hijackthis help?

finalmidnight
New Member
Posts: 8
Joined: Thu Oct 15, 2009 10:56 pm

hijackthis help?

Post by finalmidnight »

Hey. I've been noticing that whenever I search on Google for something and click any link, it brings me to an advertisement site. If I hit back and then click the site again, it goes to the site. I looked up what I should do and they said to post the logs... please help.

Here are the logs from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:05 PM, on 10/15/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUS\Turbo Gear\GearHelp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Turbo Gear Help] "C:\Program Files\ASUS\Turbo Gear\GearHelp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Think Green Weather.lnk = C:\Program Files\Stardock\DesktopGadgets\Think Green Weather\Think Green Weather.exe (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {77BF5300-1474-4EC7-9980-D32B190E9B07} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O13 - Gopher Prefix:
O16 - DPF: Justin.tv Publisher - http://www.justin.tv/plugins/justintv_publisher.CAB
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: root - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9536 bytes
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Hi finalmidnight, please remove the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {77BF5300-1474-4EC7-9980-D32B190E9B07} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: root - Unknown owner - C:\Program.exe (file missing)


I would then suggest using the Norton Removal Tool to clean up the mess Norton left on your PC.

I would then suggest removing AVG and using Avira; it's much better and lighter.

You should also follow my Malware Removal Guide since HijackThis doesn't show everything that could be causing problems.
:D
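The list above is the kind of triage a helper does by eye: entries that point at files which no longer exist, services with no publisher, and the `C:\Program.exe` image path that Windows resolves an unquoted `C:\Program Files\...` service path to. The following is an added example (not code from this forum, from HijackThis, or from any of the posters) that applies those same checks to HijackThis log lines; the heuristics, the `Finding` type and the sample lines (copied from the log format used in this thread) are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in HijackThis v2.0.2 log format,
# taken from the kinds of entries seen in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O23"
    reason: str    # why a reviewer should look at this line
    line: str      # the original log line

# Every HijackThis entry starts with a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

def triage_line(line: str) -> list[Finding]:
    """Return review findings for one log line (empty list if nothing stands out)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    findings = []

    # HijackThis marks references to files that no longer exist.
    if "(no file)" in body or "(file missing)" in body:
        findings.append(Finding(section, "orphaned entry: points at a file that no longer exists", line))

    if section == "O23":
        if "Unknown owner" in body:
            findings.append(Finding(section, "service binary carries no publisher name", line))
        # 'C:\Program.exe' is what an unquoted image path under 'C:\Program Files\...'
        # resolves to: the first space ends the path, so the real binary is never run.
        if re.search(r"- C:\\Program\.exe\b", body, re.IGNORECASE):
            findings.append(Finding(section, "unquoted service path truncated to C:\\Program.exe", line))

    if section == "O4" and "] " in body:
        # O4 - <hive>\..\Run: [Name] command
        cmd = body.split("] ", 1)[1]
        # A bare filename (no quotes, no drive letter, no %VAR%) is resolved through the
        # search path at logon, so the file actually started depends on PATH ordering.
        if cmd and not cmd.startswith('"') and not re.match(r"^[A-Za-z]:\\|^%", cmd):
            findings.append(Finding(section, "autorun command is a bare filename resolved via the search path", line))

    if section == "O20" and body.startswith("AppInit_DLLs"):
        # AppInit_DLLs are loaded into every process that links user32.dll.
        findings.append(Finding(section, "AppInit_DLLs entry: confirm the DLL belongs to installed software", line))

    return findings

def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole log and collect the findings."""
    return [f for line in text.splitlines() for f in triage_line(line)]

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Each finding is a prompt for review, not a verdict: the Bonjour service line produces nothing, while the `MySQL4` line produces three findings (missing file, no publisher, truncated path), which matches the helper's instinct to list it for removal.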
finalmidnight
New Member
Posts: 8
Joined: Thu Oct 15, 2009 10:56 pm

Post by finalmidnight »

Thanks, it made my PC quicker, but my Windows Defender found a trojan which nothing else did. It's called Trojan:Win32/Alureon.gen!U, and it can't delete it. Anybody know how to delete it?

This is what Windows Defender says:

Error encountered:
Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contains the items or, for information on removing read-only permissions from files and folders, see Help and Support.

Category:
Trojan

Description:
This program is dangerous and executes commands from an attacker.

Advice:
Remove this software immediately.

Resources:
file:
globalroot\Device\Ide\IdePort1\ktxiuocj\ktxiuocj\tdlwsp.dll
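The path Defender reports above does not start with a drive letter: `globalroot\Device\Ide\IdePort1\...` is an NT object-manager path addressed through the IDE port device object rather than a mounted volume, which is why the file cannot be located from Explorer and why a plain delete fails. As an added example (not code from this forum or from Windows Defender), the script below parses a Defender detection text of this shape into fields and classifies each reported resource path; the second, ordinary-path alert is constructed for contrast, and the field names and the "hidden storage" verdict are my own assumptions.

```python
import re

# Constructed sample: the Windows Defender detection text quoted in this thread.
ALERT_HIDDEN = r"""Error encountered:
Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contains the items or, for information on removing read-only permissions from files and folders, see Help and Support.

Category:
Trojan

Description:
This program is dangerous and executes commands from an attacker.

Advice:
Remove this software immediately.

Resources:
file:
globalroot\Device\Ide\IdePort1\ktxiuocj\ktxiuocj\tdlwsp.dll
"""

# Constructed sample: an alert whose file sits on an ordinary drive-letter path.
ALERT_NORMAL = r"""Category:
Trojan

Resources:
file:
C:\Users\example\AppData\Local\Temp\sample.exe
"""

# A capitalised label ending in ':' opens a section; a lowercase one (e.g. "file:")
# names the kind of the resource lines that follow it.
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*$")
CODE_RE = re.compile(r"Code (0x[0-9A-Fa-f]{8})")

def classify_path(path: str) -> str:
    """Say which namespace a reported file path lives in."""
    p = path.lower()
    if p.startswith("globalroot\\") or p.startswith("\\device\\") or p.startswith("\\\\?\\globalroot\\"):
        return "nt-object-path"   # object-manager path, not reachable as <drive>:\...
    if re.match(r"^[a-z]:\\", p):
        return "drive-path"
    if p.startswith("\\\\"):
        return "unc-path"
    return "unknown"

def parse_alert(text: str) -> dict:
    """Split a Defender detection text into code, category and resource list."""
    sections: dict[str, list] = {}
    current = None
    kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m and m.group(1)[0].isupper():
            current = m.group(1)
            sections[current] = []
            kind = None
            continue
        if current == "Resources":
            if m:                      # lowercase label such as "file:"
                kind = m.group(1)
                continue
            sections[current].append((kind or "unknown", line))
        elif current:
            sections[current].append(line)
    code = CODE_RE.search(text)
    return {
        "code": code.group(1) if code else None,
        "category": " ".join(sections.get("Category", [])),
        "resources": sections.get("Resources", []),
    }

def assess(text: str) -> dict:
    """Parse the alert and flag resources that live outside any mounted volume."""
    alert = parse_alert(text)
    classified = [(kind, path, classify_path(path)) for kind, path in alert["resources"]]
    hidden = any(cls == "nt-object-path" for _, _, cls in classified)
    alert["resources"] = classified
    alert["hidden_storage"] = hidden
    alert["advice"] = (
        "file is addressed through a device object, not a volume: use a rootkit-aware "
        "scanner or an offline scan rather than deleting by path"
        if hidden else "file is on a normal volume: standard removal applies"
    )
    return alert

if __name__ == "__main__":
    for text in (ALERT_HIDDEN, ALERT_NORMAL):
        a = assess(text)
        print(a["code"], a["category"], a["hidden_storage"])
        for kind, path, cls in a["resources"]:
            print(f"  {kind}: {path} [{cls}]")
        print("  ->", a["advice"])
```

The check is deliberately narrow: it only recognises the path namespace. Whether a given `globalroot\Device\...` location is hidden storage belonging to a rootkit is something a rootkit-aware scan has to confirm, which is what the later ComboFix run in this thread does.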
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

I believe this file is part of Total Scanner, one of the latest rogue anti-malware programs; it will crash Windows Defender and Microsoft Security Essentials, making them useless. Did you install Avira? I believe it will remove this. Also, did you follow the instructions in my Malware Removal link? I know if you follow all of those instructions it will be removed.
:)
finalmidnight
New Member
Posts: 8
Joined: Thu Oct 15, 2009 10:56 pm

Post by finalmidnight »

I tried your guide and it did get rid of a couple of things on my PC, but the trojan is still there because I still get redirected to ad sites when I click a link on Google. I'm running Windows Vista and using a Velocity Micro NoteMagix X25 laptop. I also tried searching for the location and couldn't find it. The laptop didn't even come with a restore disc =(
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

The laptop may have a partition on the hard drive to restore from.
finalmidnight
New Member
Posts: 8
Joined: Thu Oct 15, 2009 10:56 pm

Post by finalmidnight »

Yeah, I looked up on Google how to restore to factory settings without the restore disk, but when I tried the commands such as (Alt+F, Alt+F10, Alt+F11, F1, and F8) they didn't bring anything up about restoring to factory settings.
finalmidnight
New Member
Posts: 8
Joined: Thu Oct 15, 2009 10:56 pm

Post by finalmidnight »

I got it popped up again and now I see it's in a different location which I still can't find.

Resources:
file:
globalroot\Device\Ide\IdePort1\ctpjxieu\ctpjxieu\tdlwsp.dll
YARDofSTUF
Posts: 70006
Joined: Sat Nov 11, 2000 12:00 am
Location: USA

Post by YARDofSTUF »

Have you tried using Avira?

Another popular alternative seems to be combofix:

http://www.bleepingcomputer.com/combofi ... e-combofix
finalmidnight
New Member
Posts: 8
Joined: Thu Oct 15, 2009 10:56 pm

Post by finalmidnight »

Yeah, I'm using Avira right now and it isn't picking the trojan up. Also, ComboFix crashes when it starts to scan my computer.
finalmidnight
New Member
Posts: 8
Joined: Thu Oct 15, 2009 10:56 pm

Post by finalmidnight »

I have recently tried running ComboFix again and had to update it. It found a rootkit and restarted my PC. I have it running again and will post the log once it is done. I am on a different computer at the moment.
finalmidnight
New Member
Posts: 8
Joined: Thu Oct 15, 2009 10:56 pm

Post by finalmidnight »

OK, here it is... also I noticed I don't get redirected to ad links in Google anymore:

ComboFix 09-10-21.02 - gangstajosh55 10/22/2009 14:19.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.983 [GMT -4:00]
Running from: c:\users\gangstajosh55\Desktop\ComboFix.exe
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1058363464-448097358-1522403579-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3794764448-4140279499-1948654948-1000
C:\install.exe
c:\windows\icon.ico

.
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-22 18:33 . 2009-10-22 18:34 -------- d-----w- c:\users\gangstajosh55\AppData\Local\temp
2009-10-22 18:33 . 2009-10-22 18:33 -------- d-----w- c:\users\Mcx2\AppData\Local\temp
2009-10-22 18:33 . 2009-10-22 18:33 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-10-22 18:33 . 2009-10-22 18:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-22 18:33 . 2009-10-22 18:33 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-10-21 20:09 . 2009-10-21 20:09 -------- d-----w- C:\$WINDOWS.~LS
2009-10-21 20:08 . 2009-10-21 20:08 -------- d-----w- C:\$WINDOWS.~BT
2009-10-18 01:31 . 2009-10-18 01:31 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2009-10-18 00:55 . 2009-10-18 00:58 -------- d-----w- c:\program files\SpywareBlaster
2009-10-17 20:05 . 2009-10-17 22:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-17 20:05 . 2009-10-17 22:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-17 20:03 . 2009-10-17 20:03 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\Malwarebytes
2009-10-17 20:03 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-17 20:03 . 2009-10-17 20:03 -------- d-----w- c:\programdata\Malwarebytes
2009-10-17 20:03 . 2009-10-17 20:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-17 20:03 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-16 18:45 . 2009-10-16 20:59 -------- d-----w- c:\program files\ThreatFire
2009-10-16 18:45 . 2009-10-16 18:45 -------- d-----w- c:\programdata\PC Tools
2009-10-16 18:36 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-16 18:36 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-16 18:36 . 2009-10-16 18:36 -------- d-----w- c:\programdata\Avira
2009-10-16 18:36 . 2009-10-16 18:36 -------- d-----w- c:\program files\Avira
2009-10-16 16:58 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 16:58 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 16:58 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 16:56 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 16:55 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 16:55 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-16 02:46 . 2009-10-16 02:46 -------- d-----w- c:\program files\Trend Micro
2009-10-14 06:22 . 2009-10-14 06:22 362240 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-13 19:57 . 2009-10-13 19:57 -------- d-----w- c:\program files\BreakPoint Software
2009-10-13 19:49 . 2009-10-13 19:49 -------- d-sha-w- c:\users\Public\DRM
2009-10-13 06:10 . 2009-10-16 18:29 -------- d-----w- c:\programdata\avg9
2009-10-13 05:10 . 2009-10-13 05:10 -------- d-----w- c:\users\gangstajosh55\AppData\Local\AIM
2009-10-11 21:06 . 2009-10-11 21:06 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-11 21:05 . 2009-10-11 21:05 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-10-11 21:05 . 2009-10-11 21:05 -------- d-sh--w- c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2009-10-08 21:48 . 2009-10-08 21:48 -------- d-----w- c:\users\gangstajosh55\AppData\Local\Turbine
2009-10-08 21:40 . 2009-10-08 21:40 -------- d-----w- c:\users\gangstajosh55\AppData\Local\Turbine,_Inc
2009-10-08 21:39 . 2009-10-13 06:56 -------- d-----w- c:\program files\Turbine
2009-10-07 03:52 . 2009-10-07 03:52 -------- d-----w- c:\temp\MTGOInstall
2009-10-07 03:48 . 2009-10-07 03:56 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\Wizards of the Coast
2009-10-06 05:18 . 2009-10-06 05:18 -------- d-----w- c:\users\gangstajosh55\AppData\Local\PunkBuster
2009-10-05 05:36 . 2004-02-17 04:00 434252 ----a-w- c:\windows\system32\MSVCRTD.DLL
2009-10-05 05:36 . 2006-06-24 01:38 452096 ----a-w- c:\windows\system32\nmap.exe
2009-10-05 05:36 . 2006-06-24 01:38 192 ----a-w- c:\windows\system32\nmap_performance.reg
2009-10-05 05:36 . 2004-02-27 04:00 962612 ----a-w- c:\windows\system32\MFC42D.DLL
2009-10-05 05:36 . 2004-02-27 04:00 61493 ----a-w- c:\windows\system32\MFCN42D.DLL
2009-10-05 05:36 . 2002-11-20 23:44 77824 ----a-w- c:\windows\system32\nmapwin.exe
2009-10-05 05:36 . 2002-11-20 22:06 290816 ----a-w- c:\windows\system32\nmapserv.exe
2009-10-05 05:36 . 2001-11-27 04:13 114688 ----a-w- c:\windows\system32\CCGNU32.dll
2009-10-05 05:35 . 2003-03-19 06:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2009-10-05 05:35 . 1999-04-17 04:06 10752 ----a-w- c:\windows\system32\aamd532.dll
2009-10-05 05:35 . 2004-03-02 00:55 561179 ----a-w- c:\windows\system32\dao360.dll
2009-10-05 05:35 . 1998-06-18 04:00 299008 ----a-w- c:\windows\system32\MSDBRPTR.DLL
2009-10-05 05:35 . 1998-06-09 04:00 137216 ----a-w- c:\windows\system32\MSDERUN.DLL
2009-10-05 05:35 . 1999-03-26 07:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-10-05 05:35 . 2009-10-16 20:02 -------- d-----w- c:\program files\Net Tools
2009-10-05 03:04 . 2009-10-05 03:04 -------- d-----w- c:\users\gangstajosh55\AppData\Local\Xenocode
2009-10-04 18:45 . 2009-10-04 18:56 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\TeamViewer
2009-10-04 18:45 . 2009-10-04 18:45 -------- d-----w- c:\program files\TeamViewer
2009-10-04 18:45 . 2009-10-04 18:45 -------- d-----w- c:\users\gangstajosh55\temp
2009-10-03 12:29 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 18:46 . 2009-09-30 18:46 -------- d-----w- c:\program files\Microsoft
2009-09-30 03:33 . 2009-09-30 03:35 -------- d-----w- c:\program files\Windows Live(61)
2009-09-27 02:52 . 2009-09-27 02:52 -------- d-----w- c:\users\gangstajosh55\AppData\Local\assembly
2009-09-27 02:52 . 2009-09-27 03:17 -------- d-----w- c:\program files\NCSoft
2009-09-26 16:05 . 2009-09-26 16:05 -------- d-----w- c:\windows\system32\ca-ES
2009-09-26 16:05 . 2009-09-26 16:05 -------- d-----w- c:\windows\system32\eu-ES
2009-09-26 16:05 . 2009-09-26 16:05 -------- d-----w- c:\windows\system32\vi-VN
2009-09-26 15:59 . 2009-09-26 15:59 -------- d-----w- C:\92eed1b31a8712a806d362
2009-09-26 15:45 . 2009-09-26 15:45 -------- d-----w- c:\windows\system32\EventProviders
2009-09-24 11:26 . 2009-04-11 06:33 926184 ----a-w- c:\windows\system32\winresume.exe
2009-09-24 11:25 . 2009-04-11 06:28 705536 ----a-w- c:\windows\system32\SmiEngine.dll
2009-09-24 11:25 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-09-24 11:25 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-09-24 11:25 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2009-09-23 13:44 . 2009-09-23 14:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-23 13:44 . 2009-09-23 14:07 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-23 13:44 . 2009-09-23 14:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 11:23 . 2009-04-16 02:30 95795 ----a-w- c:\programdata\nvModes.dat
2009-10-18 07:12 . 2007-07-13 19:57 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-18 01:30 . 2008-10-04 20:29 99824 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-17 22:44 . 2007-12-28 23:55 -------- d-----w- c:\program files\Advanced Registry Fix
2009-10-16 18:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-16 16:52 . 2007-08-31 21:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-16 11:15 . 2008-09-23 23:06 -------- d-----w- c:\programdata\Microsoft Help
2009-10-16 02:41 . 2009-07-25 13:27 -------- d-----w- c:\program files\Pando Networks
2009-10-16 02:41 . 2008-10-06 01:15 -------- d-----w- c:\program files\Winamp
2009-10-16 02:40 . 2009-05-07 03:50 -------- d-----w- c:\program files\QuickFreedom
2009-10-16 02:40 . 2009-04-03 01:24 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-10-16 02:22 . 2009-08-17 04:37 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-10-15 04:57 . 2008-08-30 03:49 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\Skype
2009-10-15 04:44 . 2008-08-30 03:52 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\skypePM
2009-10-13 07:07 . 2008-04-13 22:41 -------- d-----w- c:\program files\Steam
2009-10-13 07:04 . 2008-04-13 22:41 -------- d-----w- c:\program files\Common Files\Steam
2009-10-13 06:52 . 2008-05-18 03:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-13 06:30 . 2009-09-05 05:11 -------- d-----w- c:\programdata\Lavasoft
2009-10-13 06:10 . 2009-01-11 20:00 -------- d-----w- c:\program files\AVG
2009-10-13 04:50 . 2008-10-12 02:07 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\mIRC
2009-10-13 04:22 . 2007-09-04 06:36 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\LimeWire
2009-10-13 03:30 . 2009-06-30 21:49 -------- d-----w- c:\program files\Cheat Engine
2009-10-07 04:39 . 2007-07-13 20:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-30 18:46 . 2008-02-23 19:13 -------- d-----w- c:\program files\Windows Live
2009-09-30 03:40 . 2007-12-16 09:26 -------- d-----w- c:\program files\Windows Live Toolbar
2009-09-30 03:40 . 2009-04-29 02:56 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-27 02:51 . 2009-04-12 04:18 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\GetRightToGo
2009-09-26 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-26 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-26 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-26 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-26 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-26 16:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-09 07:20 . 2008-03-12 03:01 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 06:25 . 2009-09-06 06:25 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\vlc
2009-09-06 06:24 . 2008-04-11 01:24 -------- d-----w- c:\program files\VideoLAN
2009-09-05 20:06 . 2009-09-05 20:06 16197632 ----a-w- c:\windows\system32\imageres.dll
2009-09-05 10:44 . 2008-06-19 05:56 -------- d-----w- c:\program files\Stardock
2009-09-05 10:35 . 2009-09-05 10:35 -------- d--h--w- c:\programdata\{F0297D39-7A45-442F-AFF5-271488E85934}
2009-09-05 06:29 . 2009-09-05 05:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-05 05:03 . 2009-09-05 05:03 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-05 05:02 . 2009-09-05 05:02 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\SUPERAntiSpyware.com
2009-09-01 10:03 . 2009-09-01 09:59 -------- d-----w- c:\program files\LimeWire
2009-09-01 09:58 . 2009-04-24 02:54 -------- d-----w- c:\users\gangstajosh55\AppData\Roaming\FrostWire
2009-08-29 00:27 . 2009-09-02 21:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 21:41 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 20:27 . 2009-07-04 05:04 -------- d-----w- c:\program files\ooVoo
2009-08-27 05:22 . 2009-10-16 16:57 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-16 16:57 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-16 16:57 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-16 16:57 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-09 03:23 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 03:23 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 03:23 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 03:23 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 03:23 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 03:23 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 03:23 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 03:23 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 03:23 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 03:23 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 03:23 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-07 23:51 . 2009-08-07 23:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-07 23:51 . 2009-08-07 23:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2007-05-03 20:29 . 2007-05-03 20:29 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 23:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 23:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-05 1994480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-03-28 49168]
"Turbo Gear Help"="c:\program files\ASUS\Turbo Gear\GearHelp.exe" [2007-05-18 617984]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 92704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-09-23 382224]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-06-20 4493312]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 23:46 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):98,50,5d,05,c4,3e,ca,01

R0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys [9/23/2009 9:44 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys [9/23/2009 9:44 AM 59664]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2009 3:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2009 3:22 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/16/2009 2:36 PM 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [10/17/2009 4:05 PM 1153368]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [9/30/2009 3:10 AM 185640]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [10/11/2009 5:06 PM 603904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/19/2007 10:22 PM 24652]
R3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\System32\drivers\USBGENE.sys [7/13/2007 1:25 PM 124032]
R3 FStarForce;FStarForce;c:\windows\System32\drivers\FStarForce.sys [7/2/2009 3:26 AM 9216]
R3 itecir;ITECIR Infrared Receiver;c:\windows\System32\drivers\itecir.sys [7/13/2007 1:26 PM 47616]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\System32\drivers\libusb0.sys [2/23/2009 3:18 PM 28672]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2009 3:22 PM 7408]
R3 TfNetMon;TfNetMon;c:\windows\System32\drivers\TfNetMon.sys [9/23/2009 9:44 AM 33552]
S2 MySQL4;MySQL4;"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt" --defaults-file="c:\program files\MySQL\MySQL Server 4.1\my.ini" MySQL4 --> c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt [?]
S3 CEDRIVER53;CEDRIVER53;c:\program files\Cheat Engine\dbk32.sys [6/30/2009 5:49 PM 36096]
S3 LachesisFltr;Lachesis Mouse Driver;c:\windows\System32\drivers\Lachesis.sys [2/13/2009 8:04 PM 12032]
S4 root;root;"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\MySQL\MySQL Server 5.0\my.ini" root --> c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 20:28]

2009-10-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
.
------- Supplementary Scan -------
.
DPF: Justin.tv Publisher - hxxp://www.justin.tv/plugins/justintv_publisher.CAB
FF - ProfilePath - c:\users\gangstajosh55\AppData\Roaming\Mozilla\Firefox\Profiles\bkmbhybb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----


.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 14:34
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MySQL4]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL4"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\root]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" root"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4089802474-2605061407-2767271338-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:e5,25,d3,d7,d9,cb,65,62,42,16,e8,21,f6,21,48,06,6a,3c,36,55,6e,6b,d2,
1e,a7,13,cf,1a,d6,bb,4f,46,b9,54,bd,53,87,39,e8,9b,53,f9,0f,3e,3f,9d,65,5b,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-4089802474-2605061407-2767271338-1001\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:c7,16,8b,e5,ee,ab,bf,0b,70,b9,fd,d5,4e,46,fe,b2,5c,84,45,d2,9f,
40,32,d4,a9,dd,a8,20,1f,7a,d8,d1,52,0e,90,79,0d,53,e0,52,e9,b2,c7,a0,12,ef,\
"rkeysecu"=hex:de,b6,88,f1,4a,ef,9e,a7,7b,a7,e0,ef,c4,ac,6c,b4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2009-10-22 14:40
ComboFix-quarantined-files.txt 2009-10-22 18:40

Pre-Run: 87,194,001,408 bytes free
Post-Run: 96,037,101,568 bytes free

- - End Of File - - 9AA4D0F5EFF99C9EFA486B5968E61651