nikkers1970
1 Copper

code 80073EFE and browser hijacking

Hi,

I get code 80073EFE when trying to run Windows Update. As well, I get random page redirects in Firefox and some websites I cannot access at all, they're consistently redirected. hxxp://www.phoenixviewer.com is one, though I know for a fact the site is legit and up and running as I can access parts of it if I know the direct URL.

This web page: hxxp://dl3.avagate.net/search.php just randomly opened as I was typing this post.

This is my Malwarebytes log run last night:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5124

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

11/16/2010 11:09:04 AM
mbam-log-2010-11-16 (11-09-04).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 428821
Time elapsed: 4 hour(s), 30 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Nikki\AppData\Local\Temp\1175.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
D:\Restored Files\Erich Von Gotha\A Very Special Prison\puprison02.jpg (Extension.Mismatch) -> Quarantined and deleted successfully.
D:\Restored Files\Tarsis\Nazi Doublecross\nazi_doublecross00.jpg (Extension.Mismatch) -> Quarantined and deleted successfully.


This is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:39:30 PM, on 11/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\AVG\avgtray.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
E:\Program Files\AVG\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\PikkuBot\PikkuBot-Flutterby_Swallowtail.exe
E:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
E:\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SHOUTcast Loader - {ccec60fc-2608-4e58-9659-3ffc159e8ea9} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Java\bin\jp2ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: SHOUTcast Radio Toolbar - {0457331d-8ca6-4f97-9c26-6a9ef2b2dba8} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll (file missing)
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG_TRAY] E:\Program Files\AVG\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: _Flutterby Swallowtail.lnk = E:\PikkuBot\PikkuStarter.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &SHOUTcast Search - C:\ProgramData\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O15 - Trusted Zone: http://get.adobe.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - E:\Program Files\AVG\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - E:\Program Files\AVG\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcg_device -   - C:\Windows\system32\dlcgcoms.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 9586 bytes


Thank you in advance for your help.

Nikki

1972vet
5 Tungsten

Re: code 80073EFE and browser hijacking

Greetings nikkers1970 and Welcome to the Forums,
Disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here. Next, please download the free utility DDS. Double click dds.scr to run the tool.

When it completes, DDS will open two (2) logs:


  • DDS.txt
  • Attach.txt

Save both reports to your desktop. 

Please include the following logs in your next reply, Thanks!:

DDS.txt

Attach.txt

Disabled Veteran, U.S.C.G. 1972 - 1978
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]

nikkers1970
1 Copper

Re: code 80073EFE and browser hijacking

Hi 1972vet, thanks for the quick reply. Following are the 2 logs. I'm also getting random "Host Process for Windows Services has stopped working" messages; these are the details of the latest one:

Host Process for Windows Services has stopped working

Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    svchost.exe
  Application Version:    6.0.6001.18000
  Application Timestamp:    47918b89
  Fault Module Name:    urlmon.dll
  Fault Module Version:    8.0.6001.18865
  Fault Module Timestamp:    4b078b47
  Exception Code:    c0000005
  Exception Offset:    0002df5e
  OS Version:    6.0.6002.2.2.0.768.3
  Locale ID:    4105
  Additional Information 1:    1fa2
  Additional Information 2:    8b27ae67edee9f193c029e554eeba4a9
  Additional Information 3:    e182
  Additional Information 4:    83207b1c152cafef8221edb9d9bc1559

Read our privacy statement:
  http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

DDS.txt:


DDS (Ver_10-11-10.01) - NTFSx86 
Run by Nikki at 18:22:04.55 on 11/16/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.2.1033.18.2046.802 [GMT -8:00]

SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *disabled*   {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Program Files\AVG\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\AVG\avgtray.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
E:\Program Files\AVG\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
E:\PikkuBot\PikkuBot-Flutterby_Swallowtail.exe
E:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Siber Systems\GoodSync\GoodSync.exe
E:\Big Fish\Slingo Quest Hawaii\SlingoQuest2.exe
E:\Big Fish\Slingo Quest Hawaii\SlingoQuest2.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\NoteTab Light\NoteTab.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\Program Files\AVG\avgui.exe
E:\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SHOUTcast Loader: {ccec60fc-2608-4e58-9659-3ffc159e8ea9} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\java\bin\jp2ssv.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: SHOUTcast Radio Toolbar: {0457331d-8ca6-4f97-9c26-6a9ef2b2dba8} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] e:\program files\avg\avgtray.exe
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\nikki\appdata\roaming\micros~1\windows\startm~1\programs\startup\_flutt~1.lnk - e:\pikkubot\PikkuStarter.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &SHOUTcast Search - c:\programdata\shoutcast radio toolbar\ietoolbar\resources\en-us\local\search.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - e:\micros~2\office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: adobe.com\get
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\nikki\appdata\roaming\mozilla\firefox\profiles\sg942z11.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://urlseek.vmn.net/search.php?type=dns&tbn=vidtomp3dn&q=
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\users\nikki\appdata\roaming\mozilla\plugins\np-mswmp.dll
FF - plugin: e:\java\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\java\bin\new_plugin\npjp2.dll
FF - plugin: e:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: e:\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R2 avgwd;AVG WatchDog;e:\program files\avg\avgwdsvc.exe [2010-9-10 265400]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe [2010-6-18 81920]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe [2010-6-18 2736128]
S2 AVGIDSAgent;AVGIDSAgent;e:\program files\avg\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-8-25 21504]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-2-10 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2009-2-10 3768]

=============== File Associations ===============

.txt=ntlfile

=============== Created Last 30 ================

2010-11-16 23:33:01    388096    ----a-r-    c:\users\nikki\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-15 20:55:25    553696    ----a-w-    c:\program files\mozilla firefox\uninstall\helper.exe
2010-11-15 20:55:05    25048    ----a-w-    c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-11-15 20:55:05    140248    ----a-w-    c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-11-15 20:55:01    66520    ----a-w-    c:\program files\mozilla firefox\plugins\npnul32.dll
2010-11-15 06:32:29    --------    d-----w-    c:\progra~2\FarmFrenzy3_Russia
2010-11-15 06:20:44    --------    d-----w-    c:\program files\iPod
2010-11-15 06:20:28    --------    d-----w-    c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-15 06:14:20    --------    d-----w-    c:\program files\Bonjour
2010-11-14 23:54:13    --------    d-----w-    c:\windows\system32\drivers\AVG
2010-11-13 19:43:24    --------    d-----w-    c:\progra~2\Alwil Software
2010-11-13 10:06:30    --------    d-----w-    c:\progra~2\cerasus.media
2010-11-13 09:59:57    --------    d-----w-    c:\program files\iPod(91)
2010-11-12 02:45:00    --------    d-----w-    c:\users\nikki\appdata\roaming\Western Software Technologies
2010-11-12 02:26:50    --------    d-----w-    c:\users\nikki\appdata\roaming\MagicIndie
2010-11-12 02:14:04    --------    d-----w-    c:\users\nikki\appdata\roaming\Namco
2010-11-11 20:06:04    --------    d-----w-    c:\users\nikki\appdata\local\IBAGroup
2010-11-06 23:58:18    --------    d-----w-    c:\progra~2\Funny Bear Studio
2010-11-05 01:25:40    --------    d-----w-    c:\progra~2\Reflexive
2010-11-04 22:12:28    --------    d-----w-    c:\users\nikki\appdata\roaming\UNOUndercover
2010-10-26 11:03:03    --------    d--h--w-    C:\$AVG
2010-10-19 00:20:49    --------    d-----w-    c:\users\nikki\appdata\roaming\AVG10
2010-10-19 00:19:34    --------    d--h--w-    c:\progra~2\Common Files
2010-10-19 00:14:11    --------    d-----w-    c:\progra~2\AVG10
2010-10-18 18:16:55    --------    d-----w-    c:\progra~2\MFAData

==================== Find3M  ====================

2010-11-16 02:24:15    3350    --sha-w-    c:\windows\system32\KGyGaAvL.sys
2010-10-14 01:00:47    472808    ----a-w-    c:\windows\system32\deployJava1.dll
2010-10-14 00:48:32    359487442    ----a-w-    C:\regbackup.reg
2010-10-07 20:23:02    91424    ----a-w-    c:\windows\system32\dnssd.dll
2010-10-07 20:23:02    107808    ----a-w-    c:\windows\system32\dns-sd.exe
2010-09-13 13:56:41    8147456    ----a-w-    c:\windows\system32\wmploc.DLL
2010-09-08 18:17:46    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17:46    69632    ----a-w-    c:\windows\system32\QuickTime.qts
2010-09-06 16:20:29    125952    ----a-w-    c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06    17920    ----a-w-    c:\windows\system32\netevent.dll
2010-08-31 15:46:37    954752    ----a-w-    c:\windows\system32\mfc40.dll
2010-08-31 15:46:37    954288    ----a-w-    c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31    531968    ----a-w-    c:\windows\system32\comctl32.dll
2010-08-31 13:27:38    2038272    ----a-w-    c:\windows\system32\win32k.sys
2010-08-26 16:37:45    157184    ----a-w-    c:\windows\system32\t2embed.dll
2010-08-20 16:05:07    867328    ----a-w-    c:\windows\system32\wmpmde.dll

=================== ROOTKIT  ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST325082 rev.3.AD -> Harddisk0\DR0 -> 

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x87689CEC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xc54a2846; SUB DWORD [EBP-0x4], 0xc54a212e; PUSH EDI; CALL 0xffffffffffffe10c;  }
1 ntkrnlpa!IofCallDriver[0x8384A962] -> \Device\Harddisk0\DR0[0x8715EAC8]
3 CLASSPNP[0x897AA8B3] -> ntkrnlpa!IofCallDriver[0x8384A962] -> [0x86C0CA60]
5 acpi[0x83E0F6BC] -> ntkrnlpa!IofCallDriver[0x8384A962] -> [0x85E5D9C0]
[0x874B3678] -> IRP_MJ_CREATE -> 0x87689CEC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0;  }
detected disk devices:
\Device\00000050 -> \??\SCSI#Disk&Ven_ST325082&Prod_0AS#4&21479b0c&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:25:37.73 ===============

Attach.txt



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 08/24/2008 11:24:47 PM
System Uptime: 11/16/2010 2:05:49 PM (4 hours ago)

Motherboard: Dell Inc |  | 0CT103
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket M2  | 2000/1000mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 49 GiB total, 14.886 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.193 GiB free.
E: is FIXED (NTFS) - 174 GiB total, 71.171 GiB free.
F: is CDROM (UDF)
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel

==== System Restore Points ===================


==== Installed Programs ======================

4 Elements
A Magnetic Adventure
Action Replay Code Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11
Agatha Christie: 4:50 from Paddington
AI RoboForm
Al Emmo's Postcards from Anozira
Ancient Adventures - Gift of Zeus
Ancient Hearts and Spades
Antique Road Trip USA
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Artifact Quest
µTorrent
Audacity 1.3.12 (Unicode)
Auslogics Disk Defrag
AVG 2011
Big City Adventure: Vancouver
Big Fish Games: Game Manager
Blood Oath
Blooming Daisies
Bonjour
Brrrmuda Triangle
Brunhilda and the Dark Crystal
Build-a-Lot: The Elizabethan Era
BumbleBee Jewel
Burger Battle
Buried in Time
bvhacker
Cake Mania: Lights, Camera, Action!
CCleaner (remove only)
CDDRV_Installer
Chameleon Gems
Chime Spirits
Club Control 2
Coffee Rush 2
Corel Paint Shop Pro Photo XI
Corel Snapfire
Deep Blue Sea 2
Deepica
DragonStone
Drawn: Dark Flight &reg; Collector's Editon
EA Download Manager
ebgcInfra
ebgcRes
ebgcSDK
Eden's Quest: The Hunt for Akua
Everything 1.2.1.371
Explorer: Contraband Mystery
Faded Reality
Family Feud: Battle of the Sexes
Farm Craft 2
Farm Frenzy
Farm Frenzy: Gone Fishing
FFmpeg for Audacity on Windows
FileZilla Client 3.3.3
Fill Up 2
Firebird 2.1.3.18185 (Win32)
Fishdom 2
Fishdom: Seasons Under the Sea
Foxit Reader
GoodSync
Google Talk (remove only)
Governor of Poker 2
Heroes of Kalevala
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
I Spy Fantasy
I SPY: Treasure Hunt
InWorldz 1.0.0.10
iTunes
James Patterson Women's Murder Club: Little Black Lies
Jass-2-pub (remove only)
Java Auto Updater
Java(TM) 6 Update 22
Jewel Quest Heritage
KhalInstallWrapper
Knightfall: Death and Taxes
Laby
leogeo_timebeat
Logitech SetPoint
Making Mr. Right
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
MobileMe Control Panel
Monarch - The Butterfly King
Mozilla Firefox (3.6.12)
Mozilla Thunderbird (3.1.6)
MSI to redistribute MS VS2005 CRT libraries
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Mysterious Travel - The Magic Diary
Mystery Case Files: Ravenhearst ®
NoteTab Light 6 (Remove only)
NVIDIA Drivers
NVIDIA PhysX v8.09.04
OpenAL
PAC-MAN Pizza Parlor
Pakoombo
Phoenix Viewer 1.5.1.373
PikkuBot (remove only)
Pirate Solitaire
Posh Boutique 2
PrettyLoaded ScreenSaver
Puppet Show: Souls of the Innocent Collector's Edition
Pure Networks Platform
Puzzle Bots
Puzzle Quest(TM) 2
QuickTime
Revo Uninstaller 1.90
RocketDock 1.3.5
Romancing the Seven Wonders: Great Pyramids

Royal Trouble
SAM Broadcaster (remove only)
Samurai Last Exam
Season Match: Curse of the Witch Crow
Secrets of the Dragon Wheel
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Simajo: The Travel Mystery Game
Skype™ 4.1
Slime Army
Slingo Quest Egypt
Slingo Quest Hawaii
Snowglobe (remove only)
Soccer Cup Solitaire
Solitaire Cruise
Spa Mania 2
Special Enquiry Detail: The Hand that Feeds
SPORE™
SPORE™ Creepy & Cute Parts Pack
SPORE™ Galactic Adventures
Stand O'Food
Strange Cases - The Lighthouse Mystery
Strange Cases: The Tarot Card Mystery
Super Bounce Out
System Requirements Lab
The Crop Circles Mystery
The Game Of LIFE PTS
The Great Pharaoh
The Inquisitor
The Legend of the Golden Tome
The Mysterious Past of Gregory Phoenix
The Perfect Tree
Trial of the Gods: Ariadne's Journey
Trinklit Supreme
Tropix
Tropix 2
Ulead FantasyWarp.Plugin 1.0
Ulead Particle.Plugin 1.0
Uniblue ProcessScanner
UNO(R) - Undercover(TM)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Vault Cracker
VC 9.0 Runtime
Veronica and the Book of Dreams
VLC media player 1.0.3
Winamp
Winamp Detector Plug-in
Windows Media Player Firefox Plugin
WinRAR archiver
Wispa Forest
Woodville Chronicles
World Class Solitaire
World Mosaics
World Mosaics 2
World Mosaics 3 - Fairy Tales
World Riddles: Seven Wonders
Xvid 1.2.2 final uninstall
Yahoo! Messenger
ZoneAlarm
Zuma's Revenge - Adventure
Zuma Deluxe 1.0
Zuzu & Pirates

==== End Of File ===========================

Thanks!

1972vet
5 Tungsten

Re: code 80073EFE and browser hijacking

Please uninstall the following software:
µTorrent

Next:
Please read carefully and follow these steps.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please remember to copy and paste the contents of that file back here on your next reply.


Next, please uninstall AVG software as it will interfere with the utility we need to use next:
Please download combofix from This Webpage...and read through the instructions there for running the tool.
 
***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED
 
If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems. 

 
The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.
 
Once installed, a blue screen prompt should appear that reads as follows:
 
The Recovery Console was successfully installed.
 
When you see that screen, please continue as follows:
 

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

 
When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply along with the log produced from your TDSSKiller scan. Thanks!
 
Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall

Disabled Veteran, U.S.C.G. 1972 - 1978
[IMG]http://i72.photobucket.com/albums/i183/1972vet/mvpsigpic.jpg[/IMG]
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]

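The helper above asks for the TDSSKiller report to be pasted back into the thread. What follows is an added example, not part of this thread and not Kaspersky's tooling, that reads such a report and pulls out the two line types a responder actually cares about: the "Suspicious file (Forged)" line, where the tool reports two differing MD5 values for one driver file, and the "<service> - detected <family>" verdict line, tied back to that driver's ordinary scan line. The regular expressions assume only the line shapes visible in the log posted later in this thread; the `SAMPLE_LOG` excerpt is constructed from those lines, and the `Finding` class and function names are this example's own.

```python
"""Triage helper for TDSSKiller logs: pull out the drivers the tool flagged.

Added example; not part of the thread and not Kaspersky's code. It assumes
only the line shapes visible in the posted log (ordinary scan line,
"Suspicious file (Forged)" line, "<service> - detected <verdict>" line).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the TDSSKiller log format; the hashes and paths are
# the ones that appear in the posted log, the surrounding lines are a sample.
SAMPLE_LOG = r"""
2010/11/17 11:59:07.0587    iteraid         (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/11/17 11:59:07.0847    kbdclass        (a8c769cf01896c356dfda527cfb8c9e8) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/11/17 11:59:07.0847    Suspicious file (Forged): C:\Windows\system32\DRIVERS\kbdclass.sys. Real md5: a8c769cf01896c356dfda527cfb8c9e8, Fake md5: 37605e0a8cf00cbba538e753e4344c6e
2010/11/17 11:59:07.0881    kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/17 11:59:08.0252    kbdhid          (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
MD5 = r"[0-9a-f]{32}"
# Ordinary scan line: "<timestamp>    <service>    (<md5>) <path>"
SCAN_RE = re.compile(rf"^{TS}\s+(?P<service>\S+)\s+\((?P<md5>{MD5})\)\s+(?P<path>.+?)\s*$")
# Mismatch line emitted when the tool sees two different hashes for one file.
FORGED_RE = re.compile(
    rf"^{TS}\s+Suspicious file \(Forged\): (?P<path>.+?)\. "
    rf"Real md5: (?P<real>{MD5}), Fake md5: (?P<fake>{MD5})"
)
# Verdict line: "<timestamp>    <service> - detected <family> (<n>)"
DETECT_RE = re.compile(rf"^{TS}\s+(?P<service>\S+) - detected (?P<verdict>\S+)")


@dataclass
class Finding:
    service: str
    path: str
    listed_md5: Optional[str] = None  # hash printed on the ordinary scan line
    real_md5: Optional[str] = None
    fake_md5: Optional[str] = None
    verdict: Optional[str] = None

    @property
    def hashes_disagree(self) -> bool:
        return self.real_md5 is not None and self.real_md5 != self.fake_md5


def parse_tdsskiller_log(text: str) -> List[Finding]:
    """Return one Finding per driver that received a Forged or detected line."""
    path_of: Dict[str, str] = {}       # service name -> path from its scan line
    listed: Dict[str, str] = {}        # service name -> md5 from its scan line
    findings: Dict[str, Finding] = {}  # keyed by driver path

    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            path_of[m["service"]] = m["path"]
            listed[m["service"]] = m["md5"]
            continue
        m = FORGED_RE.match(line)
        if m:
            f = findings.setdefault(m["path"], Finding(service="?", path=m["path"]))
            f.real_md5, f.fake_md5 = m["real"], m["fake"]
            continue
        m = DETECT_RE.match(line)
        if m:
            svc = m["service"]
            # A verdict may arrive for a service we never saw a scan line for;
            # keep it anyway rather than silently dropping the detection.
            path = path_of.get(svc, "<no scan line for this service>")
            f = findings.setdefault(path, Finding(service=svc, path=path))
            f.service = svc
            f.verdict = m["verdict"]
            f.listed_md5 = listed.get(svc)
    return list(findings.values())


def summarize(text: str) -> List[str]:
    """One human-readable line per finding, suitable for pasting into a reply."""
    out = []
    for f in parse_tdsskiller_log(text):
        status = f.verdict or "hash mismatch only, no verdict line"
        detail = f" (real {f.real_md5}, fake {f.fake_md5})" if f.hashes_disagree else ""
        out.append(f"{f.service}: {f.path} -> {status}{detail}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG) or ["no flagged drivers"]:
        print(line)
```

Running the script against a full log prints only the flagged drivers, so a responder does not have to read a few hundred clean driver lines to find the one that matters; a log with no Forged or detected lines yields an empty list. The `listed_md5` field is kept so the reader can see that, in the posted log, the hash on the ordinary scan line equals the "Real md5" value on the mismatch line.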
nikkers1970
1 Copper

Re: code 80073EFE and browser hijacking

Something has worked right: I have my CPU temperature gadget back to working, and it stopped working after I got this rootkit.

uTorrent: uninstalled

TDSSKiller Log:

2010/11/17 11:58:28.0854    TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/17 11:58:28.0854    ================================================================================
2010/11/17 11:58:28.0854    SystemInfo:
2010/11/17 11:58:28.0854   
2010/11/17 11:58:28.0854    OS Version: 6.0.6002 ServicePack: 2.0
2010/11/17 11:58:28.0854    Product type: Workstation
2010/11/17 11:58:28.0854    ComputerName: KITCHEN
2010/11/17 11:58:28.0855    UserName: Nikki
2010/11/17 11:58:28.0855    Windows directory: C:\Windows
2010/11/17 11:58:28.0855    System windows directory: C:\Windows
2010/11/17 11:58:28.0855    Processor architecture: Intel x86
2010/11/17 11:58:28.0855    Number of processors: 2
2010/11/17 11:58:28.0855    Page size: 0x1000
2010/11/17 11:58:28.0855    Boot type: Normal boot
2010/11/17 11:58:28.0855    ================================================================================
2010/11/17 11:58:30.0868    Initialize success
2010/11/17 11:58:35.0114    ================================================================================
2010/11/17 11:58:35.0114    Scan started
2010/11/17 11:58:35.0114    Mode: Manual;
2010/11/17 11:58:35.0114    ================================================================================
2010/11/17 11:58:38.0179    ACPI            (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/11/17 11:58:38.0698    adp94xx         (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2010/11/17 11:58:39.0229    adpahci         (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2010/11/17 11:58:39.0485    adpu160m        (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2010/11/17 11:58:40.0599    adpu320         (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2010/11/17 11:58:41.0887    AFD             (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/11/17 11:58:42.0254    agp440          (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2010/11/17 11:58:42.0536    aic78xx         (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/11/17 11:58:42.0970    aliide          (3a99cb23a2d326fd532618705d6e3048) C:\Windows\system32\drivers\aliide.sys
2010/11/17 11:58:43.0395    amdagp          (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2010/11/17 11:58:43.0476    amdide          (4333c133dbd71c7d7fe4fb1b83f9ee3e) C:\Windows\system32\drivers\amdide.sys
2010/11/17 11:58:43.0562    AmdK7           (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2010/11/17 11:58:43.0626    AmdK8           (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2010/11/17 11:58:44.0105    arc             (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2010/11/17 11:58:44.0560    arcsas          (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2010/11/17 11:58:44.0804    AsyncMac        (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/11/17 11:58:45.0151    atapi           (a779ca2c76da4fcb595e692c05e8e4eb) C:\Windows\system32\drivers\atapi.sys
2010/11/17 11:58:45.0444    bcm4sbxp        (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
2010/11/17 11:58:45.0680    Beep            (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/11/17 11:58:46.0183    bowser          (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/11/17 11:58:46.0250    BrFiltLo        (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/11/17 11:58:46.0555    BrFiltUp        (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/11/17 11:58:46.0781    Brserid         (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/11/17 11:58:47.0227    BrSerWdm        (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/11/17 11:58:47.0575    BrUsbMdm        (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/11/17 11:58:47.0864    BrUsbSer        (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/11/17 11:58:48.0408    BTHMODEM        (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/11/17 11:58:48.0809    cdfs            (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/11/17 11:58:49.0137    cdrom           (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/11/17 11:58:49.0364    circlass        (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2010/11/17 11:58:49.0592    CLFS            (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/11/17 11:58:50.0599    cmdide          (dfb94a6fc3a26972b0461ab5f1d8272b) C:\Windows\system32\drivers\cmdide.sys
2010/11/17 11:58:51.0219    Compbatt        (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
2010/11/17 11:58:51.0707    crcdisk         (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2010/11/17 11:58:52.0085    Crusoe          (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2010/11/17 11:58:52.0516    DfsC            (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/11/17 11:58:52.0866    disk            (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/11/17 11:58:53.0359    drmkaud         (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/11/17 11:58:53.0721    DXGKrnl         (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/11/17 11:58:54.0085    E1G60           (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/11/17 11:58:54.0351    Ecache          (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/11/17 11:58:54.0928    elxstor         (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2010/11/17 11:58:55.0394    exfat           (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/11/17 11:58:55.0629    fastfat         (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/11/17 11:58:55.0969    fdc             (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2010/11/17 11:58:56.0376    FileInfo        (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/11/17 11:58:56.0819    Filetrace       (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/11/17 11:58:57.0061    flpydisk        (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/11/17 11:58:57.0613    FltMgr          (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/11/17 11:58:58.0307    Fs_Rec          (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/11/17 11:58:58.0667    gagp30kx        (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2010/11/17 11:58:59.0130    GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2010/11/17 11:58:59.0439    HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
2010/11/17 11:58:59.0701    HDAudBus        (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/11/17 11:59:00.0200    HidBth          (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/11/17 11:59:00.0548    HidIr           (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/11/17 11:59:00.0996    HidUsb          (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/11/17 11:59:01.0413    HpCISSs         (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2010/11/17 11:59:01.0905    HTTP            (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/11/17 11:59:02.0553    i2omp           (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2010/11/17 11:59:03.0010    i8042prt        (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/11/17 11:59:03.0416    iaStorV         (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2010/11/17 11:59:03.0873    iirsp           (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/11/17 11:59:04.0462    intelide        (1c60617d54bc9f035671a44b75d9f7cc) C:\Windows\system32\drivers\intelide.sys
2010/11/17 11:59:04.0765    intelppm        (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2010/11/17 11:59:05.0004    IpFilterDriver  (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/11/17 11:59:05.0686    IPMIDRV         (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2010/11/17 11:59:06.0098    IPNAT           (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/11/17 11:59:06.0326    IRENUM          (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/11/17 11:59:06.0529    isapnp          (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2010/11/17 11:59:06.0808    iScsiPrt        (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/11/17 11:59:07.0164    iteatapi        (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/11/17 11:59:07.0587    iteraid         (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/11/17 11:59:07.0847    kbdclass        (a8c769cf01896c356dfda527cfb8c9e8) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/11/17 11:59:07.0847    Suspicious file (Forged): C:\Windows\system32\DRIVERS\kbdclass.sys. Real md5: a8c769cf01896c356dfda527cfb8c9e8, Fake md5: 37605e0a8cf00cbba538e753e4344c6e
2010/11/17 11:59:07.0881    kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/17 11:59:08.0252    kbdhid          (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/11/17 11:59:08.0691    KSecDD          (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/11/17 11:59:09.0152    LHidFilt        (24e0ddb99aeccf86bb37702611761459) C:\Windows\system32\DRIVERS\LHidFilt.Sys
2010/11/17 11:59:09.0405    lltdio          (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/11/17 11:59:09.0721    LMouFilt        (d58b330d318361a66a9fe60d7c9b4951) C:\Windows\system32\DRIVERS\LMouFilt.Sys
2010/11/17 11:59:10.0056    LSI_FC          (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2010/11/17 11:59:10.0532    LSI_SAS         (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2010/11/17 11:59:11.0079    LSI_SCSI        (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2010/11/17 11:59:11.0727    luafv           (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/11/17 11:59:12.0299    megasas         (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2010/11/17 11:59:12.0568    Modem           (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/11/17 11:59:12.0985    monitor         (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/11/17 11:59:13.0454    mouclass        (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/11/17 11:59:13.0658    mouhid          (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/11/17 11:59:13.0877    MountMgr        (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/11/17 11:59:14.0190    mpio            (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2010/11/17 11:59:14.0487    mpsdrv          (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/11/17 11:59:14.0809    Mraid35x        (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/11/17 11:59:15.0195    MRxDAV          (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/11/17 11:59:15.0389    mrxsmb          (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/11/17 11:59:15.0604    mrxsmb10        (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/11/17 11:59:15.0919    mrxsmb20        (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/11/17 11:59:16.0310    msahci          (f0ec3a4e0693a34b148723b4da31668c) C:\Windows\system32\drivers\msahci.sys
2010/11/17 11:59:16.0577    msdsm           (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2010/11/17 11:59:17.0073    Msfs            (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/11/17 11:59:17.0379    msisadrv        (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/11/17 11:59:17.0712    MSKSSRV         (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/11/17 11:59:17.0968    MSPCLOCK        (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/11/17 11:59:18.0226    MSPQM           (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/11/17 11:59:18.0569    MsRPC           (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/11/17 11:59:19.0025    mssmbios        (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/11/17 11:59:19.0378    MSTEE           (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/11/17 11:59:19.0773    Mup             (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/11/17 11:59:20.0448    NativeWifiP     (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/11/17 11:59:21.0154    NDIS            (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/11/17 11:59:22.0010    NdisTapi        (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/11/17 11:59:22.0756    Ndisuio         (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/11/17 11:59:23.0304    NdisWan         (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/11/17 11:59:23.0618    NDProxy         (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/11/17 11:59:24.0038    NetBIOS         (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/11/17 11:59:24.0301    netbt           (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/11/17 11:59:24.0620    nfrd960         (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/11/17 11:59:24.0818    Npfs            (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/11/17 11:59:25.0168    nsiproxy        (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/11/17 11:59:25.0760    Ntfs            (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/11/17 11:59:26.0188    ntrigdigi       (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/11/17 11:59:26.0524    Null            (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/11/17 11:59:27.0732    nvlddmkm        (484844c0d892b42ecc5e6b063d072a38) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2010/11/17 11:59:28.0044    nvraid          (6f785db62a6d8f3fafd3e5695277e849) C:\Windows\system32\drivers\nvraid.sys
2010/11/17 11:59:28.0442    nvstor          (4a5fcab82d9bf6af8a023a66802fe9e9) C:\Windows\system32\drivers\nvstor.sys
2010/11/17 11:59:28.0696    nvstor32        (dc5f166422beebf195e3e4bb8ab4ee22) C:\Windows\system32\DRIVERS\nvstor32.sys
2010/11/17 11:59:29.0066    nv_agp          (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2010/11/17 11:59:30.0061    ohci1394        (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2010/11/17 11:59:30.0690    Parport         (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/11/17 11:59:30.0948    partmgr         (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/11/17 11:59:31.0854    Parvdm          (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/11/17 11:59:32.0567    pci             (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/11/17 11:59:32.0989    pciide          (20b869152448f80ac49cf10264e91f5e) C:\Windows\system32\drivers\pciide.sys
2010/11/17 11:59:33.0558    pcmcia          (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/11/17 11:59:34.0071    PEAUTH          (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/11/17 11:59:34.0475    pnarp           (6a479a7897941d3a5070a292321a37f3) C:\Windows\system32\DRIVERS\pnarp.sys
2010/11/17 11:59:34.0923    PptpMiniport    (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/11/17 11:59:35.0159    Processor       (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2010/11/17 11:59:35.0599    PSched          (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/11/17 11:59:36.0080    ql2300          (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2010/11/17 11:59:36.0457    ql40xx          (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/11/17 11:59:36.0887    QWAVEdrv        (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/11/17 11:59:37.0347    RasAcd          (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/11/17 11:59:37.0857    Rasl2tp         (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/11/17 11:59:38.0273    RasPppoe        (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/11/17 11:59:38.0628    RasSstp         (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/11/17 11:59:38.0970    rdbss           (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/11/17 11:59:39.0301    RDPCDD          (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/11/17 11:59:39.0585    rdpdr           (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2010/11/17 11:59:39.0934    RDPENCDD        (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/11/17 11:59:40.0377    RDPWD           (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/11/17 11:59:40.0684    rspndr          (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/11/17 11:59:40.0976    sbp2port        (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/11/17 11:59:41.0316    secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/11/17 11:59:41.0673    Serenum         (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/11/17 11:59:42.0106    Serial          (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/11/17 11:59:42.0417    sermouse        (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/11/17 11:59:42.0758    sffdisk         (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2010/11/17 11:59:43.0065    sffp_mmc        (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2010/11/17 11:59:43.0507    sffp_sd         (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2010/11/17 11:59:43.0992    sfloppy         (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/11/17 11:59:44.0593    sisagp          (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2010/11/17 11:59:44.0975    SiSRaid2        (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2010/11/17 11:59:45.0393    SiSRaid4        (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2010/11/17 11:59:45.0774    Smb             (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/11/17 11:59:45.0959    SndTAudio       (fa11bef5d56168a3f4017ad41b74602e) C:\Windows\system32\drivers\SndTAudio.sys
2010/11/17 11:59:46.0199    SndTVideo       (2b5b846841eee00395d97b78d987c976) C:\Windows\system32\DRIVERS\SndTVideo.sys
2010/11/17 11:59:46.0769    spldr           (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/11/17 11:59:47.0166    srv             (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2010/11/17 11:59:47.0386    srv2            (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2010/11/17 11:59:47.0795    srvnet          (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2010/11/17 11:59:48.0006    swenum          (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/11/17 11:59:48.0215    Symc8xx         (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/11/17 11:59:48.0473    Sym_hi          (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/11/17 11:59:48.0965    Sym_u3          (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/11/17 11:59:49.0332    Tcpip           (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\drivers\tcpip.sys
2010/11/17 11:59:49.0782    Tcpip6          (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\DRIVERS\tcpip.sys
2010/11/17 11:59:50.0035    tcpipreg        (9bf343f4c878d6ad6922b2c5a4fefe0d) C:\Windows\system32\drivers\tcpipreg.sys
2010/11/17 11:59:50.0401    TDPIPE          (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/11/17 11:59:50.0748    TDTCP           (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/11/17 11:59:50.0950    tdx             (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/11/17 11:59:51.0183    TermDD          (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/11/17 11:59:51.0644    tssecsrv        (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/11/17 11:59:51.0869    tunmp           (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/11/17 11:59:52.0126    tunnel          (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/11/17 11:59:52.0427    uagp35          (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2010/11/17 11:59:52.0712    udfs            (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/11/17 11:59:53.0049    uliagpkx        (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2010/11/17 11:59:53.0371    uliahci         (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2010/11/17 11:59:53.0761    UlSata          (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/11/17 11:59:54.0132    ulsata2         (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/11/17 11:59:54.0630    umbus           (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/11/17 11:59:54.0981    USBAAPL         (4b8a9c16b6d9258ed99c512aecb8c555) C:\Windows\system32\Drivers\usbaapl.sys
2010/11/17 11:59:55.0279    usbccgp         (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/11/17 11:59:55.0545    usbcir          (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/11/17 11:59:55.0777    usbehci         (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/11/17 11:59:56.0005    usbhub          (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/11/17 11:59:56.0378    USBIO           (f90d8f845095fcd6924e3d751c04e442) C:\Windows\system32\Drivers\usbio.sys
2010/11/17 11:59:56.0638    usbohci         (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
2010/11/17 11:59:56.0913    usbprint        (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2010/11/17 11:59:57.0194    usbscan         (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2010/11/17 11:59:57.0459    USBSTOR         (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/11/17 11:59:57.0794    usbuhci         (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/11/17 11:59:58.0015    vga             (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/11/17 11:59:58.0515    VgaSave         (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/11/17 11:59:58.0934    viaagp          (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2010/11/17 11:59:59.0496    ViaC7           (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2010/11/17 11:59:59.0965    viaide          (58c8d5ac5c3eef40e7e704a5ced7987d) C:\Windows\system32\drivers\viaide.sys
2010/11/17 12:00:00.0513    volmgr          (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/11/17 12:00:00.0768    volmgrx         (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/11/17 12:00:00.0981    volsnap         (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/11/17 12:00:01.0461    Vsdatant        (6be75cfce25e42e79c0757c60d88fecb) C:\Windows\system32\DRIVERS\vsdatant.sys
2010/11/17 12:00:02.0114    vsmraid         (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2010/11/17 12:00:02.0416    WacomPen        (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/11/17 12:00:02.0619    Wanarp          (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/11/17 12:00:02.0653    Wanarpv6        (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/11/17 12:00:02.0939    Wd              (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2010/11/17 12:00:03.0301    Wdf01000        (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/11/17 12:00:03.0742    WmiAcpi         (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2010/11/17 12:00:03.0994    WpdUsb          (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2010/11/17 12:00:04.0283    ws2ifsl         (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/11/17 12:00:04.0644    WUDFRd          (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/11/17 12:00:04.0766    ================================================================================
2010/11/17 12:00:04.0766    Scan finished
2010/11/17 12:00:04.0766    ================================================================================
2010/11/17 12:00:04.0786    Detected object count: 1
2010/11/17 12:00:21.0525    kbdclass        (a8c769cf01896c356dfda527cfb8c9e8) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/11/17 12:00:21.0526    Suspicious file (Forged): C:\Windows\system32\DRIVERS\kbdclass.sys. Real md5: a8c769cf01896c356dfda527cfb8c9e8, Fake md5: 37605e0a8cf00cbba538e753e4344c6e
2010/11/17 12:00:32.0506    Backup copy not found, trying to cure infected file..
2010/11/17 12:00:32.0506    Cure success, using it..
2010/11/17 12:00:32.0664    C:\Windows\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2010/11/17 12:00:32.0664    Rootkit.Win32.TDSS.tdl3(kbdclass) - User select action: Cure
2010/11/17 12:02:30.0001    Deinitialize success


ComboFix Log:

ComboFix 10-11-17.01 - Nikki 11/17/2010  12:36:08.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.2.1033.18.2046.1280 [GMT -8:00]
Running from: e:\desktop\ComboFix.exe
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Nikki\AppData\Roaming\.#

.
(((((((((((((((((((((((((   Files Created from 2010-10-17 to 2010-11-17  )))))))))))))))))))))))))))))))
.

2010-11-17 20:47 . 2010-11-17 20:50    --------    d-----w-    c:\users\Nikki\AppData\Local\temp
2010-11-17 20:47 . 2010-11-17 20:47    --------    d-----w-    c:\users\Default\AppData\Local\temp
2010-11-16 23:33 . 2010-11-16 23:33    388096    ----a-r-    c:\users\Nikki\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-15 23:54 . 2010-11-15 23:54    --------    d-----w-    c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2010-11-15 20:55 . 2010-10-27 06:13    553696    ----a-w-    c:\program files\Mozilla Firefox\uninstall\helper.exe
2010-11-15 20:55 . 2010-10-27 06:13    25048    ----a-w-    c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-11-15 20:55 . 2010-10-27 06:13    140248    ----a-w-    c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-11-15 20:55 . 2010-10-27 06:13    66520    ----a-w-    c:\program files\Mozilla Firefox\plugins\npnul32.dll
2010-11-15 06:32 . 2010-11-15 06:58    --------    d-----w-    c:\programdata\FarmFrenzy3_Russia
2010-11-15 06:20 . 2010-11-15 06:20    --------    d-----w-    c:\program files\iPod
2010-11-15 06:20 . 2010-11-15 06:26    --------    d-----w-    c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-15 06:19 . 2010-11-15 06:19    --------    d-----w-    c:\program files\Apple Software Update
2010-11-15 06:14 . 2010-11-15 06:14    --------    d-----w-    c:\program files\Bonjour
2010-11-13 19:43 . 2010-11-13 19:43    --------    d-----w-    c:\programdata\Alwil Software
2010-11-13 10:06 . 2010-11-13 10:06    --------    d-----w-    c:\programdata\cerasus.media
2010-11-12 02:45 . 2010-11-12 02:45    --------    d-----w-    c:\users\Nikki\AppData\Roaming\Western Software Technologies
2010-11-12 02:26 . 2010-11-12 02:26    --------    d-----w-    c:\users\Nikki\AppData\Roaming\MagicIndie
2010-11-12 02:14 . 2010-11-12 02:14    --------    d-----w-    c:\users\Nikki\AppData\Roaming\Namco
2010-11-11 20:06 . 2010-11-11 20:06    --------    d-----w-    c:\users\Nikki\AppData\Local\IBAGroup
2010-11-06 23:58 . 2010-11-06 23:58    --------    d-----w-    c:\programdata\Funny Bear Studio
2010-11-05 01:25 . 2010-11-05 01:25    --------    d-----w-    c:\programdata\Reflexive
2010-11-04 22:12 . 2010-11-04 22:12    --------    d-----w-    c:\users\Nikki\AppData\Roaming\UNOUndercover
2010-10-26 11:03 . 2010-10-26 11:03    --------    d-----w-    C:\$AVG
2010-10-19 00:20 . 2010-11-15 00:08    --------    d-----w-    c:\users\Nikki\AppData\Roaming\AVG10
2010-10-19 00:19 . 2010-10-19 00:19    --------    d--h--w-    c:\programdata\Common Files
2010-10-19 00:14 . 2010-11-17 19:43    --------    d-----w-    c:\programdata\AVG10

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-17 20:04 . 2008-08-25 20:07    35384    ----a-w-    c:\windows\system32\drivers\kbdclass.sys
2010-10-14 01:00 . 2010-04-16 17:35    472808    ----a-w-    c:\windows\system32\deployJava1.dll
2010-10-14 00:48 . 2010-10-14 00:45    359487442    ----a-w-    C:\regbackup.reg
2010-10-07 20:23 . 2010-10-07 20:23    91424    ----a-w-    c:\windows\system32\dnssd.dll
2010-10-07 20:23 . 2010-10-07 20:23    107808    ----a-w-    c:\windows\system32\dns-sd.exe
2010-09-13 13:56 . 2010-10-12 19:07    8147456    ----a-w-    c:\windows\system32\wmploc.DLL
2010-09-08 18:17 . 2010-09-08 18:17    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17    69632    ----a-w-    c:\windows\system32\QuickTime.qts
2010-09-06 16:20 . 2010-10-12 19:12    125952    ----a-w-    c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-12 19:12    17920    ----a-w-    c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-12 19:12    304128    ----a-w-    c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-12 19:12    145408    ----a-w-    c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-12 19:12    102400    ----a-w-    c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-12 19:09    954752    ----a-w-    c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-12 19:09    954288    ----a-w-    c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-12 18:49    531968    ----a-w-    c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-12 19:11    2038272    ----a-w-    c:\windows\system32\win32k.sys
2010-08-26 16:37 . 2010-10-12 19:10    157184    ----a-w-    c:\windows\system32\t2embed.dll
2010-08-20 16:05 . 2010-10-12 18:54    867328    ----a-w-    c:\windows\system32\wmpmde.dll
.

------- Sigcheck -------

[-] 2010-11-17 20:04 . E2BC1BC53CFCBBFEF5D269217F53B90C . 35384 . . [------] . . c:\windows\System32\drivers\kbdclass.sys
[7] 2008-08-25 . B076B2AB806B3F696DAB21375389101C . 35384 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys
[7] 2008-08-25 . B076B2AB806B3F696DAB21375389101C . 35384 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.16609_none_957131ccdbca3f9c\kbdclass.sys
[7] 2008-08-25 . C9B0CF786D5F151A43C7BE8E243F2819 . 35384 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.20734_none_95d55d61f504b486\kbdclass.sys
[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\kbdclass.sys
[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\kbdclass.sys
[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6001.18000_none_974e6dd8d8f8ec7e\kbdclass.sys
[7] 2008-01-19 . 37605E0A8CF00CBBA538E753E4344C6E . 35384 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\kbdclass.sys
[7] 2006-11-02 . 1A48765F92BA1A88445FC25C9C9D94FC . 32872 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\kbdclass.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 92704]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-09 451896]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:"

c:\users\Nikki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
_Flutterby Swallowtail.lnk - e:\pikkubot\PikkuStarter.exe [2009-2-17 13824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2960264855-3727281212-3489713650-1000]
"EnableNotificationsRef"=dword:00000001

R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-02-03 23096]
R3 SndTVideo;SndTVideo;c:\windows\system32\DRIVERS\SndTVideo.sys [2009-02-03 3768]
R3 vsdatant7;vsdatant7;c:\windows\system32\drivers\vsdatant.win7.sys
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2009-07-23 81920]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2009-07-23 2736128]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-11-17 c:\windows\Tasks\User_Feed_Synchronization-{BEAFF61F-CE39-47DF-A7FA-AAAFE5EBEF17}.job
- c:\windows\system32\msfeedssync.exe [2009-12-09 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
IE: &SHOUTcast Search - c:\programdata\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - e:\micros~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: adobe.com\get
FF - ProfilePath - c:\users\Nikki\AppData\Roaming\Mozilla\Firefox\Profiles\sg942z11.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://urlseek.vmn.net/search.php?type=dns&tbn=vidtomp3dn&q=
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\users\Nikki\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: e:\java\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\java\bin\new_plugin\npjp2.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.txt=ntlfile
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-dlcgmon - c:\program files\Dell AIO 810\dlcgmon.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
AddRemove-BFG-Cake Mania - Lights, Camera, Action - e:\big fish\Cake Mania - Lights
AddRemove-EADM - c:\program files\Electronic Arts\EADM\Uninstall.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-17 12:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2960264855-3727281212-3489713650-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{589163DF-2FB5-A5F0-4CDF-262BF46F7FF8}*]
"hagjbklpijljagjh"=hex:6a,61,69,67,68,68,6e,6a,6a,61,6e,69,6f,63,6e,6d,6c,65,
   63,67,00,62
"iamhedffjjdfppoege"=hex:6a,61,69,67,67,68,69,6a,65,63,61,62,69,67,68,64,67,6c,
   70,6e,00,00

[HKEY_USERS\S-1-5-21-2960264855-3727281212-3489713650-1000\Software\SecuROM\License information*]
"datasecu"=hex:fc,b0,33,50,3b,0f,40,9f,ae,63,8c,b7,59,21,21,ae,8a,20,01,92,88,
   cb,47,5f,43,de,a4,7b,a5,d3,16,23,55,82,13,2b,c3,f9,e0,e6,d1,82,52,f7,5d,d0,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{1524e57c-7a2c-4e9e-bef9-e39050173417}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c00188b
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9aef0316-6cff-4db5-a90c-3c859e49e83c}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0b000000
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:07001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:06001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{fc62bc20-def3-4580-ae5b-01bf321918b9}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0e020054
"Dhcpv6State"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2880)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2010-11-17  12:55:30
ComboFix-quarantined-files.txt  2010-11-17 20:55

Pre-Run: 16,141,365,248 bytes free
Post-Run: 16,373,657,600 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=55 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55
- - End Of File - - F00278F6D1A40D6E542CAB756F6F082F


Please let me know when I can put AVG back on, thanks!

1972vet
5 Tungsten

Re: code 80073EFE and browser hijacking

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt. Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe
Combofix will run again automatically. Please post back the new log that will be generated. At this point, please run a manual update to your on board mbam...then run a "quick scan". I'd like to see that log as well. Let's see how things look after this combofix run and the mbam scan, then we can think about reinstalling AVG. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


KILLALL::

DDS::
StartupFolder: c:\users\nikki\appdata\roaming\micros~1\windows\startm~1\programs\startup\_flutt~1.lnk - e:\pikkubot\PikkuStarter.exe
Trusted Zone: adobe.com\get

DirLook:: 
c:\progra~2\FarmFrenzy3_Russia
c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
c:\progra~2\cerasus.media
c:\progra~2\Alwil Software

File::
c:\users\nikki\appdata\roaming\micros~1\windows\startm~1\programs\startup\_flutt~1.lnk

Folder::
e:\pikkubot

FCopy::
c:\windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys | c:\windows\System32\drivers\kbdclass.sys

Regnull::
[HKEY_USERS\S-1-5-21-2960264855-3727281212-3489713650-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{589163DF-2FB5-A5F0-4CDF-262BF46F7FF8}*]

Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{1524e57c-7a2c-4e9e-bef9-e39050173417}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9aef0316-6cff-4db5-a90c-3c859e49e83c}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{fc62bc20-def3-4580-ae5b-01bf321918b9}]

Disabled Veteran, U.S.C.G. 1972 - 1978
[IMG]http://i72.photobucket.com/albums/i183/1972vet/mvpsigpic.jpg[/IMG]
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]

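Before and after an FCopy:: repair like the one above, a defender usually wants an independent check that the driver in System32\drivers matches one of the Driver Store copies, which is the comparison ComboFix prints in its Sigcheck section. The PowerShell script below is an added example written for this thread; it is not part of ComboFix, TDSSKiller or the helper's instructions. It assumes an elevated Windows PowerShell 2.0 or later prompt on the affected machine, uses the kbdclass.sys and keyboard.inf_* paths from the logs as defaults, and the parameter and function names are my own.

```powershell
# Added example for this thread (not ComboFix, TDSSKiller or the helper's script):
# compare a driver in System32\drivers with the copies Windows keeps in the
# Driver Store, the same comparison ComboFix prints in its Sigcheck section.
# Assumptions: an elevated Windows PowerShell 2.0+ prompt; default paths are the
# ones from the logs above; parameter and function names are my own.
param(
    [string]$Driver     = 'C:\Windows\System32\drivers\kbdclass.sys',
    [string]$Repository = 'C:\Windows\System32\DriverStore\FileRepository',
    [string]$InfPrefix  = 'keyboard.inf_'
)

function Get-Md5Hex {
    param([string]$Path)
    # Get-FileHash only exists from PowerShell 4, so hash through .NET directly.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-DriverReport {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # Inbox Vista drivers are catalog-signed rather than embedded-signed, so older
    # PowerShell reports them as NotSigned; treat the hash match as the primary test.
    New-Object PSObject -Property @{
        Path      = $Path
        Size      = $item.Length
        Modified  = $item.LastWriteTimeUtc
        Md5       = Get-Md5Hex -Path $Path
        Signature = $sig.Status
    }
}

$name = Split-Path -Path $Driver -Leaf
$live = Get-DriverReport -Path $Driver

# Every Driver Store package for this INF that contains a copy of the driver.
$known = Get-ChildItem -Path $Repository -Filter "$InfPrefix*" |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path -Path $_.FullName -ChildPath $name } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-DriverReport -Path $_ }

'--- live driver ---'
$live  | Format-List Path, Size, Modified, Md5, Signature
'--- Driver Store copies ---'
$known | Format-Table Md5, Size, Modified, Path -AutoSize

# @() so .Count works on zero or one result in PowerShell 2.0 as well.
$hits = @($known | Where-Object { $_.Md5 -eq $live.Md5 })
if ($hits.Count -gt 0) {
    "OK: $Driver matches $($hits.Count) Driver Store copy/copies by MD5."
} else {
    "WARNING: $Driver matches no Driver Store copy under $InfPrefix*; compare its size," +
    " date and version with the copies listed above before choosing a replacement."
}
```

Save it under any name (for example Check-Driver.ps1, an assumed name) and run it from an elevated prompt; pass -Driver and -InfPrefix to check another inbox driver. One caveat that the TDSSKiller log above makes concrete: its "Suspicious file (Forged)" line shows kbdclass.sys reporting one MD5 to the running system and another on disk, so a hash taken from inside a still-infected system can agree with a clean Driver Store copy and prove nothing. Repeat the check after the cure and reboot, or hash the file from offline media.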
nikkers1970
1 Copper

Re: code 80073EFE and browser hijacking

This line: StartupFolder: c:\users\nikki\appdata\roaming\micros~1\windows\startm~1\programs\startup\_flutt~1.lnk - e:\pikkubot\PikkuStarter.exe. Will that affect my PikkuBot program? It is safe, it runs a bot on Second Life and I've had it running for a couple of months, long before I got infected.

1972vet
5 Tungsten

Re: code 80073EFE and browser hijacking

If you are certain without doubt that it is safe, then by all means, remove it from the script.


nikkers1970
1 Copper

Re: code 80073EFE and browser hijacking

I left it in, only because I didn't want to tamper with the code you gave me. I can reinstall it later. I had a few minutes of worry as ComboFix rebooted my computer automatically, and when it's generating the log it says not to start any programs (all my startup programs were starting to run and I had no way to stop them), but I think it all worked okay. Here is the log:

ComboFix 10-11-17.01 - Nikki 11/17/2010  19:18:14.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.2.1033.18.2046.886 [GMT -8:00]
Running from: e:\desktop\ComboFix.exe
Command switches used :: e:\desktop\CFScript.txt
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}

FILE ::
"c:\users\nikki\appdata\roaming\micros~1\windows\startm~1\programs\startup\_flutt~1.lnk"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\nikki\appdata\roaming\micros~1\windows\startm~1\programs\startup\_flutt~1.lnk
e:\pikkubot
e:\pikkubot\config\ANSWERS.txt
e:\pikkubot\config\DANCES.txt
e:\pikkubot\config\DYNAMIC.txt
e:\pikkubot\config\flutterby_swallowtail-BOT_LOCATION.txt
e:\pikkubot\config\flutterby_swallowtail-BOT_PRIM.txt
e:\pikkubot\config\flutterby_swallowtail-BOT_SIM.txt
e:\pikkubot\config\flutterby_swallowtail-CONFIG.md5
e:\pikkubot\config\flutterby_swallowtail-CONFIG.txt
e:\pikkubot\config\flutterby_swallowtail-HISTORY.txt
e:\pikkubot\config\flutterby_swallowtail-LAST.txt
e:\pikkubot\config\flutterby_swallowtail-MINIMIZED.txt
e:\pikkubot\config\flutterby_swallowtail-SIZE.txt
e:\pikkubot\config\MACROS.txt
e:\pikkubot\config\RANDOM.txt
e:\pikkubot\config\SUPPORT.txt
e:\pikkubot\config\TELEPORTS.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-12.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-13.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-14.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-15.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-16.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-17.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-18.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-19.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-20.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-21.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-22.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-23.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-24.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-25.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-26.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-27.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-28.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-29.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-30.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-10-31.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-01.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-02.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-03.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-04.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-05.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-06.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-07.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-08.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-09.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-10.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-11.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-12.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-13.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-14.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-15.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-16.txt
e:\pikkubot\log\flutterby_swallowtail-LOGFILE-2010-11-17.txt
e:\pikkubot\log\flutterby_swallowtail-STATUS.txt
e:\pikkubot\log\flutterby_swallowtail-TELEPORT_HISTORY.txt
e:\pikkubot\log4net.dll
e:\pikkubot\NOEXEC.dat
e:\pikkubot\openjpeg-dotnet-x86_64.dll
e:\pikkubot\openjpeg-dotnet.dll
e:\pikkubot\OpenMetaverse.dll
e:\pikkubot\OpenMetaverse.Rendering.Meshmerizer.dll
e:\pikkubot\OpenMetaverse.Rendering.Simple.dll
e:\pikkubot\OpenMetaverse.StructuredData.dll
e:\pikkubot\OpenMetaverse.Utilities.dll
e:\pikkubot\openmetaverse_data\avatar_lad.xml
e:\pikkubot\openmetaverse_data\blush_alpha.tga
e:\pikkubot\openmetaverse_data\body_skingrain.tga
e:\pikkubot\openmetaverse_data\bodyfreckles_alpha.tga
e:\pikkubot\openmetaverse_data\bump_face_wrinkles.tga
e:\pikkubot\openmetaverse_data\bump_head_base.tga
e:\pikkubot\openmetaverse_data\bump_lowerbody_base.tga
e:\pikkubot\openmetaverse_data\bump_pants_wrinkles.tga
e:\pikkubot\openmetaverse_data\bump_shirt_wrinkles.tga
e:\pikkubot\openmetaverse_data\bump_upperbody_base.tga
e:\pikkubot\openmetaverse_data\eyebrows_alpha.tga
e:\pikkubot\openmetaverse_data\eyeliner_alpha.tga
e:\pikkubot\openmetaverse_data\eyeshadow_inner_alpha.tga
e:\pikkubot\openmetaverse_data\eyeshadow_outer_alpha.tga
e:\pikkubot\openmetaverse_data\eyewhite.tga
e:\pikkubot\openmetaverse_data\facehair_chincurtains_alpha.tga
e:\pikkubot\openmetaverse_data\facehair_moustache_alpha.tga
e:\pikkubot\openmetaverse_data\facehair_sideburns_alpha.tga
e:\pikkubot\openmetaverse_data\facehair_soulpatch_alpha.tga
e:\pikkubot\openmetaverse_data\freckles_alpha.tga
e:\pikkubot\openmetaverse_data\glove_length_alpha.tga
e:\pikkubot\openmetaverse_data\gloves_fingers_alpha.tga
e:\pikkubot\openmetaverse_data\head_alpha.tga
e:\pikkubot\openmetaverse_data\head_color.tga
e:\pikkubot\openmetaverse_data\head_hair.tga
e:\pikkubot\openmetaverse_data\head_highlights_alpha.tga
e:\pikkubot\openmetaverse_data\head_shading_alpha.tga
e:\pikkubot\openmetaverse_data\head_skingrain.tga
e:\pikkubot\openmetaverse_data\jacket_length_lower_alpha.tga
e:\pikkubot\openmetaverse_data\jacket_length_upper_alpha.tga
e:\pikkubot\openmetaverse_data\jacket_open_lower_alpha.tga
e:\pikkubot\openmetaverse_data\jacket_open_upper_alpha.tga
e:\pikkubot\openmetaverse_data\lipgloss_alpha.tga
e:\pikkubot\openmetaverse_data\lips_mask.tga
e:\pikkubot\openmetaverse_data\lipstick_alpha.tga
e:\pikkubot\openmetaverse_data\lowerbody_color.tga
e:\pikkubot\openmetaverse_data\lowerbody_highlights_alpha.tga
e:\pikkubot\openmetaverse_data\lowerbody_shading_alpha.tga
e:\pikkubot\openmetaverse_data\nailpolish_alpha.tga
e:\pikkubot\openmetaverse_data\pants_length_alpha.tga
e:\pikkubot\openmetaverse_data\pants_waist_alpha.tga
e:\pikkubot\openmetaverse_data\rosyface_alpha.tga
e:\pikkubot\openmetaverse_data\rouge_alpha.tga
e:\pikkubot\openmetaverse_data\shirt_bottom_alpha.tga
e:\pikkubot\openmetaverse_data\shirt_collar_alpha.tga
e:\pikkubot\openmetaverse_data\shirt_collar_back_alpha.tga
e:\pikkubot\openmetaverse_data\shirt_sleeve_alpha.tga
e:\pikkubot\openmetaverse_data\shoe_height_alpha.tga
e:\pikkubot\openmetaverse_data\skirt_length_alpha.tga
e:\pikkubot\openmetaverse_data\skirt_slit_back_alpha.tga
e:\pikkubot\openmetaverse_data\skirt_slit_front_alpha.tga
e:\pikkubot\openmetaverse_data\skirt_slit_left_alpha.tga
e:\pikkubot\openmetaverse_data\skirt_slit_right_alpha.tga
e:\pikkubot\openmetaverse_data\underpants_trial_female.tga
e:\pikkubot\openmetaverse_data\underpants_trial_male.tga
e:\pikkubot\openmetaverse_data\undershirt_trial_female.tga
e:\pikkubot\openmetaverse_data\upperbody_color.tga
e:\pikkubot\openmetaverse_data\upperbody_highlights_alpha.tga
e:\pikkubot\openmetaverse_data\upperbody_shading_alpha.tga
e:\pikkubot\openmetaverse_data\upperbodyfreckles_alpha.tga
e:\pikkubot\OpenMetaverseTypes.dll
e:\pikkubot\PikkuBot-Flutterby_Swallowtail.exe
e:\pikkubot\PikkuBot-Uninstall.exe
e:\pikkubot\PikkuBot.exe
e:\pikkubot\PikkuControl.exe
e:\pikkubot\PikkuHelper.exe
e:\pikkubot\PikkuStarter.exe
e:\pikkubot\PikkuTiny.exe
e:\pikkubot\PikkuTinyStarter.exe
e:\pikkubot\PikkuUpdater.exe
e:\pikkubot\PrimMesher.dll
e:\pikkubot\resource\boot.ico
e:\pikkubot\resource\dialog.wav
e:\pikkubot\resource\hinweis.ico
e:\pikkubot\resource\icon.ico
e:\pikkubot\resource\im.ico
e:\pikkubot\resource\im.wav
e:\pikkubot\resource\notnear.ico
e:\pikkubot\resource\online.wav
e:\pikkubot\resource\sitting.ico
e:\pikkubot\resource\standing.ico
e:\pikkubot\resource\Thumbs.db
e:\pikkubot\resource\title.jpg
e:\pikkubot\sqlite\linux\libopenjpeg-dotnet.so
e:\pikkubot\sqlite\linux\libsqlite3.so.0
e:\pikkubot\sqlite\linux\log4net.dll
e:\pikkubot\sqlite\linux\System.Data.SQLite.dll
e:\pikkubot\sqlite\pikkubot_v101.db
e:\pikkubot\sqlite\sqlite3.exe
e:\pikkubot\sqlite3.dll
e:\pikkubot\System.Data.SQLite.DLL
e:\pikkubot\textures\02c4eae7-b6a3-b4b0-44b0-b7b29d7f913f
e:\pikkubot\textures\093c662a-ec5d-931d-5259-4044c05e1512
e:\pikkubot\textures\1a81dda6-b7c9-90fe-d32a-125d8d91b59f
e:\pikkubot\textures\35ce2a8b-b287-64ae-7a89-f42132ced632
e:\pikkubot\textures\d6b4f048-8768-1246-fa0a-6735d5a770b1
e:\pikkubot\textures\e3cfd1cb-b98e-7c59-c6d7-653c9db9b786
e:\pikkubot\textures\ff55f527-3e0e-6ef7-e952-f566c19e9b5b
e:\pikkubot\TOS_0008.dat
e:\pikkubot\XMLRPC.dll

.
--------------- FCopy ---------------

c:\windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\kbdclass.sys --> c:\windows\System32\drivers\kbdclass.sys
.
(((((((((((((((((((((((((   Files Created from 2010-10-18 to 2010-11-18  )))))))))))))))))))))))))))))))
.

2010-11-18 03:26 . 2010-11-18 03:36    --------    d-----w-    c:\users\Nikki\AppData\Local\temp
2010-11-18 03:26 . 2010-11-18 03:26    --------    d-----w-    c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-11-18 03:26 . 2010-11-18 03:26    --------    d-----w-    c:\users\Default\AppData\Local\temp
2010-11-16 23:33 . 2010-11-16 23:33    388096    ----a-r-    c:\users\Nikki\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-15 23:54 . 2010-11-15 23:54    --------    d-----w-    c:\windows\system32\config\systemprofile\AppData\Local\Mozilla
2010-11-15 20:55 . 2010-10-27 06:13    553696    ----a-w-    c:\program files\Mozilla Firefox\uninstall\helper.exe
2010-11-15 20:55 . 2010-10-27 06:13    25048    ----a-w-    c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-11-15 20:55 . 2010-10-27 06:13    140248    ----a-w-    c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-11-15 20:55 . 2010-10-27 06:13    66520    ----a-w-    c:\program files\Mozilla Firefox\plugins\npnul32.dll
2010-11-15 06:32 . 2010-11-15 06:58    --------    d-----w-    c:\programdata\FarmFrenzy3_Russia
2010-11-15 06:20 . 2010-11-15 06:20    --------    d-----w-    c:\program files\iPod
2010-11-15 06:20 . 2010-11-15 06:26    --------    d-----w-    c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-15 06:19 . 2010-11-15 06:19    --------    d-----w-    c:\program files\Apple Software Update
2010-11-15 06:14 . 2010-11-15 06:14    --------    d-----w-    c:\program files\Bonjour
2010-11-13 19:43 . 2010-11-13 19:43    --------    d-----w-    c:\programdata\Alwil Software
2010-11-13 10:06 . 2010-11-13 10:06    --------    d-----w-    c:\programdata\cerasus.media
2010-11-12 02:45 . 2010-11-12 02:45    --------    d-----w-    c:\users\Nikki\AppData\Roaming\Western Software Technologies
2010-11-12 02:26 . 2010-11-12 02:26    --------    d-----w-    c:\users\Nikki\AppData\Roaming\MagicIndie
2010-11-12 02:14 . 2010-11-12 02:14    --------    d-----w-    c:\users\Nikki\AppData\Roaming\Namco
2010-11-11 20:06 . 2010-11-11 20:06    --------    d-----w-    c:\users\Nikki\AppData\Local\IBAGroup
2010-11-06 23:58 . 2010-11-06 23:58    --------    d-----w-    c:\programdata\Funny Bear Studio
2010-11-05 01:25 . 2010-11-05 01:25    --------    d-----w-    c:\programdata\Reflexive
2010-11-04 22:12 . 2010-11-04 22:12    --------    d-----w-    c:\users\Nikki\AppData\Roaming\UNOUndercover
2010-10-26 11:03 . 2010-10-26 11:03    --------    d-----w-    C:\$AVG

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-14 01:00 . 2010-04-16 17:35    472808    ----a-w-    c:\windows\system32\deployJava1.dll
2010-10-14 00:48 . 2010-10-14 00:45    359487442    ----a-w-    C:\regbackup.reg
2010-10-07 20:23 . 2010-10-07 20:23    91424    ----a-w-    c:\windows\system32\dnssd.dll
2010-10-07 20:23 . 2010-10-07 20:23    107808    ----a-w-    c:\windows\system32\dns-sd.exe
2010-09-13 13:56 . 2010-10-12 19:07    8147456    ----a-w-    c:\windows\system32\wmploc.DLL
2010-09-08 18:17 . 2010-09-08 18:17    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17    69632    ----a-w-    c:\windows\system32\QuickTime.qts
2010-09-06 16:20 . 2010-10-12 19:12    125952    ----a-w-    c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-12 19:12    17920    ----a-w-    c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-12 19:12    304128    ----a-w-    c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-12 19:12    145408    ----a-w-    c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-12 19:12    102400    ----a-w-    c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-12 19:09    954752    ----a-w-    c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-12 19:09    954288    ----a-w-    c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-12 18:49    531968    ----a-w-    c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-12 19:11    2038272    ----a-w-    c:\windows\system32\win32k.sys
2010-08-26 16:37 . 2010-10-12 19:10    157184    ----a-w-    c:\windows\system32\t2embed.dll
2010-08-20 16:05 . 2010-10-12 18:54    867328    ----a-w-    c:\windows\system32\wmpmde.dll
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521} ----

2010-11-15 06:26 . 2010-11-15 06:26    1942    ----a-w-    c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxInstallLog.txt
2009-06-03 17:32 . 2009-06-03 17:32    7994    ----a-w-    c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\gearaspiwdmx86.cat
2009-05-18 21:48 . 2009-05-18 21:48    2763    ----a-w-    c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\GEARAspiWDM.inf
2009-05-18 21:17 . 2009-05-18 21:17    26600    ----a-w-    c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspiWDM.sys
2009-02-04 21:56 . 2009-02-04 21:56    75112    ----a-w-    c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DifXInstall32.exe
2008-04-17 20:12 . 2008-04-17 20:12    107368    ----a-w-    c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspi.dll
2006-11-02 14:21 . 2006-11-02 14:21    319456    ----a-w-    c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxAPI.dll

---- Directory of c:\progra~2\Alwil Software ----

2010-11-14 08:53 . 2010-11-14 08:53    146    ----a-w-    c:\progra~2\Alwil Software\Avast5\log\error.log
2010-11-13 20:56 . 2010-11-13 20:56    11784    ----a-w-    c:\progra~2\Alwil Software\Avast5\chest\00000001
2010-11-13 20:16 . 2010-11-14 20:09    33360    ----a-w-    c:\progra~2\Alwil Software\Avast5\db1c90661e7570a66-f4f4c034.dat
2010-11-13 20:16 . 2010-11-14 20:09    4728    ----a-w-    c:\progra~2\Alwil Software\Avast5\db1c9103380eb0bbc-eafbcee6.dat
2010-11-13 19:54 . 2010-11-14 20:09    72316    ----a-w-    c:\progra~2\Alwil Software\Avast5\log\aswAr.log
2010-11-13 19:49 . 2010-11-14 20:03    611220    ----a-w-    c:\progra~2\Alwil Software\Avast5\log\usntr.log
2010-11-13 19:46 . 2010-11-14 20:09    1355    ----a-w-    c:\progra~2\Alwil Software\Avast5\log\AshWebSv.ws
2010-11-13 19:46 . 2010-11-13 21:35    1898    ----a-w-    c:\progra~2\Alwil Software\Avast5\log\Mail.log
2010-11-13 19:46 . 2010-11-13 20:56    492    ----a-w-    c:\progra~2\Alwil Software\Avast5\chest\index.xml
2010-11-13 19:46 . 2010-11-14 20:09    283    ----a-w-    c:\progra~2\Alwil Software\Avast5\log\Chest.log
2010-11-13 19:46 . 2010-11-14 19:52    672    ----a-w-    c:\progra~2\Alwil Software\Avast5\report\WebShield.txt
2010-11-13 19:46 . 2010-11-14 19:52    672    ----a-w-    c:\progra~2\Alwil Software\Avast5\report\FileSystemShield.txt
2010-11-13 19:46 . 2010-11-14 19:52    671    ----a-w-    c:\progra~2\Alwil Software\Avast5\report\P2PShield.txt
2010-11-13 19:46 . 2010-11-14 19:52    672    ----a-w-    c:\progra~2\Alwil Software\Avast5\report\NetworkShield.txt
2010-11-13 19:46 . 2010-11-14 19:52    672    ----a-w-    c:\progra~2\Alwil Software\Avast5\report\IMShield.txt
2010-11-13 19:46 . 2010-11-13 21:35    254    ----a-w-    c:\progra~2\Alwil Software\Avast5\report\EmailShield.txt
2010-11-13 19:46 . 2010-11-14 19:52    672    ----a-w-    c:\progra~2\Alwil Software\Avast5\report\BehaviorShield.txt
2010-11-13 19:46 . 2010-11-14 20:09    30720    ----a-w-    c:\progra~2\Alwil Software\Avast5\Log.db
2010-11-13 19:46 . 2010-11-13 19:46    0    ----a-w-    c:\progra~2\Alwil Software\Avast5\aswResp.dat
2010-11-13 19:46 . 2010-11-14 18:13    3780    ----a-w-    c:\progra~2\Alwil Software\Avast5\log\nshield.log
2010-11-13 19:46 . 2010-11-13 19:46    358    ----a-w-    c:\progra~2\Alwil Software\Avast5\log\selfdef.log
2010-11-13 19:46 . 2010-11-14 20:02    591342    ----a-w-    c:\progra~2\Alwil Software\Avast5\log\Setup.log
2010-11-13 19:44 . 2010-09-07 15:24    1981    ----a-w-    c:\progra~2\Alwil Software\Avast5\HtmlData\Blocked.htm
2010-11-13 19:44 . 2010-09-07 15:24    12039    ----a-w-    c:\progra~2\Alwil Software\Avast5\HtmlData\image001.png
2010-11-13 19:44 . 2010-09-07 15:24    56488    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\1033\pup_detected.wav
2010-11-13 19:44 . 2010-09-07 15:24    44162    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\1033\scan_completed.wav
2010-11-13 19:44 . 2010-09-07 15:24    43826    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\1033\suspicious_detected.wav
2010-11-13 19:44 . 2010-09-07 15:24    43272    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\1033\threat_detected.wav
2010-11-13 19:44 . 2010-09-07 15:24    45162    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\1033\virus_db_updated.wav
2010-11-13 19:44 . 2010-09-07 15:24    21264    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\1033\welcome.wav
2010-11-13 19:44 . 2010-09-07 15:24    24164    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\fw_question.wav
2010-11-13 19:44 . 2010-09-07 15:24    24654    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\scan_completed.wav
2010-11-13 19:44 . 2010-09-07 15:24    21178    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\threat_detected.wav
2010-11-13 19:44 . 2010-09-07 15:24    12992    ----a-w-    c:\progra~2\Alwil Software\Avast5\sounds\virus_db_updated.wav

---- Directory of c:\progra~2\cerasus.media ----


---- Directory of c:\progra~2\FarmFrenzy3_Russia ----

2010-11-15 06:58 . 2010-11-15 06:58    360    ----a-w-    c:\progra~2\FarmFrenzy3_Russia\sys\settings.xml
2010-11-15 06:58 . 2010-11-15 06:58    30460    ----a-w-    c:\progra~2\FarmFrenzy3_Russia\profiles\00000001.xml
2010-11-15 06:58 . 2010-11-15 06:58    5332    ----a-w-    c:\progra~2\FarmFrenzy3_Russia\besttimes.xml
2010-11-15 06:33 . 2010-11-15 06:58    284    ----a-w-    c:\progra~2\FarmFrenzy3_Russia\profiles\profiles.xml


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 92704]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-09 451896]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:"

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-25 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2960264855-3727281212-3489713650-1000]
"EnableNotificationsRef"=dword:00000001

R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-02-03 23096]
R3 SndTVideo;SndTVideo;c:\windows\system32\DRIVERS\SndTVideo.sys [2009-02-03 3768]
R3 vsdatant7;vsdatant7;c:\windows\system32\drivers\vsdatant.win7.sys
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2009-07-23 81920]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2009-07-23 2736128]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-11-17 c:\windows\Tasks\User_Feed_Synchronization-{BEAFF61F-CE39-47DF-A7FA-AAAFE5EBEF17}.job
- c:\windows\system32\msfeedssync.exe [2009-12-09 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
IE: &SHOUTcast Search - c:\programdata\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - e:\micros~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Nikki\AppData\Roaming\Mozilla\Firefox\Profiles\sg942z11.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://urlseek.vmn.net/search.php?type=dns&tbn=vidtomp3dn&q=
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\users\Nikki\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: e:\java\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\java\bin\new_plugin\npjp2.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-PikkuBot - e:\pikkubot\PikkuBot-Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-17 19:34
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2960264855-3727281212-3489713650-1000\Software\SecuROM\License information*]
"datasecu"=hex:fc,b0,33,50,3b,0f,40,9f,ae,63,8c,b7,59,21,21,ae,8a,20,01,92,88,
   cb,47,5f,43,de,a4,7b,a5,d3,16,23,55,82,13,2b,c3,f9,e0,e6,d1,82,52,f7,5d,d0,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2972)
c:\program files\RocketDock\RocketDock.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\LEXBCES.EXE
c:\windows\System32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\conime.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-11-17  19:44:05 - machine was rebooted
ComboFix-quarantined-files.txt  2010-11-18 03:44
ComboFix2.txt  2010-11-17 20:55

Pre-Run: 16,424,689,664 bytes free
Post-Run: 16,271,794,176 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=55 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55
- - End Of File - - D9AAE42BEBF478D85D884E9C4CEDF028


And here is the Mbam log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5142

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

11/17/2010 8:18:18 PM
mbam-log-2010-11-17 (20-18-18).txt

Scan type: Quick scan
Objects scanned: 148914
Time elapsed: 11 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

1972vet
5 Tungsten

Re: code 80073EFE and browser hijacking

Good work! Aside from the old AVG folder, which can go (you can delete it if you want to), everything looks fine. How's it behaving for you now?

Disabled Veteran, U.S.C.G. 1972 - 1978
Member: [url=http://www.uniteagainstmalware.com/]U.N.I.T.E.[/url], [url=http://asap.maddoktor2.com/]A.S.A.P.[/url]

[url=http://www.microsoft.com/windowsxp/using/setup/maintain/improveperf.mspx]Windows XP Performance and Maintenance[/url]
[url=http://windowshelp.microsoft.com/Windows/en-US/maintenance.mspx]Windows Vista Performance and Maintenance[/url]
[url=http://www.microsoft.com/atwork/maintenance/speed.aspx]Windows 7 Performance and Maintenance[/url]
