | Computer Name = ELLENS | Source = Google Update | ID = 20
Description =

Error - 9/1/2010 9:53:36 AM | Computer Name = ELLENS | Source = Google Update | ID = 20
Description =

Error - 9/11/2010 12:33:43 PM | Computer Name = ELLENS | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/11/2010 12:33:43 PM | Computer Name = ELLENS | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/6/2010 10:53:36 AM | Computer Name = ELLENS | Source = Google Update | ID = 20
Description =

Error - 10/6/2010 11:53:37 AM | Computer Name = ELLENS | Source = Google Update | ID = 20
Description =

Error - 12/21/2010 7:19:35 PM | Computer Name = ELLENS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 12/21/2010 7:19:45 PM | Computer Name = ELLENS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 12/21/2010 7:19:52 PM | Computer Name = ELLENS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 12/21/2010 7:28:47 PM | Computer Name = ELLENS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

[ System Events ]
Error - 12/21/2010 7:57:15 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Fax service to connect.

Error - 12/21/2010 7:57:15 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7000
Description = The Fax service failed to start due to the following error: %%1053

Error - 12/21/2010 7:57:16 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Fax service to connect.

Error - 12/21/2010 7:57:16 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7000
Description = The Fax service failed to start due to the following error: %%1053

Error - 12/21/2010 7:58:14 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Apple Mobile Device service
to connect.

Error - 12/21/2010 7:58:14 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7000
Description = The Apple Mobile Device service failed to start due to the following
error: %%1053

Error - 12/21/2010 8:27:01 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7000
Description = The Genesys Logic USB Scanner Controller NT 5.0 service failed to
start due to the following error: %%2

Error - 12/21/2010 8:27:01 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 12/21/2010 8:27:24 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 12/21/2010 8:27:43 PM | Computer Name = ELLENS | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).

< End of report >

Re: System TOols 2011 hijacked my PC22nd December 2010, 12:56 am

SOrry it was far too large and i can't attach it apparently

Re: System TOols 2011 hijacked my PC22nd December 2010, 12:57 am

Please post the main OTL.txt as well.

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:00 am

I can't it won't let me. I try to upload it and it gives me an error I try to post it and it says too large.

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:02 am

Can you attach the log?

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:04 am

I tried it gives me an error. But it's not on my end, because I can attach it to other forums too.

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:08 am

Now Hnl.exe is using up 60% of my CPU...its coming back.

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:15 am

Okay please upload the log at www.mediafire.com and post the share URL.

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:17 am

http://www.mediafire.com/?3lyvv34tktyfv4m

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:22 am

Hello.

Please run OTL.exe.

Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKCU..\Run: [JP595IR86O] C:\Documents and Settings\gap\Local Settings\temp\Hnl.exe ()
O4 - HKCU..\Run: [YRUvoXXeDU.exe] C:\Documents and Settings\All Users\Application Data\YRUvoXXeDU.exe File not found
[2010/12/21 18:28:25 | 000,000,274 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/12/21 18:27:35 | 000,000,242 | -H-- | M] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
Click the red Run Fix button.
A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:26 am

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\JP595IR86O deleted successfully.
C:\Documents and Settings\gap\Local Settings\temp\Hnl.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\YRUvoXXeDU.exe deleted successfully.
C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job moved successfully.
C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job moved successfully.

OTL by OldTimer - Version 3.2.18.0 log created on 12212010_192509

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:29 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:30 am

I already have MBam installed but I have stuff in Quarantine from years ago. Is it safe to unstall and reinstall

Re: System TOols 2011 hijacked my PC22nd December 2010, 1:30 am

Also, Hpodia.exe appeared

Re: System TOols 2011 hijacked my PC23rd December 2010, 12:17 am

Okay.
Please install the newest version of MBAM anyway.

Re: System TOols 2011 hijacked my PC23rd December 2010, 4:45 pm

Is this normal whenever I do a google search it redirects me back to googls homepage

Re: System TOols 2011 hijacked my PC23rd December 2010, 8:39 pm

Hello.

