Extreme Malware. Format doesn't help.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Post by logikz » August 28th, 2009, 2:37 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:09 AM, on 8/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://asdfds/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sdafsdaf:80
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QRK - Unknown owner - C:\DOCUME~1\FryPan\LOCALS~1\Temp\QRK.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 4125 bytes


------------------------

I installed Sandboxie because I saw sandbox.sys hooked in all my SSDT entries. I've been dealing with this for a while. Formatting doesn't help.

Also, every time I shut down, my background changes to the default one. Also, when I reformat, my default icon for the Start menu changes. The computer starts up on its own and shuts off randomly.

ComboFix 09-08-30.01 - FryPan 08/30/2009 22:24.4.1 - NTFSx86
Running from: c:\documents and settings\FryPan\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.dat
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.lan
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.msi
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.par
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.res
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\instance.dat
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\mia.lib
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\Installer\451f5.msi
c:\windows\Installer\451f6.msp
c:\windows\Installer\451f7.msp
c:\windows\Installer\451f8.msp
c:\windows\Installer\451f9.msp
c:\windows\Installer\451fa.msp
c:\windows\Installer\451fb.msp
c:\windows\Installer\451fc.msp
c:\windows\Installer\451fd.msp
c:\windows\Installer\451fe.msp
c:\windows\Installer\4f8c132.msi
c:\windows\Installer\4f8c133.msp
c:\windows\Installer\4f8c134.msp
c:\windows\Installer\4f8c135.msp
c:\windows\Installer\4f8c136.msp
c:\windows\Installer\4f8c137.msp
c:\windows\Installer\4f8c138.msp
c:\windows\Installer\4f8c139.msp
c:\windows\Installer\4f8c13a.msp
c:\windows\Installer\4f8c13b.msp
c:\windows\Installer\4f8c1df.msi
c:\windows\Installer\4f8c1e0.msp
c:\windows\Installer\4f8c1e1.msp
c:\windows\Installer\4f8c1e2.msp
c:\windows\Installer\4f8c1e3.msp
c:\windows\Installer\4f8c1e4.msp
c:\windows\Installer\4f8c1e5.msp
c:\windows\Installer\4f8c1e6.msp
c:\windows\Installer\4f8c1e7.msp
c:\windows\Installer\4f8c1e8.msp
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\ss.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
D:\csrss.exe
D:\explorer.exe
D:\lsass.exe
D:\services.exe
D:\smss.exe
D:\winlogon.exe
D:\wupdmgr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-31 03:11 . 2009-08-31 03:11 -------- d-----w- c:\program files\Support Tools
2009-08-31 02:55 . 2009-08-31 02:55 -------- d-----w- c:\program files\WinDirStat
2009-08-31 02:55 . 2009-08-31 02:56 -------- d-----w- c:\program files\SysOrb Server
2009-08-31 02:47 . 2009-08-31 02:47 -------- d-----w- c:\program files\Certero
2009-08-31 02:38 . 2009-08-31 02:38 -------- d-----w- C:\removeit
2009-08-30 10:05 . 2009-08-30 10:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-08-30 09:49 . 2009-08-30 09:49 -------- d-----w- c:\program files\Rpm
2009-08-30 09:16 . 2009-08-30 09:16 18272416 ----a-w- c:\documents and settings\All Users\Application Data\Appupdater\wireshark-win32-1.2.0.exe
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\JRE
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\OpenOffice.org 3
2009-08-30 09:06 . 2009-08-30 09:10 155255392 ----a-w- c:\documents and settings\All Users\Application Data\Appupdater\OOo_3.1.0_Win32Intel_install_wJRE_en-US.exe
2009-08-30 09:06 . 2009-08-30 09:30 1925024 ----a-w- c:\documents and settings\All Users\Application Data\Appupdater\install_flash_player.exe
2009-08-30 09:06 . 2009-08-30 09:06 939956 ----a-w- c:\documents and settings\All Users\Application Data\Appupdater\7z465.exe
2009-08-30 09:04 . 2009-08-30 09:04 -------- d-----w- c:\windows\quarantined
2009-08-30 09:04 . 2009-08-30 09:04 -------- d-----w- c:\program files\utils
2009-08-30 09:01 . 2009-08-30 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Appupdater
2009-08-30 09:01 . 2009-08-30 09:01 -------- d-----w- c:\documents and settings\FryPan\Application Data\gnupg
2009-08-30 09:00 . 2009-08-30 09:00 -------- d-----w- c:\documents and settings\All Users\Appupdater
2009-08-30 09:00 . 2009-08-31 02:49 -------- d-----w- c:\program files\GNU
2009-08-30 08:46 . 2009-08-30 08:46 -------- d-----w- c:\program files\Technology Pathways
2009-08-30 08:37 . 2009-08-30 08:44 -------- d-----w- c:\documents and settings\FryPan\Application Data\VMware
2009-08-30 08:29 . 2008-10-30 22:59 9600 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-08-30 08:29 . 2008-10-30 22:59 5120 ----a-r- c:\windows\system32\vnetinst.dll
2009-08-30 08:29 . 2009-08-30 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-08-30 08:28 . 2008-10-30 22:59 10240 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-08-30 08:20 . 2009-08-30 08:38 -------- d-----w- C:\Virtual Machines
2009-08-30 08:15 . 2009-08-30 08:37 -------- d-----w- C:\cygwin
2009-08-30 04:47 . 2009-08-30 04:47 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\wj32
2009-08-30 04:38 . 2009-08-30 04:38 -------- d-----w- c:\program files\Process Hacker
2009-08-30 04:25 . 2009-08-30 04:28 -------- d-----w- C:\Lop SD
2009-08-28 07:05 . 2009-08-28 07:05 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Runscanner.net
2009-08-28 06:42 . 2009-08-28 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-08-28 06:11 . 2009-08-28 06:11 -------- d-----w- c:\program files\ESET
2009-08-28 05:57 . 2009-08-30 04:47 -------- d-----w- c:\program files\Deep System Explorer
2009-08-28 05:23 . 2009-08-28 05:23 -------- d-----w- C:\Sandbox
2009-08-28 05:22 . 2009-08-28 05:22 -------- d-----w- c:\program files\Sandboxie
2009-08-28 05:16 . 2009-08-28 05:16 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Help
2009-08-25 04:08 . 2009-08-25 04:08 8 ----a-w- c:\windows\system32\nvModes.dat
2009-08-25 00:10 . 2009-08-25 00:39 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Deployment
2009-08-21 15:18 . 2008-07-08 13:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2009-08-21 15:07 . 2009-08-31 03:32 -------- d-----w- c:\windows\system32\CatRoot2
2009-08-21 14:51 . 2009-08-21 14:51 -------- d-----w- c:\documents and settings\FryPan\Application Data\DNTU
2009-08-21 14:49 . 2009-08-21 14:51 -------- d-----w- c:\documents and settings\FryPan\Application Data\DameWare Development
2009-08-21 14:33 . 2009-08-21 14:33 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Sophos
2009-08-21 14:22 . 2009-08-21 14:23 -------- dc-h--w- c:\windows\ie8
2009-08-21 13:47 . 2009-08-21 13:47 -------- d-----w- c:\program files\FrostWire
2009-08-21 13:17 . 2009-08-21 13:17 -------- d-----w- c:\documents and settings\FryPan\Application Data\SystemTools
2009-08-21 12:55 . 2009-08-21 12:55 152576 ----a-w- c:\documents and settings\FryPan\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-21 12:42 . 2009-08-21 12:42 70144 ----a-r- c:\documents and settings\FryPan\Application Data\Microsoft\Installer\{52D862F9-F281-41B5-8806-58D4ABB8159E}\IconA2E65BCA.exe
2009-08-21 12:42 . 2009-08-21 12:42 39936 ----a-r- c:\documents and settings\FryPan\Application Data\Microsoft\Installer\{52D862F9-F281-41B5-8806-58D4ABB8159E}\Icon1DEF20221.exe
2009-08-21 12:42 . 2009-08-21 12:42 -------- d-----w- c:\program files\DameWare Development
2009-08-21 12:11 . 2009-08-31 02:49 -------- d-----w- c:\documents and settings\FryPan\Application Data\eMule
2009-08-21 12:11 . 2009-08-21 12:11 -------- d-----w- c:\program files\eMule
2009-08-21 11:54 . 2009-08-23 09:54 15 ----a-w- c:\documents and settings\FryPan\settings.dat
2009-08-21 11:41 . 2009-08-21 11:41 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Identities
2009-08-21 11:34 . 2009-01-20 17:52 31928 ----a-w- c:\windows\system32\rrMon.sys
2009-08-21 11:34 . 2009-08-21 11:34 -------- d-----w- c:\program files\Registrar Registry Manager
2009-08-21 11:33 . 2009-08-21 11:33 -------- d-----w- c:\program files\SanityCheck
2009-08-21 11:33 . 2009-03-08 02:23 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2009-08-21 11:27 . 2009-08-21 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-08-21 11:27 . 2009-08-21 11:27 -------- d-----w- C:\stdtsa
2009-08-12 00:46 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 20:38 . 2009-08-10 20:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:49 . 2009-08-04 20:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-04 20:49 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-04 20:38 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-04 20:38 . 2009-08-04 20:38 -------- dc----w- c:\windows\system32\DRVSTORE
2009-08-04 20:37 . 2009-08-04 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-04 20:37 . 2009-08-04 20:37 -------- d-----w- c:\program files\Lavasoft
2009-08-04 16:25 . 2005-08-30 20:19 1052672 ----a-w- c:\documents and settings\FryPan\Application Data\Macromedia\Dreamweaver 8\Configuration\Flash Player\FlashPlayerW.dll
2009-08-04 16:18 . 2009-08-04 16:37 -------- d-----w- c:\program files\Common Files\Macromedia
2009-08-04 16:18 . 2009-08-04 16:37 -------- d-----w- c:\program files\Macromedia
2009-08-04 16:18 . 2009-08-30 08:45 -------- d-----w- c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 03:23 . 2008-09-18 22:44 -------- d-----w- c:\documents and settings\FryPan\Application Data\uTorrent
2009-08-31 02:56 . 2008-09-05 11:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 10:15 . 2009-06-05 16:34 -------- d-----w- c:\documents and settings\FryPan\Application Data\FrostWire
2009-08-30 10:05 . 2008-09-19 04:54 -------- d-----w- c:\program files\7-Zip
2009-08-30 09:19 . 2008-09-05 12:06 19352 ----a-w- c:\documents and settings\FryPan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 09:14 . 2008-09-05 13:21 -------- d-----w- c:\program files\OpenOffice.org 2.3
2009-08-30 09:11 . 2008-09-05 13:20 -------- d-----w- c:\program files\Java
2009-08-30 04:54 . 2009-05-15 01:42 -------- d-----w- c:\program files\stea
2009-08-28 07:55 . 2008-09-05 13:55 -------- d-----w- c:\program files\Trillian
2009-08-28 05:16 . 2009-08-28 05:15 -------- d-----w- c:\program files\Security Task Manager
2009-08-28 05:16 . 2009-08-28 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-25 04:12 . 2008-09-05 13:14 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-25 01:03 . 2008-12-24 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 01:03 . 2009-01-07 08:16 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-21 14:48 . 2008-10-24 23:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 14:19 . 2008-09-06 07:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-21 12:55 . 2009-06-05 14:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-21 10:51 . 2008-09-05 12:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:31 . 2008-09-05 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-03 18:36 . 2008-12-24 20:50 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2008-12-24 20:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-26 04:13 . 2009-07-26 04:13 -------- d-----w- c:\program files\Realtek AC97
2009-07-26 04:01 . 2009-06-06 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-07-25 16:46 . 2009-06-06 07:05 -------- d-----w- c:\program files\NVIDIA Corporation
2009-07-25 16:46 . 2009-07-25 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-07-25 10:23 . 2009-01-07 21:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 18:54 . 2009-07-26 03:58 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-14 18:54 . 2009-07-26 03:58 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-07-14 18:54 . 2009-07-26 03:58 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-07-14 18:54 . 2009-07-26 03:58 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-14 18:54 . 2009-07-26 03:58 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-07-14 18:35 . 2009-07-14 18:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 12:01 . 2009-07-26 03:58 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-17 04:59 . 2009-06-17 04:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-09-05 11:36 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-06 04:16 . 2009-06-06 04:16 290816 ----a-w- c:\documents and settings\FryPan\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-06-06 04:16 . 2009-06-06 04:16 290816 ----a-w- c:\documents and settings\FryPan\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-06-06 04:16 . 2009-06-06 04:16 290816 ----a-w- c:\documents and settings\FryPan\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-06-06 04:16 . 2009-06-06 04:16 290816 ----a-w- c:\documents and settings\FryPan\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-06-05 16:37 . 2009-06-05 16:37 0 ----a-w- c:\documents and settings\FryPan\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-05-28 380416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-07-07 1158472]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-08-03 577536]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"PLFlash DeviceIoControl Service"=2 (0x2)
"SharedAccess"=2 (0x2)
"UPS"=3 (0x3)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"xmlprov"=3 (0x3)
"Netlogon"=3 (0x3)
"SwPrv"=3 (0x3)
"HTTPFilter"=3 (0x3)
"ERSvc"=2 (0x2)
"MSDTC"=3 (0x3)
"aspnet_state"=3 (0x3)
"Dot3svc"=3 (0x3)
"rpcapd"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/4/2009 3:38 PM 64160]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [9/5/2008 6:53 AM 13696]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [5/18/2009 6:38 AM 672928]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [5/18/2009 6:37 AM 1238344]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 11:28 AM 30864]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/11/2009 1:57 PM 10384]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [5/18/2009 6:37 AM 30864]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [5/18/2009 6:38 AM 234640]
R3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [5/18/2009 6:38 AM 33408]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [5/28/2009 8:32 AM 108032]
S3 CMC AntiRootkit Service;CMC AntiRootkit Servic;c:\windows\system32\drivers\cmcantirootkit.sys --> c:\windows\system32\drivers\cmcantirootkit.sys [?]
S3 ffs;ffs;c:\documents and settings\FryPan\My Documents\Downloads\ffsdrv-0.5.1-winxp\ffs.sys [4/21/2007 9:15 PM 61312]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 QRK;QRK;c:\docume~1\FryPan\LOCALS~1\Temp\QRK.exe --> c:\docume~1\FryPan\LOCALS~1\Temp\QRK.exe [?]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [8/21/2009 6:33 AM 30136]
S3 VJHHXO;VJHHXO;c:\docume~1\FryPan\LOCALS~1\Temp\VJHHXO.exe --> c:\docume~1\FryPan\LOCALS~1\Temp\VJHHXO.exe [?]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2/27/2009 5:03 AM 603904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = sdafsdaf:80
FF - ProfilePath - c:\documents and settings\FryPan\Application Data\Mozilla\Firefox\Profiles\dfpjagct.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 22:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(388)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\msdtc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exep
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-31 22:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 03:37

Pre-Run: 45,643,243,520 bytes free
Post-Run: 45,852,803,072 bytes free

378 --- E O F --- 2009-08-21 15:23

2009-08-31 03:27:57 . 2009-08-31 03:27:57 2,418 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2009-08-31 03:27:57 . 2009-08-31 03:27:57 1,326 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2009-08-31 03:27:46 . 2009-09-01 01:35:39 6,537 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-08-31 03:22:57 . 2009-09-01 01:31:52 235 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-08-04 20:38:06 . 2009-08-04 20:38:06 90 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\instance.dat.vir
2009-08-04 20:38:06 . 2009-08-04 20:38:20 494 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.dat.vir
2009-08-04 20:38:06 . 2009-08-04 20:38:06 9 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.lan.vir
2009-08-04 20:38:06 . 2009-08-04 20:38:06 4,509 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.par.vir
2009-08-04 20:38:06 . 2009-07-08 17:28:46 578,782 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\mia.lib.vir
2009-08-04 20:38:06 . 2009-07-08 17:28:50 14,540,833 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.res.vir
2009-08-04 20:38:05 . 2009-07-08 17:28:44 1,860,608 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.msi.vir
2009-08-04 20:38:05 . 2009-07-08 17:28:49 2,920,112 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe.vir
2009-02-13 20:07:52 . 2009-02-13 20:07:52 88,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1df.msi.vir
2008-07-29 23:45:28 . 2008-07-29 23:45:28 2,543,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451f6.msp.vir
2008-07-29 23:45:28 . 2008-07-29 23:45:28 2,543,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c133.msp.vir
2008-07-29 23:45:28 . 2008-07-29 23:45:28 2,543,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1e8.msp.vir
2008-07-29 23:43:22 . 2008-07-29 23:43:22 1,013,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451fb.msp.vir
2008-07-29 23:43:22 . 2008-07-29 23:43:22 1,013,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c138.msp.vir
2008-07-29 23:43:22 . 2008-07-29 23:43:22 1,013,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1e3.msp.vir
2008-07-29 23:41:16 . 2008-07-29 23:41:16 6,487,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451f8.msp.vir
2008-07-29 23:41:16 . 2008-07-29 23:41:16 6,487,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c135.msp.vir
2008-07-29 23:41:16 . 2008-07-29 23:41:16 6,487,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1e6.msp.vir
2008-07-29 23:39:14 . 2008-07-29 23:39:14 3,403,264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451f9.msp.vir
2008-07-29 23:39:14 . 2008-07-29 23:39:14 3,403,264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c136.msp.vir
2008-07-29 23:39:14 . 2008-07-29 23:39:14 3,403,264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1e5.msp.vir
2008-07-29 23:37:12 . 2008-07-29 23:37:12 911,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451fd.msp.vir
2008-07-29 23:37:12 . 2008-07-29 23:37:12 911,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c13a.msp.vir
2008-07-29 23:37:12 . 2008-07-29 23:37:12 911,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1e1.msp.vir
2008-07-29 23:35:10 . 2008-07-29 23:35:10 553,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451fa.msp.vir
2008-07-29 23:35:10 . 2008-07-29 23:35:10 553,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c137.msp.vir
2008-07-29 23:35:10 . 2008-07-29 23:35:10 553,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1e4.msp.vir
2008-07-29 23:33:08 . 2008-07-29 23:33:08 506,368 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451fc.msp.vir
2008-07-29 23:33:08 . 2008-07-29 23:33:08 506,368 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c139.msp.vir
2008-07-29 23:33:08 . 2008-07-29 23:33:08 506,368 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1e2.msp.vir
2008-07-29 23:31:06 . 2008-07-29 23:31:06 6,083,072 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451fe.msp.vir
2008-07-29 23:31:06 . 2008-07-29 23:31:06 6,083,072 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c13b.msp.vir
2008-07-29 23:31:06 . 2008-07-29 23:31:06 6,083,072 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1e0.msp.vir
2008-07-29 23:29:04 . 2008-07-29 23:29:04 2,926,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451f7.msp.vir
2008-07-29 23:29:04 . 2008-07-29 23:29:04 2,926,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c134.msp.vir
2008-07-29 23:29:04 . 2008-07-29 23:29:04 2,926,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c1e7.msp.vir
2008-07-29 23:27:32 . 2008-07-29 23:27:32 93,184 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\451f5.msi.vir
2008-07-29 23:27:32 . 2008-07-29 23:27:32 93,184 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\4f8c132.msi.vir
2007-11-06 20:23:18 . 2007-11-06 20:23:18 240,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2007-11-06 20:22:30 . 2007-11-06 20:22:30 68,224 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\WanPacket.dll.vir
2007-11-06 20:22:26 . 2007-11-06 20:22:26 92,792 ----a-w- C:\Qoobox\Quarantine\C\Program Files\WinPcap\rpcapd.exe.vir
2007-11-06 20:22:20 . 2007-11-06 20:22:20 88,696 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir
2007-11-06 20:22:06 . 2007-11-06 20:22:06 34,064 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2007-11-06 20:19:28 . 2007-11-06 20:19:28 53,299 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir
2004-08-04 12:00:00 . 2008-04-14 00:12:34 31,232 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ss.exe.vir
Last edited by logikz on August 31st, 2009, 9:46 pm, edited 1 time in total.
logikz
Active Member
 
Posts: 5
Joined: August 28th, 2009, 2:35 am

Re: Extreme Malware. Format doesnt help.

Post by MWR 3 day Mod » August 31st, 2009, 10:53 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Extreme Malware. Format doesnt help.

Post by turtledove » September 2nd, 2009, 4:41 pm

Hello logikz and welcome to the forums :)

I am turtledove, and will be assisting you with your log.
If you still need assistance, please do the following:

*Print all instructions or Copy to Notepad for reference.
*Please note, unless I'm notified ahead of time, this topic will close if there is not a response in 3 Days.
*Place a link to this thread in your Favorites/Bookmarks for easily returning here.
*Please respond until I give the all clear, as absence of symptoms does NOT always mean Clean.
*Please do not run any other tools/scans unless requested*
**Please be sure you have read the Notice about Peer to Peer File Sharing Programs at the top of this forum**
Link: viewtopic.php?f=11&t=33112
*If you can do the above all should go well.

**As I am an Undergrad, my responses will be approved by an Expert/Teacher before I post to you; therefore it may take a tad bit more time to reply.
Thanks for your patience.


Since it has been some time since your above post, please post the following logs. I will go over the new logs and return as soon as possible.

Step 1
Please make an Uninstall list :
To access the Uninstall Manager, please do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad here on your next reply.

Step 2
Rerun HijackThis and Save the log.

Post the New HijackThis and the Uninstall list using the Reply button.

Thank you
turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Extreme Malware. Format doesnt help.

Post by logikz » September 2nd, 2009, 4:50 pm

7-Zip 4.65
Acrobat.com
Actiontec Gateway
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.3
Agnitum Outpost Firewall Pro
ASTRA32 - Advanced System Information Tool 2.02
Belarc Advisor 8.1
Captain Nemo Pro
CCleaner (remove only)
CDDRV_Installer
Certero PCAuditor 1.0.0.2
Counter-Strike
Counter-Strike: Source
DAEMON Tools Toolbar
DameWare NT Utilities
Deep System Explorer 1.0.406 Beta
DivX Codec
DVD Shrink 3.2
Dystopia
ERUNT 1.1j
ESET Online Scanner v3
FFXI App
FINAL FANTASY XI
FrostWire 4.18.1
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Insurgency
Java(TM) 6 Update 13
Java(TM) 6 Update 15
KhalInstallWrapper
Lexmark Z700-P700 Series
Logitech SetPoint
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Script 5.7
Mozilla Firefox (3.5.2)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero 8
neroxml
NetTools 5.0
Nmap 4.76
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA Performance
NVIDIA Performance
NVIDIA PhysX
NVIDIA System Monitor
NVIDIA System Monitor
NVIDIA System Update
NVIDIA System Update
OpenOffice.org 3.1
PlayOnline Viewer and Tetra Master
Process Hacker 1.5
ProDiscover Basic 5.5
Realtek AC'97 Audio
Registrar Registry Manager 6.02
RPM Library for Win32
Sandboxie 3.38
SanityCheck 1.02
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB972260)
Spybot - Search & Destroy
Steam
System Requirements Lab
Trillian
TrueCrypt
TuneUp Utilities 2009
Ultima Online: The Second Age
Unlocker 1.8.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
VCRedistSetup
Ventrilo Client
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Support Tools
Windows XP Service Pack 3
Wireshark 1.0.3
Xvid 1.1.3 final uninstall

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:45 PM, on 9/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\stea\Steam.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\FryPan\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sdafsdaf:80
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 3448 bytes
logikz
Active Member
 
Posts: 5
Joined: August 28th, 2009, 2:35 am
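A small triage script for the HijackThis log format posted above, added here as an example. It is not HijackThis code and its output consists of review heuristics, not verdicts. The sample log is constructed from a handful of the lines in the post above; the checks it applies (an IE proxy set in the registry, Run entries given as a bare file name or routed through rundll32, processes running from user-writable paths, ESC trusted-zone additions) are the editor's choices and simply mark the entries a helper would ask the poster about first.

```python
"""Triage helper for a HijackThis v2 log (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One lettered entry, e.g. "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install"
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# Body of an O4 registry autostart entry: hive, key, value name, command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r",ProxyServer = (?P<proxy>\S+)$")
# Path fragments a non-admin user (or malware running as that user) can write to
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")

# Constructed sample: a subset of the lines from the log posted above
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:45 PM, on 9/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Documents and Settings\FryPan\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sdafsdaf:80
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
"""


@dataclass
class HjtLog:
    processes: list[str] = field(default_factory=list)
    entries: list[tuple[str, str]] = field(default_factory=list)


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis v2 log into the process list and the lettered entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process block
                in_procs = False
            else:
                log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group("code"), m.group("body")))
    return log


def first_token(cmd: str) -> str:
    """Executable part of a Run command line, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0]


def triage(log: HjtLog) -> list[dict]:
    """Return review items. Each item means 'verify this', never 'this is malicious'."""
    items: list[dict] = []
    for proc in log.processes:
        if any(marker in proc.lower() for marker in USER_WRITABLE):
            items.append({"kind": "process_in_user_path", "detail": proc})
    for code, body in log.entries:
        if code == "R1":
            m = PROXY_RE.search(body)
            if m:
                # IE proxy pointed at an arbitrary host: deliberate or a hijack, ask the user
                items.append({"kind": "ie_proxy", "detail": m.group("proxy")})
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue            # Startup-folder style O4 lines are not handled here
            cmd = m.group("cmd")
            exe = first_token(cmd)
            if exe.lower() == "rundll32.exe":
                # the file worth checking is the DLL rundll32 loads, not rundll32 itself
                parts = cmd.split(None, 1)
                dll = parts[1].split(",", 1)[0] if len(parts) > 1 else ""
                items.append({"kind": "rundll32_target", "detail": dll})
            elif "\\" not in exe:
                # bare name: resolved via the PATH search order, so confirm which file runs
                items.append({"kind": "bare_run_entry", "detail": f"{m.group('name')} -> {exe}"})
        elif code == "O15":
            items.append({"kind": "esc_trusted_zone", "detail": body})
    return items


if __name__ == "__main__":
    for item in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{item['kind']:22} {item['detail']}")
```

Run it against a full log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`; a fully qualified `O4` path such as the Outpost entry above produces no item, while the `sdafsdaf:80` proxy, the two bare-name Run values and the DLL behind the `RUNDLL32.EXE` entry each produce one.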

Re: Extreme Malware. Format doesnt help.

Post by logikz » September 3rd, 2009, 3:23 am

ComboFix 09-09-02.02 - FryPan 09/03/2009 1:18.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.707 [GMT -5:00]
Running from: c:\documents and settings\FryPan\My Documents\Downloads\ComboFix.exe
FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-03 05:38 . 2009-09-03 05:38 -------- d-----w- c:\program files\dsak
2009-09-03 05:08 . 2009-09-03 05:09 -------- d-----w- C:\rsit
2009-09-03 05:02 . 2009-09-03 05:02 185344 ----a-w- c:\windows\system32\drivers\KeDetective130.sys
2009-09-03 04:16 . 2009-09-03 04:17 -------- d-----w- c:\program files\Driver Sweeper
2009-09-03 04:13 . 2009-09-03 04:13 -------- d-----w- C:\RootkitNO
2009-09-03 04:03 . 2009-09-03 04:03 2 --shatr- c:\windows\winstart.bat
2009-09-03 04:02 . 2009-09-03 04:02 -------- d-----w- c:\program files\Greatis
2009-09-03 03:40 . 2009-09-03 03:40 -------- d-----w- C:\ERDNT
2009-09-03 03:40 . 2009-09-03 03:40 -------- d-----w- C:\!FixIEDef
2009-09-01 03:04 . 2009-09-01 03:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-01 03:04 . 2009-09-01 03:04 -------- d-----w- c:\program files\Lavasoft
2009-09-01 02:29 . 2009-09-03 05:35 -------- d-----w- c:\program files\ERUNT
2009-08-31 09:56 . 2009-08-31 09:56 -------- d-----w- c:\documents and settings\FryPan\Application Data\OpenOffice.org
2009-08-31 09:35 . 2009-08-31 09:35 -------- d-----w- c:\windows\images
2009-08-31 09:35 . 2009-08-31 09:35 -------- d-----w- c:\windows\docs
2009-08-31 03:56 . 2009-08-31 03:59 -------- d-----w- c:\windows\system32\NtmsData
2009-08-31 03:53 . 2009-08-31 03:53 -------- d-----w- C:\VundoFix Backups
2009-08-31 03:11 . 2009-08-31 09:26 -------- d-----w- c:\program files\Support Tools
2009-08-31 02:55 . 2009-08-31 02:55 -------- d-----w- c:\program files\WinDirStat
2009-08-31 02:55 . 2009-08-31 02:56 -------- d-----w- c:\program files\SysOrb Server
2009-08-31 02:47 . 2009-08-31 02:47 -------- d-----w- c:\program files\Certero
2009-08-31 02:38 . 2009-09-03 04:07 -------- d-----w- C:\removeit
2009-08-30 10:06 . 2009-08-30 10:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\VMware
2009-08-30 10:05 . 2009-08-30 10:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-08-30 09:49 . 2009-08-30 09:49 -------- d-----w- c:\program files\Rpm
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\JRE
2009-08-30 09:15 . 2009-08-30 09:15 -------- d-----w- c:\program files\OpenOffice.org 3
2009-08-30 09:04 . 2009-08-31 09:35 -------- d-----w- c:\windows\quarantined
2009-08-30 09:04 . 2009-08-30 09:04 -------- d-----w- c:\program files\utils
2009-08-30 09:01 . 2009-08-30 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Appupdater
2009-08-30 09:01 . 2009-08-30 09:01 -------- d-----w- c:\documents and settings\FryPan\Application Data\gnupg
2009-08-30 09:00 . 2009-08-30 09:00 -------- d-----w- c:\documents and settings\All Users\Appupdater
2009-08-30 09:00 . 2009-08-31 02:49 -------- d-----w- c:\program files\GNU
2009-08-30 08:46 . 2009-08-30 08:46 -------- d-----w- c:\program files\Technology Pathways
2009-08-30 08:37 . 2009-08-30 08:44 -------- d-----w- c:\documents and settings\FryPan\Application Data\VMware
2009-08-30 08:29 . 2008-10-30 22:59 9600 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-08-30 08:29 . 2008-10-30 22:59 5120 ----a-r- c:\windows\system32\vnetinst.dll
2009-08-30 08:29 . 2009-08-30 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-08-30 08:28 . 2008-10-30 22:59 10240 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-08-30 08:20 . 2009-08-30 08:38 -------- d-----w- C:\Virtual Machines
2009-08-30 08:15 . 2009-08-30 08:37 -------- d-----w- C:\cygwin
2009-08-30 04:47 . 2009-08-30 04:47 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\wj32
2009-08-30 04:38 . 2009-08-30 04:38 -------- d-----w- c:\program files\Process Hacker
2009-08-30 04:25 . 2009-09-03 05:38 -------- d-----w- C:\Lop SD
2009-08-28 07:05 . 2009-09-03 05:44 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Runscanner.net
2009-08-28 06:42 . 2009-08-28 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-08-28 06:11 . 2009-08-28 06:11 -------- d-----w- c:\program files\ESET
2009-08-28 05:57 . 2009-09-03 06:17 -------- d-----w- c:\program files\Deep System Explorer
2009-08-28 05:23 . 2009-08-28 05:23 -------- d-----w- C:\Sandbox
2009-08-28 05:22 . 2009-08-28 05:22 -------- d-----w- c:\program files\Sandboxie
2009-08-28 05:16 . 2009-08-28 05:16 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Help
2009-08-28 05:15 . 2009-08-31 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-25 04:08 . 2009-08-25 04:08 8 ----a-w- c:\windows\system32\nvModes.dat
2009-08-25 00:10 . 2009-08-25 00:39 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Deployment
2009-08-21 15:18 . 2008-07-08 13:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2009-08-21 15:07 . 2009-09-03 06:18 -------- d-----w- c:\windows\system32\CatRoot2
2009-08-21 14:51 . 2009-08-21 14:51 -------- d-----w- c:\documents and settings\FryPan\Application Data\DNTU
2009-08-21 14:49 . 2009-08-21 14:51 -------- d-----w- c:\documents and settings\FryPan\Application Data\DameWare Development
2009-08-21 14:33 . 2009-08-21 14:33 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Sophos
2009-08-21 14:22 . 2009-08-21 14:23 -------- dc-h--w- c:\windows\ie8
2009-08-21 13:47 . 2009-08-21 13:47 -------- d-----w- c:\program files\FrostWire
2009-08-21 13:17 . 2009-08-21 13:17 -------- d-----w- c:\documents and settings\FryPan\Application Data\SystemTools
2009-08-21 12:42 . 2009-08-21 12:42 -------- d-----w- c:\program files\DameWare Development
2009-08-21 12:11 . 2009-08-31 02:49 -------- d-----w- c:\documents and settings\FryPan\Application Data\eMule
2009-08-21 12:11 . 2009-08-21 12:11 -------- d-----w- c:\program files\eMule
2009-08-21 11:54 . 2009-08-23 09:54 15 ----a-w- c:\documents and settings\FryPan\settings.dat
2009-08-21 11:41 . 2009-08-21 11:41 -------- d-----w- c:\documents and settings\FryPan\Local Settings\Application Data\Identities
2009-08-21 11:34 . 2009-01-20 17:52 31928 ----a-w- c:\windows\system32\rrMon.sys
2009-08-21 11:34 . 2009-08-21 11:34 -------- d-----w- c:\program files\Registrar Registry Manager
2009-08-21 11:33 . 2009-08-21 11:33 -------- d-----w- c:\program files\SanityCheck
2009-08-21 11:33 . 2009-03-08 02:23 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2009-08-21 11:27 . 2009-08-21 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-08-21 11:27 . 2009-08-21 11:27 -------- d-----w- C:\stdtsa
2009-08-12 00:46 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 20:38 . 2009-08-10 20:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:49 . 2009-08-04 20:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-04 20:49 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-04 20:38 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-04 20:38 . 2009-08-04 20:38 -------- dc----w- c:\windows\system32\DRVSTORE
2009-08-04 20:37 . 2009-08-04 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-04 16:18 . 2009-08-04 16:37 -------- d-----w- c:\program files\Common Files\Macromedia
2009-08-04 16:18 . 2009-08-04 16:37 -------- d-----w- c:\program files\Macromedia
2009-08-04 16:18 . 2009-08-30 08:45 -------- d-----w- c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 05:13 . 2009-03-11 18:54 -------- d-----w- c:\program files\Common Files\Logishrd
2009-09-01 08:03 . 2009-05-15 01:42 -------- d-----w- c:\program files\stea
2009-09-01 08:02 . 2008-09-05 13:55 -------- d-----w- c:\program files\Trillian
2009-09-01 07:41 . 2008-09-18 22:44 -------- d-----w- c:\documents and settings\FryPan\Application Data\uTorrent
2009-09-01 04:00 . 2008-09-05 12:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-01 04:00 . 2008-09-05 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-01 03:59 . 2008-09-05 13:14 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-31 09:19 . 2008-09-05 13:20 -------- d-----w- c:\program files\Java
2009-08-31 02:56 . 2008-09-05 11:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 10:15 . 2009-06-05 16:34 -------- d-----w- c:\documents and settings\FryPan\Application Data\FrostWire
2009-08-30 10:05 . 2008-09-19 04:54 -------- d-----w- c:\program files\7-Zip
2009-08-30 09:19 . 2008-09-05 12:06 19352 ----a-w- c:\documents and settings\FryPan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 09:14 . 2008-09-05 13:21 -------- d-----w- c:\program files\OpenOffice.org 2.3
2009-08-25 01:03 . 2008-12-24 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 14:48 . 2008-10-24 23:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 14:19 . 2008-09-06 07:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-21 12:55 . 2009-06-05 14:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2008-12-24 20:50 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2008-12-24 20:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-26 04:13 . 2009-07-26 04:13 -------- d-----w- c:\program files\Realtek AC97
2009-07-26 04:01 . 2009-06-06 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-07-25 16:46 . 2009-06-06 07:05 -------- d-----w- c:\program files\NVIDIA Corporation
2009-07-25 16:46 . 2009-07-25 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-07-25 10:23 . 2009-01-07 21:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 18:54 . 2009-07-26 03:58 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-14 18:54 . 2009-07-26 03:58 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-07-14 18:54 . 2009-07-26 03:58 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-07-14 18:54 . 2009-07-26 03:58 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-14 18:54 . 2009-07-26 03:58 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-07-14 18:35 . 2009-07-14 18:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 12:01 . 2009-07-26 03:58 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-17 04:59 . 2009-06-17 04:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-09-05 11:36 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-31_03.32.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 06:11 . 2009-09-03 06:11 16384 c:\windows\temp\Perflib_Perfdata_404.dat
- 2009-01-08 09:07 . 2004-08-04 04:29 63488 c:\windows\system32\drivers\atinxsxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 63488 c:\windows\system32\drivers\atinxsxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 31744 c:\windows\system32\drivers\atinxbxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 31744 c:\windows\system32\drivers\atinxbxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 73216 c:\windows\system32\drivers\atintuxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 73216 c:\windows\system32\drivers\atintuxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 13824 c:\windows\system32\drivers\atinttxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 13824 c:\windows\system32\drivers\atinttxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 28672 c:\windows\system32\drivers\atinsnxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 28672 c:\windows\system32\drivers\atinsnxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 52224 c:\windows\system32\drivers\atinraxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 52224 c:\windows\system32\drivers\atinraxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 14336 c:\windows\system32\drivers\atinpdxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 14336 c:\windows\system32\drivers\atinpdxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 13824 c:\windows\system32\drivers\atinmdxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 13824 c:\windows\system32\drivers\atinmdxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 57856 c:\windows\system32\drivers\atinbtxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 57856 c:\windows\system32\drivers\atinbtxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 34735 c:\windows\system32\drivers\ati1xsxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 34735 c:\windows\system32\drivers\ati1xsxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 29455 c:\windows\system32\drivers\ati1xbxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 29455 c:\windows\system32\drivers\ati1xbxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 36463 c:\windows\system32\drivers\ati1tuxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 36463 c:\windows\system32\drivers\ati1tuxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 21343 c:\windows\system32\drivers\ati1ttxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 21343 c:\windows\system32\drivers\ati1ttxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 26367 c:\windows\system32\drivers\ati1snxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 26367 c:\windows\system32\drivers\ati1snxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 63663 c:\windows\system32\drivers\ati1rvxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 63663 c:\windows\system32\drivers\ati1rvxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 30671 c:\windows\system32\drivers\ati1raxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 30671 c:\windows\system32\drivers\ati1raxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 12047 c:\windows\system32\drivers\ati1pdxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 12047 c:\windows\system32\drivers\ati1pdxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 11615 c:\windows\system32\drivers\ati1mdxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 11615 c:\windows\system32\drivers\ati1mdxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 56623 c:\windows\system32\drivers\ati1btxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 56623 c:\windows\system32\drivers\ati1btxx.sys
+ 2009-01-08 09:07 . 2008-04-13 23:11 32768 c:\windows\system32\dllcache\ativtmxx.dll
+ 2009-01-08 09:07 . 2004-08-04 03:29 63488 c:\windows\system32\dllcache\atinxsxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 31744 c:\windows\system32\dllcache\atinxbxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 73216 c:\windows\system32\dllcache\atintuxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 13824 c:\windows\system32\dllcache\atinttxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 28672 c:\windows\system32\dllcache\atinsnxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 52224 c:\windows\system32\dllcache\atinraxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 14336 c:\windows\system32\dllcache\atinpdxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 13824 c:\windows\system32\dllcache\atinmdxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 57856 c:\windows\system32\dllcache\atinbtxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 34735 c:\windows\system32\dllcache\ati1xsxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 29455 c:\windows\system32\dllcache\ati1xbxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 36463 c:\windows\system32\dllcache\ati1tuxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 21343 c:\windows\system32\dllcache\ati1ttxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 26367 c:\windows\system32\dllcache\ati1snxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 63663 c:\windows\system32\dllcache\ati1rvxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 30671 c:\windows\system32\dllcache\ati1raxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 12047 c:\windows\system32\dllcache\ati1pdxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 11615 c:\windows\system32\dllcache\ati1mdxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 56623 c:\windows\system32\dllcache\ati1btxx.sys
+ 2008-09-05 11:43 . 2009-09-01 03:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-05 11:43 . 2009-08-04 20:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-05 11:43 . 2009-09-01 03:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-05 11:43 . 2009-08-04 20:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-05 11:43 . 2009-08-04 20:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-05 11:43 . 2009-09-01 03:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-08 09:07 . 2008-04-14 00:11 32768 c:\windows\system32\ativtmxx.dll
+ 2009-01-08 09:07 . 2008-04-13 23:11 32768 c:\windows\system32\ativtmxx.dll
+ 2009-09-01 02:30 . 2009-09-01 02:30 8192 c:\windows\ERDNT\8-31-2009\Users\00000006\UsrClass.dat
+ 2009-09-01 02:30 . 2009-09-01 02:30 8192 c:\windows\ERDNT\8-31-2009\Users\00000002\UsrClass.dat
+ 2009-01-08 09:07 . 2004-08-04 03:29 104960 c:\windows\system32\drivers\atinrvxx.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 104960 c:\windows\system32\drivers\atinrvxx.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 701440 c:\windows\system32\drivers\ati2mtag.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 701440 c:\windows\system32\drivers\ati2mtag.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 327040 c:\windows\system32\drivers\ati2mtaa.sys
- 2009-01-08 09:07 . 2004-08-04 04:29 327040 c:\windows\system32\drivers\ati2mtaa.sys
+ 2009-01-08 09:07 . 2008-04-13 23:11 516768 c:\windows\system32\dllcache\ativvaxx.dll
+ 2009-01-08 09:07 . 2004-08-04 03:29 104960 c:\windows\system32\dllcache\atinrvxx.sys
+ 2009-01-08 09:07 . 2008-04-13 23:11 870784 c:\windows\system32\dllcache\ati3d1ag.dll
+ 2009-01-08 09:07 . 2004-08-04 03:29 701440 c:\windows\system32\dllcache\ati2mtag.sys
+ 2009-01-08 09:07 . 2004-08-04 03:29 327040 c:\windows\system32\dllcache\ati2mtaa.sys
+ 2009-01-08 09:07 . 2008-04-13 23:11 201728 c:\windows\system32\dllcache\ati2dvag.dll
+ 2009-01-08 09:07 . 2008-04-13 23:11 377984 c:\windows\system32\dllcache\ati2dvaa.dll
+ 2009-01-08 09:07 . 2008-04-13 23:11 229376 c:\windows\system32\dllcache\ati2cqag.dll
- 2009-08-04 20:49 . 2009-08-04 20:49 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-08-04 20:49 . 2009-09-01 03:46 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-01-08 09:07 . 2008-04-13 23:11 516768 c:\windows\system32\ativvaxx.dll
- 2009-01-08 09:07 . 2008-04-14 00:11 516768 c:\windows\system32\ativvaxx.dll
+ 2009-01-08 09:07 . 2008-04-13 23:11 870784 c:\windows\system32\ati3d1ag.dll
- 2009-01-08 09:07 . 2008-04-14 00:11 870784 c:\windows\system32\ati3d1ag.dll
+ 2009-01-08 09:07 . 2008-04-13 23:11 201728 c:\windows\system32\ati2dvag.dll
- 2009-01-08 09:07 . 2008-04-14 00:11 201728 c:\windows\system32\ati2dvag.dll
- 2009-01-08 09:07 . 2008-04-14 00:11 377984 c:\windows\system32\ati2dvaa.dll
+ 2009-01-08 09:07 . 2008-04-13 23:11 377984 c:\windows\system32\ati2dvaa.dll
- 2009-01-08 09:07 . 2008-04-14 00:11 229376 c:\windows\system32\ati2cqag.dll
+ 2009-01-08 09:07 . 2008-04-13 23:11 229376 c:\windows\system32\ati2cqag.dll
+ 2008-12-25 03:47 . 2005-10-20 16:00 157696 c:\windows\ERUNT\ERUNT.EXE
+ 2009-09-03 05:36 . 2009-09-03 05:36 253952 c:\windows\ERDNT\9-3-2009\Users\00000002\UsrClass.dat
+ 2009-09-03 05:36 . 2005-10-20 17:02 163328 c:\windows\ERDNT\9-3-2009\ERDNT.EXE
+ 2009-09-01 02:30 . 2009-09-01 02:30 229376 c:\windows\ERDNT\8-31-2009\Users\00000005\NTUSER.DAT
+ 2009-09-01 02:30 . 2009-09-01 02:30 253952 c:\windows\ERDNT\8-31-2009\Users\00000004\UsrClass.dat
+ 2009-09-01 02:30 . 2009-09-01 02:30 225280 c:\windows\ERDNT\8-31-2009\Users\00000001\NTUSER.DAT
+ 2009-09-01 02:30 . 2005-10-20 17:02 163328 c:\windows\ERDNT\8-31-2009\ERDNT.EXE
+ 2009-01-08 09:07 . 2008-04-13 23:11 1888992 c:\windows\system32\dllcache\ati3duag.dll
- 2009-01-08 09:07 . 2008-04-14 00:11 1888992 c:\windows\system32\ati3duag.dll
+ 2009-01-08 09:07 . 2008-04-13 23:11 1888992 c:\windows\system32\ati3duag.dll
+ 2009-09-01 03:04 . 2009-09-01 03:04 1859072 c:\windows\Installer\33f647.msi
+ 2009-09-03 05:36 . 2009-09-03 05:36 6721536 c:\windows\ERDNT\9-3-2009\Users\00000001\NTUSER.DAT
+ 2009-09-01 02:30 . 2009-09-01 02:30 6721536 c:\windows\ERDNT\8-31-2009\Users\00000003\NTUSER.DAT
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-07-07 1158472]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"PLFlash DeviceIoControl Service"=2 (0x2)
"SharedAccess"=2 (0x2)
"UPS"=3 (0x3)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"xmlprov"=3 (0x3)
"Netlogon"=3 (0x3)
"SwPrv"=3 (0x3)
"HTTPFilter"=3 (0x3)
"ERSvc"=2 (0x2)
"MSDTC"=3 (0x3)
"aspnet_state"=3 (0x3)
"Dot3svc"=3 (0x3)
"rpcapd"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"SoundMan"=SOUNDMAN.EXE

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/4/2009 3:38 PM 64160]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [9/5/2008 6:53 AM 13696]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [5/18/2009 6:38 AM 672928]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 11:28 AM 30864]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/11/2009 1:57 PM 10384]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [5/18/2009 6:37 AM 30864]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [5/18/2009 6:38 AM 234640]
R3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [5/18/2009 6:38 AM 33408]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [5/28/2009 8:32 AM 108032]
R3 SSDTDrv;SSDT Viewier;c:\documents and settings\FryPan\My Documents\Downloads\SSDTViewer\SSDTDrv.sys [5/18/2006 2:11 AM 4096]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [5/18/2009 6:37 AM 1238344]
S3 CMC AntiRootkit Service;CMC AntiRootkit Servic;c:\windows\system32\drivers\cmcantirootkit.sys --> c:\windows\system32\drivers\cmcantirootkit.sys [?]
S3 ffs;ffs;c:\documents and settings\FryPan\My Documents\Downloads\ffsdrv-0.5.1-winxp\ffs.sys [4/21/2007 9:15 PM 61312]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [8/21/2009 6:33 AM 30136]
S3 TQQCSW;TQQCSW;c:\docume~1\FryPan\LOCALS~1\Temp\TQQCSW.exe --> c:\docume~1\FryPan\LOCALS~1\Temp\TQQCSW.exe [?]
S4 QRK;QRK;c:\docume~1\FryPan\LOCALS~1\Temp\QRK.exe --> c:\docume~1\FryPan\LOCALS~1\Temp\QRK.exe [?]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2/27/2009 5:03 AM 603904]
S4 VJHHXO;VJHHXO;c:\docume~1\FryPan\LOCALS~1\Temp\VJHHXO.exe --> c:\docume~1\FryPan\LOCALS~1\Temp\VJHHXO.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSDTDRV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-sglfb.sys
SafeBoot-tga.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = sdafsdaf:80
FF - ProfilePath - c:\documents and settings\FryPan\Application Data\Mozilla\Firefox\Profiles\dfpjagct.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 01:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1276)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-03 1:23
ComboFix-quarantined-files.txt 2009-09-03 06:23
ComboFix2.txt 2009-09-01 01:38
ComboFix3.txt 2009-08-31 03:37

Pre-Run: 52,262,952,960 bytes free
Post-Run: 52,214,468,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

380 --- E O F --- 2009-08-21 15:23

Re: Extreme Malware. Format doesnt help.

Unread postby logikz » September 4th, 2009, 4:12 am

Name: BZub
Type: Trojan

Description:
A malicious program that has a hidden harmful routine to exploit system vulnerabilities.

Registry Keys:
HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Control Panel\load


Name: BiFrost
Type: Backdoor

Description:
Gives someone else access to your computer by bypassing the normal authentication procedures.

Registry Keys:
HKEY_USERS\S-1-5-21-606747145-507921405-725345543-1003\software\Wget


I need help! My firewall detected this ><

Re: Extreme Malware. Format doesnt help.

Unread postby turtledove » September 6th, 2009, 7:25 pm

Hello logikz,

Apologies for the delay, we have been very busy.

**Important**
Do not run any scans I have not asked for on your own
Copy or Print ALL instructions given for reference


Step 1

Remove P2P software
While looking over your log, I have noticed the following Peer-to-Peer filesharing programs are present on your computer:
If still present:

eMule
FrostWire
uTorrent


These programs are the #1 source of infected systems. Although the software itself can be clean, the files you download are often infected with malware. Because of this, we do not allow P2P software present on machines we're cleaning anymore.

This means you must remove the above Peer-to-Peer filesharing programs and any others present on your machine. For a full explanation of our policy, please read the following P2P Program Policy.


You can uninstall these programs in the Control Panel -> Add/remove Programs. Please do so and post a new HijackThis log/Uninstall list.


Open My Computer and go to the following folders; delete the RED Named folders:
c:\documents and settings\FryPan\Application Data\eMule
c:\documents and settings\FryPan\Application Data\FrostWire
c:\documents and settings\FryPan\Application Data\uTorrent



Step 2

Please Download SysProt Antirootkit
You will find it at the bottom of the page under attachments, or you can get it from one of the mirrors.

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items and check Hidden Objects Only at the bottom of the window.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Step 3

Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.


Post
log from SysProt folder
RSIT log.txt and info.txt
Any issues

Thank you

TD

Re: Extreme Malware. Format doesnt help.

Unread postby askey127 » September 11th, 2009, 7:32 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.