Solved Odd Google redirect and Avast shields being disabled


1010101
Hello.

Tried everything I know but I'm stuck.

Yesterday, I started noticing odd behavior on Google. Any time that I would try to type anything into the search bar, I would get a few characters typed and then the page would refresh itself. I'd try to type again and get the same result. Hitting spacebar seemed to make the refresh come sooner, but that might just be me seeing something that isn't really there. If I would type quickly and hit the search button, I would be redirected back to Google with some extra stuff appended onto the address. Here are five examples I copied and pasted so you could see what I'm talking about:

hxxp://www.google.com/webhp?emsg=NCSR&ei=vE9BTIzWLIPcefa_3bMN
hxxp://www.google.com/webhp?emsg=NCSR&ei=xE9BTIa8B5fCePuRwK0N
hxxp://www.google.com/webhp?emsg=NCSR&ei=0U9BTN2eNofEeJT25MUN
hxxp://www.google.com/webhp?emsg=NCSR&ei=309BTJW7KZD0eNCthbsN
hxxp://www.google.com/webhp?emsg=NCSR&ei=809BTKfYL4eMeLmC9cQN

While I was assessing what the heck might be going on, I suddenly noticed that two of Avast's "shields" were disabled (the web shield and the mail shield). I reactivated them but one reboot later and they were disabled again. This happened multiple times, though they seem to be staying on now...

Also about that time, I noticed that my recycle bin icon was not refreshing back to the "empty" icon when I'd empty it unless I hit F5. I'll admit, this might not be related, but I thought I should mention it. Might as well mention, too, that the first time I tried submitting this thread, the system locked up to the point where I had to reset it, which hasn't happened before.

The logs requested by the eight steps are attached to this message.

I can't express how grateful I am that there are kind people that so graciously give their time and effort to help out people like me. Thank you in advance!

NOTE from Bobbye: I have edited the URLs so they are not valid hyperlinks. It's okay to leave examples, but when it isn't known whether they have malware, the URL should not be typed in as a link.
 

Attachments

  • Attach.txt (12.8 KB)
  • DDS.txt (17.9 KB)
  • gmer.log (37.7 KB)
  • mbam-log-2010-07-17 (02-41-15).txt (893 bytes)
I have edited the URLs you left so that they are not valid links.
I notice you have the program UnHackMe. This is an Anti Rootkit Software program. It is not advisable to run this type of program without the guidance or recommendation of your helper.

I also notice Combofix running, installed on the same date, 7/17, which is also the date of the log. Please disable UnHackMe and any other similar programs while I am helping you.

Since you already have Combofix::
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Close any open browsers.
  3. Double click combofix.exe & follow the prompts to run.
  4. NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
  7. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  8. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
=================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I may have you uninstall Combofix, then reinstall it depending on what I see.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
I had already uninstalled UnHackMe prior to making the 8 step logs. Do current logs show it is still active in some way? I saw remnants of it during these next two scans, though I suppose those were just files left over? The requested logs are attached. Thank you.
 

Attachments

  • log.txt (1.3 KB)
  • ComboFix.txt (28.2 KB)
DDS (Ver_10-03-17.01) - NTFSx86
Run by 1010101 at 3:08:56.42 on Sat 07/17/2010
Section: Created Last 30
2010-07-17 04:55:32 0 d-----w- c:\program files\UnHackMe201
-------------------------------------
ComboFix 10-07-16.01 - 1010101 07/17/2010 14:16:04.2.2 - x86
Files Created from 2010-06-17 to 2010-07-17
2010-07-17 04:55 . 2010-07-17 06:25 -------- d-----w- c:\program files\UnHackMe

Don't shoot me! Can only go by what I see. I can remove this entry in the script I write for you.

You can go ahead and run this for the entries found in Eset:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files 
    C:\Documents and Settings\1010101\Application Data\Thunderbird\Profiles\fq234dqj.default\Mail\Local Folders\Inbox	
    C:\Documents and Settings\1010101\Application Data\Thunderbird\Profiles\fq234dqj.default\Mail\Local Folders\Sent		
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

It looks like you may have opened an attachment that came in your email. It was infected by the HTML/TrojanClicker.IFrame.NAG trojan.
Then your Sent box has multiple threats in it.

I advise you to look into how you can delete both your Inbox and Sent box. I know it can be done in OE, but am not familiar with how in Thunderbird. Check the support site. If it's like OE, all of the mail in the box will be removed when you delete a store box. So be sure you deal with any incoming mail first. Stay away from any attachments and limit your sending until the mail boxes are clean.

The other entries, in System Volume, are in the restore points which I will have you drop at the end of cleaning. They are not active in the system. Do not attempt to do a system restore, however, until I have had you remove them.

Will review Combofix in a bit.
 
I'd like you to run HijackThis and paste the log in your next reply:

Choose v2.0.4

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I note that you did some serious game downloading especially on 7/8 and 7/11/2010. Can you relate any of the current problems to shortly after that? Games themselves can be legitimate, but sometimes either the sites where you play or where you got the downloads can have malicious content.

It's very important that you paste the HJT log in your post. That way, I can search directly from my browser and not have to do copy and paste which is taking me too long.

It is also important that you don't add anything new as it will change the logs.
 
OTMoveIt log:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\1010101\Application Data\Thunderbird\Profiles\fq234dqj.default\Mail\Local Folders\Inbox moved successfully.
C:\Documents and Settings\1010101\Application Data\Thunderbird\Profiles\fq234dqj.default\Mail\Local Folders\Sent moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: 1010101
->Temp folder emptied: 205048 bytes
->Temporary Internet Files folder emptied: 693161 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 97474078 bytes
->Flash cache emptied: 4120 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 94.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 07192010_194755

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:57:03 PM, on 7/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1271216732546
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5863 bytes

Regarding the 7/08 and 7/11 stuff, I don't think I had any issues back then. Now, the one installed on 7/8 was done by my brother while he was here visiting, so I can't say for certain that it was clean, but the 7/11 one is an MMO I resubscribed to (Age of Conan) and came directly from the company's servers (they let you download it to encourage you to come back and it was far easier than digging through the garage for the discs :p). I know that I'd been doing Google searches for the MMO, though, after I started playing again, and that would be after the 7/08 one, and I didn't have any problems. The first time I noticed a problem was the day before my first post. I can't promise no problem existed before then, of course.

As far as email goes, I don't tend to open attachments at all in emails. Don't think that I've opened an attachment in over a year, honestly.

Thanks so much for your help so far. Top notch and I greatly appreciate it.

Again, thank you. Means the world to me.

Oh, and might as well mention that the redirect is still happening, but I would suppose we haven't gotten that far yet :)
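The helper reads the HijackThis log above by section (the R0/R1 start-page entries, the O2 BHOs, the O4 autoruns, the O20 AppInit_DLLs entry, the O23 services) and replies that it is fine. The script below is an added example for this thread, not code from the thread, from HijackThis or from its authors: it parses HJT v2 entry lines, counts them per section, and lists the entries a reviewer normally reads first. The choice of O4/O20/O23 as the watched sections and the "Unknown owner" rule are assumed triage heuristics, not a verdict on any entry; the sample lines are copied from the log posted above.

```python
"""Triage helper for a HijackThis (HJT) v2 log.

Added example for this thread, not code from the thread, HijackThis or its
helpers. Assumptions: HJT's usual section tags (R0/R1 = IE start/search
pages, O2 = BHOs, O4 = autoruns, O20 = AppInit_DLLs/Winlogon, O23 =
services); treating O4/O20/O23 and an 'Unknown owner' service as
review-worthy is a triage heuristic, not a verdict on any entry.
"""
import re
from collections import Counter

# One HJT entry line: section tag, " - ", then the entry body.
HJT_LINE = re.compile(r"^(?P<tag>[RO]\d{1,2}) - (?P<body>.+)$")

# Sections a reviewer reads first (assumed table; edit to taste).
WATCH_SECTIONS = {
    "O4": "autorun entry",
    "O20": "AppInit_DLLs or Winlogon notify entry",
    "O23": "service",
}

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:57:03 PM, on 7/19/2010
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
--
End of file - 5863 bytes
"""


def parse_hjt(text):
    """Return (tag, body) for every entry line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("tag"), m.group("body")))
    return entries


def section_counts(text):
    """How many entries each section contributes, e.g. {'O4': 2, 'O23': 2, ...}."""
    return dict(Counter(tag for tag, _ in parse_hjt(text)))


def triage(text):
    """Entries from the watched sections, each with a short reason string.

    An O23 service that HJT could not attribute to a publisher ('Unknown
    owner') gets an extra note; it is still only a prompt to verify the file,
    not a finding on its own.
    """
    findings = []
    for tag, body in parse_hjt(text):
        if tag not in WATCH_SECTIONS:
            continue
        reason = WATCH_SECTIONS[tag]
        if tag == "O23" and "Unknown owner" in body:
            reason += ", no publisher recorded"
        findings.append((tag, body, reason))
    return findings


if __name__ == "__main__":
    print("entries per section:", section_counts(SAMPLE))
    for tag, body, reason in triage(SAMPLE):
        print(f"{tag} ({reason})\n    {body}")
```

Running it prints the per-section counts and then the five O4/O20/O23 entries, with the MotoConnect service marked as having no publisher recorded. Everything it lists is a prompt to verify the file on disk (publisher, signature, location), which is the same order of review the helper applies by hand.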
 
I apologize if consecutive posts is frowned upon here, but I wanted to let you know that the OTMoveIt stuff did get my Thunderbird inbox and sent folders. I know you had mentioned you weren't sure about how to do it in Thunderbird.
 
If the program had been in Outlook Express, I would have removed entries in OTMoveIt and then recommended that both the Inbox and the Sent box be deleted. OE then builds a new store box. I did tell you that I don't know the procedure for Thunderbird and advised you to check their support.
 
All I was doing was letting you know. It just wiped the contents of both boxes. That's what you wanted, or as I understood it. Was just confirming that the OTMoveIt script did empty both (it did not delete the folders themselves, or rather I suppose Thunderbird just recreated empty versions of both upon starting and not finding them). No problem with that, I hope?

Thank you again.
 
An interesting turn of events, at least from my perspective. I rebooted again a few moments ago (well, actually shut down and restarted a few minutes later... had a fan making noise in the tower I wanted to check out) and now the redirect isn't happening.

OTMoveIt had me reboot, though, so I find it odd. Rebooted again just to see if the problem came back, and it didn't. Is it possible it was something hiding in the Firefox cache, perhaps, and OTMoveIt took care of it? Doesn't explain how it survived one reboot, though, but not a second. Then again, what do I know?

I won't consider the system clean until you declare it so, so no worries about me running off and going crazy.

Thanks so much for the help so far.
 
Good to know the store boxes for the email were handled. Saves you having to do it. About the reboots: I won't attempt to second guess that, but if you want to see if they had any significance, use the Event Viewer. You'll have to guess the time:

If you haven't used this feature before, know that the OS logs everything that happens. You'll see a lot of Information Events and that's all they are: telling you what the OS was doing at that time. You'll see Warnings which usually resolve and if they don't, you will see Errors. Since the Events are time-coded, it's a great diagnostic function:

Start> Run> type in eventvwr

Do this on each of the System and Application logs:

  1. Click to open the log>
  2. Look for the Error>
  3. Double click on the Error: you will see Event ID#, Source and Description.
  4. Click on Copy button, top right, if you want.
  5. Paste in Wordpad or Notepad (Ctrl V)

This is an FYI for you so you don't need to paste the Errors here.
Understand that OTM had you reboot because it was part of the removal process. It was a 'restart' or 'warm boot.' The CPU and peripherals are already powered up. When you rebooted again, since you shut down first, that was a 'cold boot' or 'hard boot'. This clears memory and many internal settings.

The HijackThis log is fine. Just a few moves in Combofix:

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\UnHackMe
c:\windows\iun507.exe

FileLook::
c:\windows\winstart.bat

Folder::

Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please include this log; there is one file I want to check.
====================
If this is clear and if the original problems have been resolved, I'll have you remove the cleaning tools and their logs.
 
Thanks so much! Here is the ComboFix log (ComboFix did ask to update, which I allowed it to do; hope that was okay).

Ugh. Log is too long to paste into the body; will break this into two posts:

ComboFix 10-07-20.01 - 1010101 07/21/2010 0:08.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1536.1156 [GMT -4:00]
Running from: c:\documents and settings\1010101\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\1010101\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\UnHackMe"
"c:\windows\iun507.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\iun507.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))
.

2010-07-19 23:56 . 2010-07-19 23:56 388096 ----a-r- c:\documents and settings\1010101\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-19 23:56 . 2010-07-19 23:56 -------- d-----w- c:\program files\Trend Micro
2010-07-19 23:47 . 2010-07-19 23:47 -------- d-----w- C:\_OTM
2010-07-19 11:47 . 2010-07-19 11:47 115120 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-18 05:04 . 2010-07-18 05:04 -------- d-----w- C:\Temp
2010-07-18 05:03 . 2010-07-18 05:06 -------- d-----w- c:\program files\Winnydows
2010-07-17 18:30 . 2010-07-17 18:30 -------- d-----w- c:\program files\ESET
2010-07-17 06:33 . 2010-07-17 06:33 -------- d-----w- c:\documents and settings\1010101\Application Data\Malwarebytes
2010-07-17 06:33 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 06:33 . 2010-07-17 06:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-17 06:33 . 2010-07-17 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-17 06:33 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-17 05:05 . 2010-07-17 05:05 2 --shatr- c:\windows\winstart.bat
2010-07-17 04:55 . 2010-07-17 06:25 -------- d-----w- c:\program files\UnHackMe
2010-07-17 04:21 . 2010-07-17 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-17 04:21 . 2010-07-17 06:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-17 04:16 . 2010-07-17 04:16 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\Sunbelt Software
2010-07-17 00:55 . 2010-07-17 00:55 -------- d-----w- c:\documents and settings\1010101\Application Data\TightVNC
2010-07-16 17:47 . 2010-07-16 17:47 -------- d-----w- c:\documents and settings\1010101\Application Data\Smith Micro
2010-07-16 17:46 . 2007-02-28 04:57 61440 ----a-w- c:\windows\system32\pthswmcp.dll
2010-07-16 17:46 . 2010-07-16 17:46 -------- d-----w- c:\program files\PANTECH
2010-07-16 17:45 . 2010-07-16 17:45 -------- d-----w- c:\program files\Common Files\VerizonWireless
2010-07-16 17:45 . 2007-02-26 10:46 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-07-16 17:45 . 2010-07-16 17:45 53248 ----a-r- c:\documents and settings\1010101\Application Data\Microsoft\Installer\{08DEC21F-F7E5-46F9-81D1-3ED30BD3AEC9}\ARPPRODUCTICON.exe
2010-07-16 17:45 . 2010-07-16 17:45 -------- d-----w- c:\program files\Common Files\DGSETUP
2010-07-16 17:45 . 2010-07-16 17:45 -------- d-----w- c:\program files\LG Electronics
2010-07-16 17:44 . 2010-07-16 17:44 -------- d-----w- c:\program files\Samsung
2010-07-16 17:44 . 2009-01-09 20:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-----w- c:\program files\Motorola
2010-07-16 17:38 . 2010-04-01 18:31 23424 ----a-w- c:\windows\system32\drivers\Motousbnet.sys
2010-07-16 17:38 . 2010-01-25 23:56 9472 ----a-w- c:\windows\system32\drivers\motusbdevice.sys
2010-07-16 17:38 . 2009-01-29 21:11 6016 ----a-w- c:\windows\system32\drivers\motfilt.sys
2010-07-16 17:38 . 2009-10-27 16:02 23936 ----a-w- c:\windows\system32\drivers\motmodem.sys
2010-07-16 17:38 . 2009-06-19 20:59 19712 ----a-w- c:\windows\system32\drivers\motccgp.sys
2010-07-16 17:38 . 2009-01-29 21:18 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
2010-07-16 17:38 . 2007-11-02 19:51 6400 ----a-w- c:\windows\system32\drivers\motswch.sys
2010-07-16 17:38 . 2010-07-16 17:38 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-07-16 16:07 . 2010-07-16 16:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\TightVNC
2010-07-16 16:07 . 2010-07-17 04:00 -------- d-----w- c:\program files\TightVNC
2010-07-16 16:01 . 2010-07-16 16:01 -------- d-----w- c:\program files\Common Files\Java
2010-07-14 05:46 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 02:14 . 2010-07-13 02:14 -------- d-----w- c:\program files\QuickTime
2010-07-13 02:05 . 2010-07-13 02:05 -------- d-----w- c:\program files\Apple Software Update
2010-07-11 21:46 . 2010-07-11 21:46 -------- d-----w- c:\program files\AoCQS
2010-07-11 21:46 . 2010-07-11 21:46 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\Vikingworks
2010-07-11 21:42 . 2010-07-11 21:42 -------- d-----w- c:\program files\VikingWorks
2010-07-11 07:07 . 2010-07-11 07:11 -------- d-----w- c:\documents and settings\1010101\Application Data\WallpaperSSPro
2010-07-11 07:07 . 2010-07-11 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-11 03:15 . 2010-07-11 03:15 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\Funcom
2010-07-11 03:12 . 2010-07-11 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\media center programs
2010-07-11 02:00 . 2010-07-11 02:00 -------- d-----w- c:\program files\Funcom
2010-07-11 01:59 . 2010-07-11 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Funcom
2010-07-10 06:03 . 2010-07-10 06:03 -------- d-----w- c:\program files\Bluetack
2010-07-08 04:21 . 2010-07-08 04:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
2010-07-08 04:08 . 2010-07-08 04:08 -------- d-----w- c:\program files\2K Games
2010-07-08 04:06 . 2010-07-08 04:06 -------- d-----w- c:\program files\DIFX
2010-07-08 04:06 . 2010-07-08 04:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-07 04:33 . 2010-07-07 04:39 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\pcsx2
2010-07-07 04:33 . 2010-07-07 04:59 -------- d-----w- c:\program files\PCSX2 0.9.7
2010-07-04 06:38 . 2010-07-04 06:42 -------- d-----w- c:\program files\MMSSTV
2010-07-01 12:46 . 2009-12-21 23:20 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2010-07-01 01:14 . 2010-07-01 01:18 -------- d-----w- c:\program files\VitalDesktop
2010-06-30 21:15 . 2007-01-24 02:14 69632 ----a-w- c:\windows\system32\RemoveFocusRect.dll
2010-06-30 20:09 . 2010-06-30 20:19 -------- d-----w- c:\documents and settings\1010101\Application Data\Dream Aquarium
2010-06-30 20:08 . 2010-06-30 20:09 -------- d-----w- c:\program files\Dream Aquarium
2010-06-29 03:30 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-21 03:48 . 2010-03-27 07:37 -------- d-----w- c:\documents and settings\1010101\Application Data\uTorrent
2010-07-20 05:57 . 2010-03-27 08:01 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-18 11:51 . 2010-05-02 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-07-18 05:14 . 2010-04-28 06:10 -------- d-----w- c:\documents and settings\1010101\Application Data\avidemux
2010-07-17 06:25 . 2010-05-04 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-16 17:47 . 2010-03-27 06:46 47240 ----a-w- c:\documents and settings\1010101\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-16 17:45 . 2010-03-27 06:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-16 17:44 . 2010-03-27 06:08 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Motousbnet_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motfilt_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motusbdevice_01007.Wdf
2010-07-16 15:58 . 2010-04-25 03:53 -------- d-----w- c:\program files\Java
2010-07-13 02:15 . 2010-05-03 03:21 -------- d-----w- c:\program files\Common Files\Apple
2010-07-13 02:14 . 2010-05-03 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-11 01:58 . 2010-05-20 03:01 -------- d-----w- c:\documents and settings\1010101\Application Data\FileZilla
2010-07-11 01:48 . 2010-05-20 03:01 -------- d-----w- c:\program files\FileZilla FTP Client
2010-07-09 07:20 . 2010-03-27 08:02 -------- d-----w- c:\program files\IconTweaker
2010-07-08 04:06 . 2010-05-09 01:47 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-30 02:37 . 2010-05-31 07:47 -------- d-----w- c:\program files\Valve
2010-06-28 20:57 . 2010-03-27 08:17 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-27 08:17 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-27 08:17 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-27 08:17 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-27 08:17 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-27 08:17 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-27 08:17 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-27 08:17 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-24 05:50 . 2010-06-02 03:51 -------- d-----w- c:\program files\Half-Life 2 Ultimate Edition 7
2010-06-22 08:36 . 2010-04-25 03:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-20 04:25 . 2010-06-20 04:25 -------- d-----w- c:\program files\Virtual Earth 3D
2010-06-14 14:31 . 2010-03-27 06:57 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-11 05:29 . 2010-06-11 05:29 -------- d-----w- c:\program files\BreakPoint Software
2010-06-10 07:50 . 2010-05-06 02:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 05:26 . 2010-06-03 05:26 -------- d-----w- c:\program files\Majesco Entertainment
2010-06-02 08:55 . 2010-07-07 04:51 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 08:55 . 2010-07-07 04:51 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 08:55 . 2010-07-07 04:51 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-06-01 01:09 . 2010-06-01 01:09 -------- d-----w- c:\program files\Nem's Tools
2010-05-31 22:41 . 2010-05-31 22:41 -------- d-----w- c:\program files\CFToolbox
2010-05-27 03:04 . 2010-05-03 03:23 -------- d-----w- c:\program files\iTunes
2010-05-26 15:41 . 2010-07-07 04:51 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41 . 2010-07-07 04:51 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41 . 2010-07-07 04:51 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41 . 2010-07-07 04:51 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-26 15:41 . 2010-07-07 04:51 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-23 06:59 . 2010-05-20 08:17 -------- d-----w- c:\program files\RogueSynapse
2010-05-23 06:55 . 2010-05-23 06:55 -------- d-----w- c:\documents and settings\1010101\Application Data\Wenovo
2010-05-23 00:48 . 2010-05-23 00:48 61440 ----a-w- c:\documents and settings\1010101\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6520c7bd-n\decora-sse.dll
2010-05-23 00:48 . 2010-05-23 00:48 503808 ----a-w- c:\documents and settings\1010101\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3042b4b7-n\msvcp71.dll
2010-05-23 00:48 . 2010-05-23 00:48 499712 ----a-w- c:\documents and settings\1010101\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3042b4b7-n\jmc.dll
2010-05-23 00:48 . 2010-05-23 00:48 12800 ----a-w- c:\documents and settings\1010101\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6520c7bd-n\decora-d3d.dll
2010-05-23 00:48 . 2010-05-23 00:48 348160 ----a-w- c:\documents and settings\1010101\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3042b4b7-n\msvcr71.dll
2010-05-22 05:24 . 2010-05-03 03:24 -------- d-----w- c:\documents and settings\1010101\Application Data\Apple Computer
2010-05-21 02:24 . 2010-05-21 02:25 873472 ----a-w- c:\windows\WATERYDS.SCR
2010-05-19 23:03 . 2010-05-19 23:03 61440 ----a-r- c:\documents and settings\1010101\Application Data\Microsoft\Installer\{1A621A2F-98F6-4373-89A2-8ED16076990A}\NewShortcut1_1A621A2F98F6437389A28ED16076990A.exe
2010-05-19 23:03 . 2010-05-19 23:03 40960 ----a-r- c:\documents and settings\1010101\Application Data\Microsoft\Installer\{1A621A2F-98F6-4373-89A2-8ED16076990A}\NewShortcut2_1A621A2F98F6437389A28ED16076990A.exe
2010-05-09 15:41 . 2010-05-09 15:41 4096 ----a-w- c:\windows\d3dx.dat
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 04:42 . 2010-05-04 04:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 06:35 . 2010-04-28 06:35 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-04-28 06:35 . 2010-04-28 06:35 47360 ----a-w- c:\documents and settings\1010101\Application Data\pcouffin.sys
2010-04-28 06:35 . 2010-04-28 06:35 47360 ----a-w- c:\documents and settings\1010101\Application Data\pcouffin.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\winstart.bat ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 2
Created time: 2010-07-17 05:05
Modified time: 2010-07-17 05:05
MD5: 81051BCC2CF1BEDF378224B0A93E2877
SHA1: BA8AB5A0280B953AA97435FF8946CBCBB2755A27
 
((((((((((((((((((((((((((((( SnapShot@2010-07-17_05.43.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-21 04:03 . 2010-07-21 04:03 16384 c:\windows\Temp\Perflib_Perfdata_5d8.dat
+ 2010-07-19 23:56 . 2010-07-19 23:56 1094656 c:\windows\Installer\5945b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-05-03 86016]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^1010101^Start Menu^Programs^Startup^V CAST Media Monitor.lnk]
path=c:\documents and settings\1010101\Start Menu\Programs\Startup\V CAST Media Monitor.lnk
backup=c:\windows\pss\V CAST Media Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-19 16:36 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-06-19 23:04 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 03:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 03:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 03:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 03:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\ucs.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Utilities\\eMule0.50a\\emule.exe"=
"c:\\Program Files\\Valve\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Half-Life 2 Ultimate Edition 7\\Engine3\\hl2.exe"=
"c:\\Program Files\\Half-Life 2 Ultimate Edition 7\\Engine2\\hl2.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\TightVNC\\tvnserver.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\EQEmuLoginServer.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\World.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\Zone.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc port
"8080:TCP"= 8080:TCP:uTorrent Web GUI

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/27/2010 4:17 AM 165456]
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [3/27/2010 9:45 PM 112835]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/27/2010 4:17 AM 17744]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [7/16/2010 1:39 PM 91456]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [3/27/2010 9:45 PM 5325]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 11:30 AM 136176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [7/16/2010 1:38 PM 6016]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [7/16/2010 1:38 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [7/16/2010 1:38 PM 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [7/16/2010 1:38 PM 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [7/16/2010 1:38 PM 9472]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/13/2010 11:36 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 15:30]

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 15:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\1010101\Application Data\Mozilla\Firefox\Profiles\q1a9n599.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\1010101\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-TRON 2.0 v1.042 Update - c:\windows\iun507.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 00:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-573735546-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:0e,57,66,6a,95,67,b2,c0,d5,d4,7f,33,79,f4,46,2b,d0,b7,a0,c5,2b,
ad,84,62,c5,8f,81,1e,ad,83,56,09,a7,d6,71,16,d7,a9,72,34,e6,0f,21,82,ba,e6,\
"rkeysecu"=hex:d1,75,00,ed,a9,5c,42,7e,2f,60,b3,f5,b0,6a,27,23
.
Completion time: 2010-07-21 00:19:11
ComboFix-quarantined-files.txt 2010-07-21 04:19
ComboFix2.txt 2010-07-17 05:46

Pre-Run: 24,431,792,128 bytes free
Post-Run: 24,425,361,408 bytes free

- - End Of File - - 95FC54D698670664B164B1A0EDC019A1
 
Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::

Folder::
c:\program files\UnHackMe
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. No log needed.
====================
Are there any malware related problems remaining?
 
Ran ComboFix with the script as instructed. It wanted to update again, so I let it. It sat on the screen where it says it is producing the log for a VERY long time compared to the other times I ran it. I see a new section in the log:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spig.sys >>UNKNOWN [0x8A286938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764bf28
\Driver\ACPI -> ACPI.sys @ 0xf74a3cb8
\Driver\atapi -> atapi.sys @ 0xf7978b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7b3cb0a
PacketIndicateHandler -> NDIS.sys @ 0xf7b47a21
SendHandler -> NDIS.sys @ 0xf7b3c949
user & kernel MBR OK

**************************************************************************

I'm seeing no problems with the system at all (thank you!), but should I be at all concerned about the UNKNOWN thing in the new ComboFix log?

I'm very happy that everything seems to be working so well and just want to be sure :)

Thank you!
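As an added example (not part of this post, nor ComboFix's or Gmer's own code): a small Python triage helper that parses the MBR detector block quoted above and pulls out the items an analyst actually checks in it, whether the MBR was readable from both user and kernel mode, the disk call chain and any module the detector could not resolve (the `>>UNKNOWN [...]<<` marker), each reported hook with its owning module and address, and the final verdict line. The sample text is the quoted block copied inline; the `KNOWN_DRIVERS` set is an assumption standing in for whatever the analyst has already accounted for from the rest of the log, and the helper's job is only to surface what still needs to be looked up, not to decide whether it is malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: the Gmer MBR detector block as it appears in the
# ComboFix log quoted above (module names and addresses are the log's own).
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spig.sys >>UNKNOWN [0x8A286938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764bf28
\Driver\ACPI -> ACPI.sys @ 0xf74a3cb8
\Driver\atapi -> atapi.sys @ 0xf7978b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7b3cb0a
PacketIndicateHandler -> NDIS.sys @ 0xf7b47a21
SendHandler -> NDIS.sys @ 0xf7b3c949
user & kernel MBR OK
"""

# Assumption for this example: core Windows modules the analyst treats as
# expected in the disk and network I/O paths. Anything outside this set is
# surfaced for a manual look-up, nothing more.
KNOWN_DRIVERS: Set[str] = {
    "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
    "acpi.sys", "atapi.sys", "ndis.sys",
}

# Gmer marks a call-chain entry it could not map to a file like this.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class MbrScan:
    detector: str = ""
    mbr_user_ok: bool = False
    mbr_kernel_ok: bool = False
    called_modules: List[str] = field(default_factory=list)
    unknown_modules: List[str] = field(default_factory=list)   # raw addresses
    hooks: List[Tuple[str, str, str]] = field(default_factory=list)  # (target, module, address)
    verdict_line: Optional[str] = None


def parse_mbr_detector(text: str) -> MbrScan:
    """Parse the 'Stealth MBR rootkit detector' block from a ComboFix log."""
    scan = MbrScan()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Stealth MBR rootkit"):
            scan.detector = line
        elif line.startswith("user: MBR read successfully"):
            scan.mbr_user_ok = True
        elif line.startswith("kernel: MBR read successfully"):
            scan.mbr_kernel_ok = True
        elif line.startswith("called modules:"):
            rest = line[len("called modules:"):]
            scan.unknown_modules = UNKNOWN_RE.findall(rest)
            scan.called_modules = UNKNOWN_RE.sub("", rest).split()
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif line.startswith("user & kernel MBR"):
            in_hooks = False
            scan.verdict_line = line
        elif in_hooks and " -> " in line and " @ " in line:
            # Hook lines read "<target> [-> <target>...] -> <module> @ <address>";
            # keep every hop before the last one as the target description.
            *targets, tail = line.split(" -> ")
            module, _, addr = tail.rpartition(" @ ")
            scan.hooks.append((" -> ".join(targets), module, addr))
    return scan


def triage(scan: MbrScan, known: Set[str]) -> List[str]:
    """Return analyst-facing findings; an empty list means nothing left to look up."""
    findings: List[str] = []
    if not (scan.mbr_user_ok and scan.mbr_kernel_ok):
        findings.append("MBR was not read successfully from both user and kernel mode")
    if scan.verdict_line and not scan.verdict_line.endswith("OK"):
        findings.append("detector did not report the MBR as OK: " + scan.verdict_line)
    for addr in scan.unknown_modules:
        findings.append(f"disk call chain ends in an unresolved module at {addr}; "
                        "map that address to a loaded driver before deciding it is expected")
    for name in scan.called_modules:
        if name.lower() not in known:
            findings.append(f"module {name} in the disk call chain is not in the known-driver "
                            "list; identify the product that installed it")
    for target, module, addr in scan.hooks:
        if module.lower() not in known:
            findings.append(f"hook on {target} is handled by {module} @ {addr}, "
                            "which is not in the known-driver list")
    return findings


if __name__ == "__main__":
    result = parse_mbr_detector(SAMPLE_LOG)
    for item in triage(result, KNOWN_DRIVERS):
        print("-", item)
```

On the quoted block this surfaces exactly two items: the unresolved address 0x8A286938 and the module spig.sys, which is the same pair a reader would pick out by eye; the point of scripting it is consistency across the several ComboFix runs a thread like this produces.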
 
You don't need to copy anything from the logs. I see it all when I open it. You also don't need to put the logs in a quote; that cuts down on the space.

Ran ComboFix with the script as instructed.

I need the log please.
 
Log follows in the next two posts. Thank you.

ComboFix 10-07-21.01 - 1010101 07/21/2010 19:55:05.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1536.1104 [GMT -4:00]
Running from: c:\documents and settings\1010101\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\1010101\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\UnHackMe
c:\program files\UnHackMe\appdata.exe
c:\program files\UnHackMe\appdata.ini
c:\program files\UnHackMe\database.rdb
c:\program files\UnHackMe\insdata.exe
c:\program files\UnHackMe\readmea.txt
c:\program files\UnHackMe\reanimator.ini
c:\program files\UnHackMe\reanimator.zip
c:\program files\UnHackMe\ReanimatorStart.exe
c:\program files\UnHackMe\unhackme.ini
c:\program files\UnHackMe\unhackme.log
c:\program files\UnHackMe\unins001.dat
c:\program files\UnHackMe\unins001.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-21 13:21 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-07-21 13:21 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-07-19 23:56 . 2010-07-19 23:56 -------- d-----w- c:\program files\Trend Micro
2010-07-19 23:47 . 2010-07-19 23:47 -------- d-----w- C:\_OTM
2010-07-19 11:47 . 2010-07-19 11:47 115120 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-18 05:04 . 2010-07-18 05:04 -------- d-----w- C:\Temp
2010-07-18 05:03 . 2010-07-18 05:06 -------- d-----w- c:\program files\Winnydows
2010-07-17 18:30 . 2010-07-17 18:30 -------- d-----w- c:\program files\ESET
2010-07-17 06:33 . 2010-07-17 06:33 -------- d-----w- c:\documents and settings\1010101\Application Data\Malwarebytes
2010-07-17 06:33 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 06:33 . 2010-07-17 06:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-17 06:33 . 2010-07-17 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-17 06:33 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-17 05:05 . 2010-07-17 05:05 2 --shatr- c:\windows\winstart.bat
2010-07-17 04:21 . 2010-07-17 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-17 04:21 . 2010-07-17 06:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-17 04:16 . 2010-07-17 04:16 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\Sunbelt Software
2010-07-17 00:55 . 2010-07-17 00:55 -------- d-----w- c:\documents and settings\1010101\Application Data\TightVNC
2010-07-16 17:47 . 2010-07-16 17:47 -------- d-----w- c:\documents and settings\1010101\Application Data\Smith Micro
2010-07-16 17:46 . 2007-02-28 04:57 61440 ----a-w- c:\windows\system32\pthswmcp.dll
2010-07-16 17:46 . 2010-07-16 17:46 -------- d-----w- c:\program files\PANTECH
2010-07-16 17:45 . 2010-07-16 17:45 -------- d-----w- c:\program files\Common Files\VerizonWireless
2010-07-16 17:45 . 2007-02-26 10:46 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-07-16 17:45 . 2010-07-16 17:45 -------- d-----w- c:\program files\Common Files\DGSETUP
2010-07-16 17:45 . 2010-07-16 17:45 -------- d-----w- c:\program files\LG Electronics
2010-07-16 17:44 . 2010-07-16 17:44 -------- d-----w- c:\program files\Samsung
2010-07-16 17:44 . 2009-01-09 20:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-07-16 17:39 . 2010-07-16 17:39 -------- d-----w- c:\program files\Motorola
2010-07-16 17:38 . 2009-07-10 17:01 25856 ----a-w- c:\windows\system32\drivers\motoandroid.sys
2010-07-16 17:38 . 2010-04-01 18:31 23424 ----a-w- c:\windows\system32\drivers\Motousbnet.sys
2010-07-16 17:38 . 2010-01-25 23:56 9472 ----a-w- c:\windows\system32\drivers\motusbdevice.sys
2010-07-16 17:38 . 2009-01-29 21:11 6016 ----a-w- c:\windows\system32\drivers\motfilt.sys
2010-07-16 17:38 . 2009-10-27 16:02 23936 ----a-w- c:\windows\system32\drivers\motmodem.sys
2010-07-16 17:38 . 2009-06-19 20:59 19712 ----a-w- c:\windows\system32\drivers\motccgp.sys
2010-07-16 17:38 . 2009-01-29 21:18 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
2010-07-16 17:38 . 2007-11-02 19:51 6400 ----a-w- c:\windows\system32\drivers\motswch.sys
2010-07-16 17:38 . 2010-07-16 17:38 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-07-16 16:07 . 2010-07-16 16:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\TightVNC
2010-07-16 16:07 . 2010-07-17 04:00 -------- d-----w- c:\program files\TightVNC
2010-07-16 16:01 . 2010-07-16 16:01 -------- d-----w- c:\program files\Common Files\Java
2010-07-14 05:46 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 02:14 . 2010-07-13 02:14 -------- d-----w- c:\program files\QuickTime
2010-07-13 02:05 . 2010-07-13 02:05 -------- d-----w- c:\program files\Apple Software Update
2010-07-11 21:46 . 2010-07-11 21:46 -------- d-----w- c:\program files\AoCQS
2010-07-11 21:46 . 2010-07-11 21:46 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\Vikingworks
2010-07-11 21:42 . 2010-07-11 21:42 -------- d-----w- c:\program files\VikingWorks
2010-07-11 07:07 . 2010-07-11 07:11 -------- d-----w- c:\documents and settings\1010101\Application Data\WallpaperSSPro
2010-07-11 07:07 . 2010-07-11 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-11 03:15 . 2010-07-11 03:15 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\Funcom
2010-07-11 03:12 . 2010-07-11 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\media center programs
2010-07-11 02:00 . 2010-07-11 02:00 -------- d-----w- c:\program files\Funcom
2010-07-11 01:59 . 2010-07-11 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Funcom
2010-07-10 06:03 . 2010-07-10 06:03 -------- d-----w- c:\program files\Bluetack
2010-07-08 04:21 . 2010-07-08 04:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
2010-07-08 04:08 . 2010-07-08 04:08 -------- d-----w- c:\program files\2K Games
2010-07-08 04:06 . 2010-07-08 04:06 -------- d-----w- c:\program files\DIFX
2010-07-08 04:06 . 2010-07-08 04:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-07 04:33 . 2010-07-07 04:39 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\pcsx2
2010-07-07 04:33 . 2010-07-07 04:59 -------- d-----w- c:\program files\PCSX2 0.9.7
2010-07-04 06:38 . 2010-07-04 06:42 -------- d-----w- c:\program files\MMSSTV
2010-07-01 12:46 . 2009-12-21 23:20 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2010-07-01 01:14 . 2010-07-01 01:18 -------- d-----w- c:\program files\VitalDesktop
2010-06-30 21:15 . 2007-01-24 02:14 69632 ----a-w- c:\windows\system32\RemoveFocusRect.dll
2010-06-30 20:09 . 2010-06-30 20:19 -------- d-----w- c:\documents and settings\1010101\Application Data\Dream Aquarium
2010-06-30 20:08 . 2010-06-30 20:09 -------- d-----w- c:\program files\Dream Aquarium
2010-06-29 03:30 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-21 23:50 . 2010-03-27 07:37 -------- d-----w- c:\documents and settings\1010101\Application Data\uTorrent
2010-07-21 15:38 . 2010-03-27 08:01 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-21 13:21 . 2010-07-21 13:21 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-07-18 11:51 . 2010-05-02 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-07-18 05:14 . 2010-04-28 06:10 -------- d-----w- c:\documents and settings\1010101\Application Data\avidemux
2010-07-17 06:25 . 2010-05-04 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-16 17:47 . 2010-03-27 06:46 47240 ----a-w- c:\documents and settings\1010101\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-16 17:45 . 2010-03-27 06:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-16 17:44 . 2010-03-27 06:08 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Motousbnet_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motfilt_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motusbdevice_01007.Wdf
2010-07-16 15:58 . 2010-04-25 03:53 -------- d-----w- c:\program files\Java
2010-07-13 02:15 . 2010-05-03 03:21 -------- d-----w- c:\program files\Common Files\Apple
2010-07-13 02:14 . 2010-05-03 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-11 01:58 . 2010-05-20 03:01 -------- d-----w- c:\documents and settings\1010101\Application Data\FileZilla
2010-07-11 01:48 . 2010-05-20 03:01 -------- d-----w- c:\program files\FileZilla FTP Client
2010-07-09 07:20 . 2010-03-27 08:02 -------- d-----w- c:\program files\IconTweaker
2010-07-08 04:06 . 2010-05-09 01:47 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-30 02:37 . 2010-05-31 07:47 -------- d-----w- c:\program files\Valve
2010-06-28 20:57 . 2010-03-27 08:17 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-03-27 08:17 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-03-27 08:17 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-03-27 08:17 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-03-27 08:17 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-03-27 08:17 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-03-27 08:17 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-03-27 08:17 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-24 05:50 . 2010-06-02 03:51 -------- d-----w- c:\program files\Half-Life 2 Ultimate Edition 7
2010-06-22 08:36 . 2010-04-25 03:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-20 04:25 . 2010-06-20 04:25 -------- d-----w- c:\program files\Virtual Earth 3D
2010-06-14 14:31 . 2010-03-27 06:57 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-11 05:29 . 2010-06-11 05:29 -------- d-----w- c:\program files\BreakPoint Software
2010-06-10 07:50 . 2010-05-06 02:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 05:26 . 2010-06-03 05:26 -------- d-----w- c:\program files\Majesco Entertainment
2010-06-02 08:55 . 2010-07-07 04:51 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 08:55 . 2010-07-07 04:51 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 08:55 . 2010-07-07 04:51 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-06-01 01:09 . 2010-06-01 01:09 -------- d-----w- c:\program files\Nem's Tools
2010-05-31 22:41 . 2010-05-31 22:41 -------- d-----w- c:\program files\CFToolbox
2010-05-27 03:04 . 2010-05-03 03:23 -------- d-----w- c:\program files\iTunes
2010-05-26 15:41 . 2010-07-07 04:51 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41 . 2010-07-07 04:51 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41 . 2010-07-07 04:51 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41 . 2010-07-07 04:51 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-26 15:41 . 2010-07-07 04:51 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-23 06:59 . 2010-05-20 08:17 -------- d-----w- c:\program files\RogueSynapse
2010-05-23 06:55 . 2010-05-23 06:55 -------- d-----w- c:\documents and settings\1010101\Application Data\Wenovo
2010-05-21 02:24 . 2010-05-21 02:25 873472 ----a-w- c:\windows\WATERYDS.SCR
2010-05-09 15:41 . 2010-05-09 15:41 4096 ----a-w- c:\windows\d3dx.dat
2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 04:42 . 2010-05-04 04:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 06:35 . 2010-04-28 06:35 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-04-28 06:35 . 2010-04-28 06:35 47360 ----a-w- c:\documents and settings\1010101\Application Data\pcouffin.sys
.
 
((((((((((((((((((((((((((((( SnapShot@2010-07-17_05.43.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-22 00:05 . 2010-07-22 00:05 16384 c:\windows\temp\Perflib_Perfdata_7b8.dat
+ 2010-07-19 23:56 . 2010-07-19 23:56 1094656 c:\windows\Installer\5945b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-05-03 86016]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^1010101^Start Menu^Programs^Startup^V CAST Media Monitor.lnk]
path=c:\documents and settings\1010101\Start Menu\Programs\Startup\V CAST Media Monitor.lnk
backup=c:\windows\pss\V CAST Media Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-19 16:36 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-06-19 23:04 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 03:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 03:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 03:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 03:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\ucs.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Utilities\\eMule0.50a\\emule.exe"=
"c:\\Program Files\\Valve\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Half-Life 2 Ultimate Edition 7\\Engine3\\hl2.exe"=
"c:\\Program Files\\Half-Life 2 Ultimate Edition 7\\Engine2\\hl2.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\TightVNC\\tvnserver.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\EQEmuLoginServer.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\World.exe"=
"c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\Zone.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc port
"8080:TCP"= 8080:TCP:uTorrent Web GUI

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/13/2010 11:36 PM 691696]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/27/2010 4:17 AM 165456]
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [3/27/2010 9:45 PM 112835]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/27/2010 4:17 AM 17744]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [7/16/2010 1:39 PM 91456]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [3/27/2010 9:45 PM 5325]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 11:30 AM 136176]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [7/16/2010 1:38 PM 25856]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [7/16/2010 1:38 PM 6016]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [7/16/2010 1:38 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [7/16/2010 1:38 PM 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [7/16/2010 1:38 PM 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [7/16/2010 1:38 PM 9472]
.
Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 15:30]

2010-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 15:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\1010101\Application Data\Mozilla\Firefox\Profiles\q1a9n599.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\1010101\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spig.sys >>UNKNOWN [0x8A286938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764bf28
\Driver\ACPI -> ACPI.sys @ 0xf74a3cb8
\Driver\atapi -> atapi.sys @ 0xf7978b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7b3cb0a
PacketIndicateHandler -> NDIS.sys @ 0xf7b47a21
SendHandler -> NDIS.sys @ 0xf7b3c949
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-573735546-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:0e,57,66,6a,95,67,b2,c0,d5,d4,7f,33,79,f4,46,2b,d0,b7,a0,c5,2b,
ad,84,62,c5,8f,81,1e,ad,83,56,09,a7,d6,71,16,d7,a9,72,34,e6,0f,21,82,ba,e6,\
"rkeysecu"=hex:d1,75,00,ed,a9,5c,42,7e,2f,60,b3,f5,b0,6a,27,23
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1980)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\System32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
.
**************************************************************************
.
Completion time: 2010-07-21 20:13:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-22 00:13
ComboFix2.txt 2010-07-21 04:19
ComboFix3.txt 2010-07-17 05:46

Pre-Run: 20,004,106,240 bytes free
Post-Run: 20,032,823,296 bytes free

- - End Of File - - BB21A959B86EB6328E7026E91A0D36D2
 
I have a question if you don't mind helping me out. I've seen the numerous entries for the Tortoise Overlays. I did some searching but it has only produced that the program is for icon overlays in Windows 7.

But there are so many entries, from shelliconoverlayidentifiers\1TortoiseNormal numerically to #8, and files for TortoiseModified, Conflict, Locked, ReadOnly, etc. What is this program and how does it work?
====================================
I would like you to run the following though because of that 'unknown' section in Combofix:

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni
 
The Tortoise stuff is for icon overlays used by TortoiseSVN. I use it to update some database files for an EverQuest server emulator every now and then. You can read more about it at http://tortoisesvn.net/about. Open source and works well.

No issues at all to report with the system. Everything seems to be working well. Thanks so much for your time. That you do this for others is just amazing, really, and you guys all deserve tremendous thanks for your time and effort.

The contents of the Bootkit Remover screen follow. Ctrl-C doesn't work on that window, by the way, but right-clicking and choosing "Select All" followed by another right-click does copy the contents of the window into the clipboard.

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
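For anyone who lands here with the same question about the ShellIconOverlayIdentifiers entries in a ComboFix log: every subkey under that registry path names a COM CLSID, and Explorer loads the DLL registered for that CLSID into explorer.exe (which is exactly why ComboFix lists them under "Reg Loading Points" and why the DLLs show up in the "DLLs Loaded Under Running Processes" section). Windows also only honours the first 15 entries in alphabetical order, which is why TortoiseSVN prefixes its keys with digits. The PowerShell below is an added audit script, not code from this thread, from ComboFix or from TortoiseSVN; it walks the overlay keys, resolves each CLSID to its InprocServer32 DLL, and flags handlers whose DLL is missing, lives outside Program Files or the Windows directory (an assumed "trusted roots" list you may need to adjust), or carries no valid Authenticode signature.

```powershell
# Added example (not from the thread, ComboFix or TortoiseSVN): audit the shell
# icon overlay handlers that Explorer loads into explorer.exe.
# Run in an elevated PowerShell session on the machine being checked.

$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'

# Assumption for this check: a legitimately installed handler DLL lives under
# Program Files or the Windows directory. Adjust for your environment.
$trustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot") |
    Where-Object { $_ }

function Get-OverlayHandlerAudit {
    Get-ChildItem -Path $overlayKey |
        Sort-Object -Property PSChildName |
        ForEach-Object -Begin { $rank = 0 } -Process {
            $rank++
            # The key's default value is the CLSID of the COM handler.
            $clsid  = (Get-ItemProperty -Path $_.PSPath).'(default)'
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path -Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }

            $notes = @()
            # Explorer only loads the first 15 handlers (alphabetical order).
            if ($rank -gt 15) { $notes += 'beyond the 15-handler limit (never loaded)' }
            if (-not $dll) {
                $notes += 'CLSID has no InprocServer32'
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $notes += 'DLL missing on disk'
            } else {
                $inTrusted = $trustedRoots | Where-Object { $dll.StartsWith($_, 'OrdinalIgnoreCase') }
                if (-not $inTrusted) { $notes += 'DLL outside Program Files / Windows' }
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
                if ($sig -ne 'Valid') { $notes += "signature: $sig" }
            }

            [pscustomobject]@{
                Rank  = $rank
                Name  = $_.PSChildName
                CLSID = $clsid
                DLL   = $dll
                Notes = ($notes -join '; ')
            }
        }
}

Get-OverlayHandlerAudit | Format-Table -AutoSize
```

On the machine in this thread all nine entries resolve to c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll, which is under Program Files and is the same DLL that shows up loaded in explorer.exe further down the log, so the check would report nothing beyond whatever the signature status happens to be. An entry whose DLL sits in a user profile or temp directory, or whose CLSID has no server at all, is the kind of overlay handler worth a closer look.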
 
Thanks for the info. I did see a lot of sites with references, but just couldn't get a handle on it! I appreciate your patience and was glad to help.

The system looks good now so you can Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    (screenshot: CF_Uninstall-1.jpg)
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    ◦ Choose Disc Cleanup
    ◦ Click "OK" to select the partition or drive you want.
    ◦ Click the "More Options" Tab.
    ◦ Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
===========================================
Please follow these simple steps to keep your computer clean and secure:


Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates, as they are vulnerabilities.
  • Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features.

Do regular Maintenance
  • Remove Temporary Internet Files regularly:
    ◦ ATF Cleaner by Atribune
    OR
    ◦ TFC
  • Disable and Enable System Restore:
    ◦ See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points, and what information is in them.

Have layered Security:
  • Antivirus Software (only one): Both of the following programs are free and known to be good:
    ◦ Avira Free
    ◦ Avast Home
  • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    ◦ Comodo
    ◦ Zone Alarm
  • Antispyware: I recommend all of the following:
    ◦ Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
    ◦ IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    ◦ Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

Let me know if you need any more help.
 
Thanks for all your help, Bobbye. Everything is working fantastically. Thanks, too, to Broni, who, based on one of your posts, lent an assist.

I appreciate the effort you put in. Thanks a million!
 