Download combofix from here
Link 1
Link 2

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
We need to disable your local AV (Anti-virus) before running Combofix.
See HERE for how to disable your AV.
Double click on ComboFix.exe.
Follow the prompts. NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: System TOols 2011 hijacked my PC23rd December 2010, 11:52 pm

Sorry if im late with the replies.

Do you want me to go ahead with the mbam scan or just not do it?

Okay heres the deal, whenever O open IE i get a pop up from my anti virus about sshnas21 from ssytem 32 trying to access my PC

How badly am I infected now? I want to believe it's not so bad since my PC is useable.

Re: System TOols 2011 hijacked my PC24th December 2010, 2:57 pm

ALso, my antivirus isn't starting.

EDIT: it turned on again -__-.

Go on ahead with Combofix?

Re: System TOols 2011 hijacked my PC24th December 2010, 11:42 pm

Do the Combofix scan please.

Re: System TOols 2011 hijacked my PC26th December 2010, 2:55 pm

I can't disable my antivirus...

I clicked on the AntiVir and disabled it and made sure but ComboFix is still saying it's active

Re: System TOols 2011 hijacked my PC26th December 2010, 9:58 pm

Also, to open any browser I have to disable my antivirus. yet in my task manager I still see it's processes running and i can't end them because it says access denied. I also have 2 rundll32.exes running, which is odd since I've never had them running in my task list before (i know what they are and they are vital to my PC).

Re: System TOols 2011 hijacked my PC27th December 2010, 9:35 pm

Hello.

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Run Combofix now please.

Re: System TOols 2011 hijacked my PC28th December 2010, 7:02 pm

i did the combofix in safe mode and it still said AntiVir was still running yet I didnt see it in the task list. SHould i just ignore it and go ahead with combofix?

Re: System TOols 2011 hijacked my PC28th December 2010, 10:22 pm

Yes please.

Re: System TOols 2011 hijacked my PC29th December 2010, 4:58 pm

When I loged in I got an error that rundll32-
c:\windows\sgavd32.dll encountered an error

Then hpodia.exe popped up from my anti virus and I sent it to quarintine

ComboFix 10-12-25.03 - gap 12/29/2010 9:40.11.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.795 [GMT -6:00]
Running from: c:\documents and settings\gap\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\gap\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\gap\Application Data\Adobe\plugs
c:\documents and settings\gap\Application Data\Adobe\plugs\KB835915468.exe
c:\documents and settings\gap\Application Data\Adobe\plugs\KB835955750.exe
c:\documents and settings\gap\Start Menu\Programs\System Tool
c:\windows\sgavd32.dll
c:\windows\system32\Oeminfo.ini
c:\windows\system32\sshnas21.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))
.

