Review of Hijackthis Log file

Mark Marquez
Can someone please look at my HJT log file and direct me on what to eliminate. I have been having browser redirect problems with both Firefox and IE. ACERhijackthis.log
Sure, post it and we'll give it a try

Commented:
Post it here
O23 - Service: a7c7c2d8ff2412c0f5382efb4f7d9b1fsa (bcdacccfbbdadf) - Unknown owner - C:\WINDOWS\bcdacccfbbdadf.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{310FF38D-A2D7-47D4-BD21-5200534B83C1}: NameServer = 68.105.28.12,68.105.28.11
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

All of these appear to be infections of some type
Sorry, got a little too happy with my copy/paste; These should be fine:

O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

Commented:
These all seem related to Asian character translation.
You could attach files directly to your post here. See the attachment sign below the comment frame.

Commented:
The only suspect record I can see is:

O23 - Service: a7c7c2d8ff2412c0f5382efb4f7d9b1fsa (bcdacccfbbdadf) - Unknown owner - C:\WINDOWS\bcdacccfbbdadf.exe

If you recently updated Internet Explorer, it probably changed your default page and search engine to some MS links. You could change this back yourself.
Top Expert 2009

Commented:
If you are getting redirects try TdssKiller
http://support.kaspersky.com/viruses/solutions?qid=208280684

If still having issues, run ComboFix and post the logfile here
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Author

Commented:
I deleted per Darksquire's post. Restarted PC. Still happening with IE, but Firefox appears to be working?
Ran HJT again. Will try TdssKiller per optoma's post.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:01 AM, on 7/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\F-Secure Internet Security\Common\FSHDLL32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TestOut\Orbis\OrbisClient.Services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Content Manager\CmTray.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wired.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Norton Ghost 15.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [Magellan CmTray] C:\Program Files\Content Manager\CmTray.exe
O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
O4 - Startup: Nikon Monitor.lnk = ?
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/62.06/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.3.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://sslvpn.demo.sonicwall.com/msrdp.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/AbacastClient2.0.20.3.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{310FF38D-A2D7-47D4-BD21-5200534B83C1}: NameServer = 68.105.28.12,68.105.28.11
O23 - Service: a7c7c2d8ff2412c0f5382efb4f7d9b1fsa (bcdacccfbbdadf) - Unknown owner - C:\WINDOWS\bcdacccfbbdadf.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
O23 - Service: GenericMount Helper Service - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: LabSim Configuration and Security (OrbisClient.Services) - Unknown owner - C:\Program Files\TestOut\Orbis\OrbisClient.Services.exe

--
End of file - 8043 bytes

Author

Commented:
Per optoma, I ran both TdssKiller and ComboFix. TdssKiller found nothing; it came up clean.

ComboFix appears to have corrected the redirect issue. Thank you everyone.

here is the combofix log:
 
*Changed to Code Snippet by rpggamergirl, ZAPE*

ComboFix 10-06-30.03 - Mark Marquez 07/01/2010 8:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.457 [GMT -7:00]
Running from: c:\documents and settings\Mark Marquez\Desktop\ComboFix.exe
AV: F-Secure Anti-Virus 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Anti-Virus 2008 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mark Marquez\g2mdlhlpx.exe
c:\windows\bcdacccfbbdadf.exe
c:\windows\system32\bcdacccfbbdadf.dll
c:\windows\system32\Cache
c:\windows\system32\drivers\snetcfg.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_bcdacccfbbdadf
-------\Service_bcdacccfbbdadf