2010-12-22 01:25 . 2010-12-22 01:25 -------- d-----w- C:\_OTL
2010-12-22 00:06 . 2010-12-22 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\New Folder
2010-12-21 23:16 . 2010-12-21 23:16 126464 --sha-r- c:\windows\system32\netui2B.dll
2010-12-21 23:16 . 2010-12-21 23:16 215040 ----a-w- c:\windows\Hpodia.exe
2010-12-20 00:53 . 2010-12-20 00:57 159867409 ----a-w- C:\F2_Restoration_Project_2.1.2b.exe
2010-12-20 00:48 . 2010-12-20 00:48 8140792 ----a-w- C:\unofficialFO2patch.exe
2010-12-18 01:28 . 2010-12-18 01:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-12-18 01:28 . 2010-12-18 01:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-12-18 01:28 . 2010-12-18 01:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-12-12 02:10 . 2010-12-12 02:10 -------- d-----w- c:\program files\iPod
2010-12-12 02:10 . 2010-12-12 02:11 -------- d-----w- c:\program files\iTunes
2010-12-12 02:10 . 2010-12-12 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-12 02:07 . 2010-12-12 02:07 -------- d-----w- c:\program files\Apple Software Update
2010-12-12 02:04 . 2010-12-12 02:04 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 18:23 . 2010-10-07 18:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23 . 2010-10-07 18:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23 . 2010-10-07 18:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23 . 2010-10-07 18:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-20 05:34 . 2010-02-20 05:09 576000 ----a-w- c:\program files\ISSetup.dll
2010-02-20 05:33 . 2010-02-20 05:09 473 ----a-w- c:\program files\layout.bin
2001-06-20 21:19 . 2001-06-19 21:34 40960 ----a-w- c:\program files\ACMonitor_X83.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-25 2937528]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-01 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remocon Driver.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Remocon Driver.lnk
backup=c:\windows\pss\Remocon Driver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Timer Recording Manager.lnk
backup=c:\windows\pss\Timer Recording Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^gap^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\gap\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2003-05-23 18:43 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 20:08 67160 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-31 19:22 50480 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-05-13 02:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2002-08-20 18:29 40960 ----a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-05-19 18:42 133104 ----atw- c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-07 07:19 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 02:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
2001-06-14 17:42 53248 ----a-w- c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
2001-10-18 15:25 40960 ----a-w- c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2002-06-27 08:47 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-09-01 02:44 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 05:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2004-01-17 11:36 135168 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Sony TV Tuner Manager"=3 (0x3)
"Sony TV Tuner Controller"=3 (0x3)
"Giga Pocket Hardware Detector"=2 (0x2)
"SymWSC"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"iPodService"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"VAIOMediaPlatform-VideoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-IntegratedServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-IntegratedServer-AppServer"=2 (0x2)
"VAIO Entertainment UPnP Client Adapter"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"VAIO Entertainment File Import Service"=2 (0x2)
"VAIO Entertainment Aggregation and Control Service"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Unreal Tournament 2004\\System\\UT2004.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\gap\\Desktop\\postal2\\Postal2STP\\System\\Postal2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Nexon\\DFO\\DFO.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer The First Decade\\Command & Conquer(tm) Tiberian Sun(tm)\\SUN\\Game.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56476:TCP"= 56476:TCP:Pando Media Booster
"56476:UDP"= 56476:UDP:Pando Media Booster
"56980:TCP"= 56980:TCP:Pando Media Booster
"56980:UDP"= 56980:UDP:Pando Media Booster
"57917:TCP"= 57917:TCP:Pando Media Booster
"57917:UDP"= 57917:UDP:Pando Media Booster
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/15/2009 3:34 PM 108289]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [10/28/2004 8:45 AM 15104]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/31/2010 8:44 PM 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\gap\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\gap\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [6/26/2004 7:19 PM 86098]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 02:44]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 02:44]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2185701209-1548109994-1205914860-1005Core.job
- c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 18:42]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2185701209-1548109994-1205914860-1005UA.job
- c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 18:42]

2004-07-25 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-03-31 07:56]

2010-12-28 c:\windows\Tasks\WebReg Photosmart C4200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = ;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
FF - ProfilePath - c:\documents and settings\gap\Application Data\Mozilla\Firefox\Profiles\tiz06pr6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/boards/index.php
FF - Ext: Text-to-Image: {f701c26a-479a-4724-b4f1-870db12f063c} - %profile%\extensions\{f701c26a-479a-4724-b4f1-870db12f063c}
FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
FF - Ext: GameFOX: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1} - %profile%\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Vista on XP: {07b2a769-ed19-4483-87ce-c643914c81b1} - %profile%\extensions\{07b2a769-ed19-4483-87ce-c643914c81b1}
FF - Ext: Remove It Permanently: {1dbc4a33-ea62-4330-966c-7bdad3455322} - %profile%\extensions\{1dbc4a33-ea62-4330-966c-7bdad3455322}
FF - Ext: HideTab: {B347DFB4-AC21-11DD-9016-B77D55D89593} - %profile%\extensions\{B347DFB4-AC21-11DD-9016-B77D55D89593}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firefox 2, the theme, reloaded: {fd2f951f-77ea-4938-9493-0c892c027a13} - %profile%\extensions\{fd2f951f-77ea-4938-9493-0c892c027a13}
FF - Ext: Firefox 2.0 Classic: {f74dbf52-80a6-4cb7-84e3-2e506dc4c1f0} - %profile%\extensions\{f74dbf52-80a6-4cb7-84e3-2e506dc4c1f0}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\gap\Application Data\Move Networks
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Rsaqifohahur - c:\windows\sgavd32.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-29 10:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3132)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\UAService.exe
c:\windows\system32\UAService7.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\fxssvc.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-12-29 10:54:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-29 16:54
ComboFix2.txt 2010-07-23 19:46
ComboFix3.txt 2009-09-04 23:24

Pre-Run: 19,745,796,096 bytes free
Post-Run: 20,317,396,992 bytes free

- - End Of File - - B133C38C0B4E51568781BC38CA38AB00

Re: System TOols 2011 hijacked my PC29th December 2010, 5:04 pm

I'm still being redirected on google. The site I see in my blocked list is oeogitahgnnr.com but when I go there nothing happens. It only does this on firefox no other browser.

Re: System TOols 2011 hijacked my PC30th December 2010, 1:27 am

Hello.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Code:
File:: c:\windows\system32\netui2B.dll c:\windows\Hpodia.exe DDS:: uInternet Settings,ProxyServer = http=127.0.0.1:5643 uInternet Settings,ProxyOverride = ;*.local
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

Re: System TOols 2011 hijacked my PC30th December 2010, 1:29 am

Hey i still can't fully disable my AntiVir. Can i just ignore it and go ahead with the scan?

Re: System TOols 2011 hijacked my PC3rd January 2011, 4:47 pm

Sorry for the late reply I've been busy lately.

ComboFix 11-01-02.04 - gap 01/03/2011 10:01:18.12.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.676 [GMT -6:00]
Running from: c:\documents and settings\gap\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gap\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\Hpodia.exe"
"c:\windows\system32\netui2B.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\netui2B.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2010-12-22 01:25 . 2010-12-22 01:25 -------- d-----w- C:\_OTL
2010-12-22 00:06 . 2010-12-22 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\New Folder
2010-12-20 00:53 . 2010-12-20 00:57 159867409 ----a-w- C:\F2_Restoration_Project_2.1.2b.exe
2010-12-20 00:48 . 2010-12-20 00:48 8140792 ----a-w- C:\unofficialFO2patch.exe
2010-12-18 01:28 . 2010-12-18 01:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-12-18 01:28 . 2010-12-18 01:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-12-18 01:28 . 2010-12-18 01:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-12-12 02:10 . 2010-12-12 02:10 -------- d-----w- c:\program files\iPod
2010-12-12 02:10 . 2010-12-12 02:11 -------- d-----w- c:\program files\iTunes
2010-12-12 02:10 . 2010-12-12 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-12 02:07 . 2010-12-12 02:07 -------- d-----w- c:\program files\Apple Software Update
2010-12-12 02:04 . 2010-12-12 02:04 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 18:23 . 2010-10-07 18:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23 . 2010-10-07 18:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23 . 2010-10-07 18:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23 . 2010-10-07 18:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-20 05:34 . 2010-02-20 05:09 576000 ----a-w- c:\program files\ISSetup.dll
2010-02-20 05:33 . 2010-02-20 05:09 473 ----a-w- c:\program files\layout.bin
2001-06-20 21:19 . 2001-06-19 21:34 40960 ----a-w- c:\program files\ACMonitor_X83.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-25 2937528]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-01 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remocon Driver.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Remocon Driver.lnk
backup=c:\windows\pss\Remocon Driver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Timer Recording Manager.lnk
backup=c:\windows\pss\Timer Recording Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^gap^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\gap\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2003-05-23 18:43 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 20:08 67160 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-31 19:22 50480 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-05-13 02:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2002-08-20 18:29 40960 ----a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-05-19 18:42 133104 ----atw- c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-07 07:19 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 02:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
2001-06-14 17:42 53248 ----a-w- c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
2001-10-18 15:25 40960 ----a-w- c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2002-06-27 08:47 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-09-01 02:44 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 05:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2004-01-17 11:36 135168 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Sony TV Tuner Manager"=3 (0x3)
"Sony TV Tuner Controller"=3 (0x3)
"Giga Pocket Hardware Detector"=2 (0x2)
"SymWSC"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"iPodService"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"VAIOMediaPlatform-VideoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-IntegratedServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-IntegratedServer-AppServer"=2 (0x2)
"VAIO Entertainment UPnP Client Adapter"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"VAIO Entertainment File Import Service"=2 (0x2)
"VAIO Entertainment Aggregation and Control Service"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Unreal Tournament 2004\\System\\UT2004.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\gap\\Desktop\\postal2\\Postal2STP\\System\\Postal2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Nexon\\DFO\\DFO.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer The First Decade\\Command & Conquer(tm) Tiberian Sun(tm)\\SUN\\Game.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56476:TCP"= 56476:TCP:Pando Media Booster
"56476:UDP"= 56476:UDP:Pando Media Booster
"56980:TCP"= 56980:TCP:Pando Media Booster
"56980:UDP"= 56980:UDP:Pando Media Booster
"57917:TCP"= 57917:TCP:Pando Media Booster
"57917:UDP"= 57917:UDP:Pando Media Booster
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/15/2009 3:34 PM 108289]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [10/28/2004 8:45 AM 15104]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/31/2010 8:44 PM 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\gap\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\gap\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [6/26/2004 7:19 PM 86098]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2011-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 02:44]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 02:44]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2185701209-1548109994-1205914860-1005Core.job
- c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 18:42]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2185701209-1548109994-1205914860-1005UA.job
- c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 18:42]

2004-07-25 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-03-31 07:56]

2011-01-02 c:\windows\Tasks\WebReg Photosmart C4200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
FF - ProfilePath - c:\documents and settings\gap\Application Data\Mozilla\Firefox\Profiles\tiz06pr6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/boards/index.php
FF - Ext: Text-to-Image: {f701c26a-479a-4724-b4f1-870db12f063c} - %profile%\extensions\{f701c26a-479a-4724-b4f1-870db12f063c}
FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
FF - Ext: GameFOX: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1} - %profile%\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Vista on XP: {07b2a769-ed19-4483-87ce-c643914c81b1} - %profile%\extensions\{07b2a769-ed19-4483-87ce-c643914c81b1}
FF - Ext: Remove It Permanently: {1dbc4a33-ea62-4330-966c-7bdad3455322} - %profile%\extensions\{1dbc4a33-ea62-4330-966c-7bdad3455322}
FF - Ext: HideTab: {B347DFB4-AC21-11DD-9016-B77D55D89593} - %profile%\extensions\{B347DFB4-AC21-11DD-9016-B77D55D89593}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Firefox 2, the theme, reloaded: {fd2f951f-77ea-4938-9493-0c892c027a13} - %profile%\extensions\{fd2f951f-77ea-4938-9493-0c892c027a13}
FF - Ext: Firefox 2.0 Classic: {f74dbf52-80a6-4cb7-84e3-2e506dc4c1f0} - %profile%\extensions\{f74dbf52-80a6-4cb7-84e3-2e506dc4c1f0}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\gap\Application Data\Move Networks
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 10:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-01-03 10:44:49
ComboFix-quarantined-files.txt 2011-01-03 16:44
ComboFix2.txt 2010-12-29 16:54
ComboFix3.txt 2010-07-23 19:46
ComboFix4.txt 2009-09-04 23:24

Pre-Run: 19,615,305,728 bytes free
Post-Run: 19,761,963,008 bytes free

- - End Of File - - CA383C788895BCC5A5F333DA3932FD53

Re: System TOols 2011 hijacked my PC4th January 2011, 1:24 am

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX. click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Check (tick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

Re: System TOols 2011 hijacked my PC6th January 2011, 2:30 am

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=b072baad2ad8f248895a58a597658207
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-06 02:28:25
# local_time=2011-01-05 08:28:25 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 53051754 53051754 0 0
# compatibility_mode=768 16777215 100 0 117606332 117606332 0 0
# compatibility_mode=1026 16777214 0 2 56999821 56999821 0 0
# compatibility_mode=1797 16775125 100 100 0 68219282 11456 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=169197
# found=6
# cleaned=6
# scan_time=7789
C:\Documents and Settings\gap\Desktop\Portable SuprerantiS P3.9.0.1008\SUPERAntiSpyware.exe probably a variant of Win32/IRCBot.LHPUSJR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\gap\Desktop\Portable SuprerantiS P3.9.0.1008\Portable SuprerantiS P3.9.0.1008\SUPERAntiSpyware.exe probably a variant of Win32/IRCBot.LHPUSJR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\gap\Desktop\Portable SuprerantiS P3.9.0.1008\Portable SuprerantiS P3.9.0.1008\Thinstall\SUPERAntiSpyware Professional\4000002800002i\SSUPDATE.EXE probably a variant of Win32/IRCBot.NVFXZZI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\gap\Desktop\Portable SuprerantiS P3.9.0.1008\Thinstall\SUPERAntiSpyware Professional\4000002800002i\SSUPDATE.EXE probably a variant of Win32/IRCBot.NVFXZZI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\gap\Desktop\tools\b2\backup-20090908-110929-501.dll Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Driver-Soft\DriverGenius\NvDriverTweak.exe probably a variant of Win32/TrojanDownloader.Adload.KXYLVMS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: System TOols 2011 hijacked my PC7th January 2011, 12:02 am

Hello.

Please download CKScanner by askey127 from here
Save it to your desktop.

Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify that the file is saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Re: System TOols 2011 hijacked my PC7th January 2011, 12:51 am

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\gap\application data\macromedia\flash player\#sharedobjects\wj8ds34h\crackle.com\cracklesettings.sol
c:\documents and settings\gap\application data\macromedia\flash player\#sharedobjects\wj8ds34h\widgets.cracked.com\clearspring.sol
c:\documents and settings\gap\application data\macromedia\flash player\macromedia.com\support\flashplayer\sys\#crackle.com\settings.sol
c:\documents and settings\gap\application data\macromedia\flash player\macromedia.com\support\flashplayer\sys\#widgets.cracked.com\settings.sol
c:\documents and settings\gap\application data\utorrent\age of empires 3 full dvd +crack + serial.iso.torrent
c:\documents and settings\gap\favorites\crackdown - stunt locations - msxbox-world forums.url
c:\documents and settings\gap\my documents\downloads\age of empires 3 full dvd +crack + serial.iso
c:\documents and settings\gap\my documents\my videos\miro\torment\extras\no cd-crack\pstcrack2cd.zip
scanner sequence 3.CE.11
----- EOF -----

Re: System TOols 2011 hijacked my PC7th January 2011, 10:46 pm

Hello.
I see in logs several signs of crack/keygens, these are dangerous, please remove them.

How is the machine running now?

Re: System TOols 2011 hijacked my PC7th January 2011, 11:00 pm

Oh those were stuff I used years ago. I had thought i deleted them.

It's running normally now.

Re: System TOols 2011 hijacked my PC8th January 2011, 11:05 pm

Download Security Check by screen317 and save it to your Desktop.

Unzip SecurityCheck.zip and a folder named Security Check should appear.
Open the Security Check folder and double-click Security Check.bat
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.

Re: System TOols 2011 hijacked my PC9th January 2011, 1:36 am

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
Out of date Spybot installed!
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java DB 10.5.3.0
Java(TM) 6 Update 20
Java(TM) SE Development Kit 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.0.32.18
Adobe Reader 9.3.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.16) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````

Re: System TOols 2011 hijacked my PC9th January 2011, 11:27 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

Updating Java:

Download the latest version of Java SE Runtime Environment (JRE) 6 Update 23.
Click the "Download JRE" button to the right.
In the Window that opens, select your platform, check the "agree" box, and click Continue.
Click on the link to download Windows Offline Installation and save to your desktop.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on jre-6u23-windows-i586.exe that you downloaded to install the newest version.

Then download and install Adobe Reader X

Download and install VLC Player 1.1.5
When installing, it will ask if you want to uninstall the old version first before it can install the new version, so please select yes and allow it to install.

How is the machine running now?

Re: System TOols 2011 hijacked my PC10th January 2011, 1:33 am

It's running normally. Ugh it installed Mcafee

Re: System TOols 2011 hijacked my PC11th January 2011, 12:27 am

You can uninstall the security scan plus if you want through add/remove programs.

Re: System TOols 2011 hijacked my PC11th January 2011, 1:36 pm

Yeah I did.

Re: System TOols 2011 hijacked my PC11th January 2011, 11:05 pm

Okay, you should be good to go.

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

SpywareBlaster
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
Spybot - Search & Destroy.
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Firefox may be downloaded from here: http://www.getfirefox.com
Opera is available here: http://www.opera.com/download/
Google Chrome is available here: Google Chrome
SRWare Iron is available here: SRWare Iron

Thank you for choosing GeekPolice. Please leave feedback!

Re: System TOols 2011 hijacked my PC12th January 2011, 1:37 am

Thanks fer helpin

System TOols 2011 hijacked my PC

descriptionSystem TOols 2011 hijacked my PC22nd December 2010, 12:24 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 12:46 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 12:53 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 12:56 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 12:57 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:00 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:02 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:04 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:08 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:15 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:17 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:22 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:26 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:29 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:30 am

descriptionRe: System TOols 2011 hijacked my PC22nd December 2010, 1:30 am

descriptionRe: System TOols 2011 hijacked my PC23rd December 2010, 12:17 am

descriptionRe: System TOols 2011 hijacked my PC23rd December 2010, 4:45 pm

descriptionRe: System TOols 2011 hijacked my PC23rd December 2010, 8:39 pm

descriptionRe: System TOols 2011 hijacked my PC23rd December 2010, 11:52 pm

descriptionRe: System TOols 2011 hijacked my PC24th December 2010, 2:57 pm

descriptionRe: System TOols 2011 hijacked my PC24th December 2010, 11:42 pm

descriptionRe: System TOols 2011 hijacked my PC26th December 2010, 2:55 pm

descriptionRe: System TOols 2011 hijacked my PC26th December 2010, 9:58 pm

descriptionRe: System TOols 2011 hijacked my PC27th December 2010, 9:35 pm

descriptionRe: System TOols 2011 hijacked my PC28th December 2010, 7:02 pm

descriptionRe: System TOols 2011 hijacked my PC28th December 2010, 10:22 pm

descriptionRe: System TOols 2011 hijacked my PC29th December 2010, 4:58 pm

descriptionRe: System TOols 2011 hijacked my PC29th December 2010, 5:04 pm

descriptionRe: System TOols 2011 hijacked my PC30th December 2010, 1:27 am

descriptionRe: System TOols 2011 hijacked my PC30th December 2010, 1:29 am

descriptionRe: System TOols 2011 hijacked my PC3rd January 2011, 4:47 pm

descriptionRe: System TOols 2011 hijacked my PC4th January 2011, 1:24 am

descriptionRe: System TOols 2011 hijacked my PC6th January 2011, 2:30 am

descriptionRe: System TOols 2011 hijacked my PC7th January 2011, 12:02 am

descriptionRe: System TOols 2011 hijacked my PC7th January 2011, 12:51 am

descriptionRe: System TOols 2011 hijacked my PC7th January 2011, 10:46 pm

descriptionRe: System TOols 2011 hijacked my PC7th January 2011, 11:00 pm

descriptionRe: System TOols 2011 hijacked my PC8th January 2011, 11:05 pm

descriptionRe: System TOols 2011 hijacked my PC9th January 2011, 1:36 am

descriptionRe: System TOols 2011 hijacked my PC9th January 2011, 11:27 pm

descriptionRe: System TOols 2011 hijacked my PC10th January 2011, 1:33 am

descriptionRe: System TOols 2011 hijacked my PC11th January 2011, 12:27 am

descriptionRe: System TOols 2011 hijacked my PC11th January 2011, 1:36 pm

descriptionRe: System TOols 2011 hijacked my PC11th January 2011, 11:05 pm

descriptionRe: System TOols 2011 hijacked my PC12th January 2011, 1:37 am

descriptionRe: System TOols 2011 hijacked my PC