((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 15:22 . 2010-07-01 15:23 -------- d-----w- C:\tdsskiller
2010-07-01 13:12 . 2010-07-01 13:12 -------- d-----w- c:\program files\Trend Micro
2010-06-30 10:56 . 2010-06-30 10:56 80896 ----a-w- c:\windows\system32\ffaa.sys
2010-06-24 10:49 . 2010-07-01 16:02 171000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-21 19:16 . 2010-06-21 19:16 -------- d-----w- c:\program files\SystemRequirementsLab
2010-06-21 19:16 . 2010-06-21 19:16 85504 ----a-w- c:\documents and settings\Mark Marquez\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-06-21 19:16 . 2010-06-21 19:16 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\SystemRequirementsLab
2010-06-19 14:39 . 2010-01-25 18:58 462848 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2010-06-19 14:39 . 2010-01-15 21:25 864256 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll
2010-06-19 14:39 . 2010-01-15 21:25 372736 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe
2010-06-19 14:39 . 2010-06-01 18:44 3907584 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2010-06-19 14:39 . 2010-01-15 21:26 70984 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2010-06-19 14:39 . 2010-01-15 21:25 315392 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll
2010-06-17 20:26 . 2010-06-17 20:26 50354 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Facebook\uninstall.exe
2010-06-17 20:26 . 2010-06-17 20:26 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\Facebook
2010-06-11 05:00 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-03 02:41 . 2010-06-03 02:41 3600384 -c--a-w- c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 07:02 . 2007-02-01 21:10 -------- d-----w- c:\program files\DynDNS Updater
2010-06-25 17:40 . 2007-02-02 22:24 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\AdobeUM
2010-06-24 16:23 . 2010-03-04 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-06-22 22:16 . 2007-02-01 19:58 106496 ----a-w- c:\windows\DUMP3a98.tmp
2010-06-21 17:05 . 2008-09-03 17:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-10 22:02 . 2008-07-07 05:05 -------- d-----w- c:\program files\FLV Player
2010-06-08 13:57 . 2010-03-15 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 13:57 . 2009-12-17 01:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 17:20 . 2009-09-02 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TestOut
2010-05-25 19:51 . 2010-05-25 19:51 503808 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\msvcp71.dll
2010-05-25 19:51 . 2010-05-25 19:51 499712 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\jmc.dll
2010-05-25 19:51 . 2010-05-25 19:51 12800 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d186ab8-n\decora-d3d.dll
2010-05-25 19:51 . 2010-05-25 19:51 61440 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d186ab8-n\decora-sse.dll
2010-05-25 19:51 . 2010-05-25 19:51 348160 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\msvcr71.dll
2010-05-23 04:57 . 2010-05-23 04:54 -------- d-----w- c:\program files\Content Manager
2010-05-23 04:54 . 2006-07-20 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 10:41 . 2006-03-04 03:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2005-10-06 00:06 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-03-15 22:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-15 22:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 21:30 . 2008-02-14 17:15 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-04-20 05:51 . 2004-08-04 05:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 22:08 . 2010-04-16 22:08 503808 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\msvcp71.dll
2010-04-16 22:08 . 2010-04-16 22:08 499712 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\jmc.dll
2010-04-16 22:08 . 2010-04-16 22:08 348160 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\msvcr71.dll
2010-04-16 22:08 . 2010-04-16 22:08 61440 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72710818-n\decora-sse.dll
2010-04-16 22:08 . 2010-04-16 22:08 12800 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72710818-n\decora-d3d.dll
2010-04-13 00:29 . 2010-04-16 22:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-05-14 21:29 . 2009-10-21 17:29 8520 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2006-05-03 09:06 . 2009-09-21 15:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-21 15:06 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-21 15:06 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="c:\program files\DynDNS Updater\DynDNS.exe" [2006-09-17 1352704]
"Magellan CmTray"="c:\program files\Content Manager\CmTray.exe" [2010-02-12 446464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-22 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-22 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-22 81920]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2009-07-09 199264]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2009-07-09 2349664]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Norton Ghost 15.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2009-10-02 2596712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\Mark Marquez\Start Menu\Programs\Startup\
BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2006-6-1 430080]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-2-1 724992]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Marquez^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Mark Marquez\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:00 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-07-13 23:01 169264 -c--a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"Maxtor Sync Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"SymSnapService"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"LightScribeService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"bfccaaaccfcaab"=2 (0x2)
"bcdacccfbbdadf"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Multi File Downloader\\MultiFileDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [10/8/2009 2:41 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [12/10/2008 6:34 AM 80000]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [10/8/2009 2:40 PM 68064]
R1 ffaa;ffaa;c:\windows\system32\ffaa.sys [6/30/2010 3:56 AM 80896]
R2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\TestOut\Orbis\OrbisClient.Services.exe [3/23/2010 2:32 PM 14336]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [12/10/2008 6:34 AM 111296]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [10/8/2009 2:40 PM 55992]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [9/21/2009 9:26 PM 46192]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 9:25 PM 1571336]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [4/25/2007 2:31 PM 19640]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/3/2004 10:00 PM 5120]
S4 bfccaaaccfcaab;a7c7c2d8ff2412c0f5382efb4f7d9b1fsv;c:\windows\bfccaaaccfcaab.exe /s --> c:\windows\bfccaaaccfcaab.exe [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [12/10/2008 6:34 AM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [12/10/2008 6:34 AM 25184]
S4 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [9/21/2009 9:19 PM 1964528]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - UBHELPER
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\Mark's My Docs Backup.job
- c:\windows\system32\ntbackup.exe [2004-08-04 05:00]

2010-07-01 c:\windows\Tasks\User_Feed_Synchronization-{6863240A-8EF2-4C51-A0C3-591E389CB587}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wired.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
Trusted Zone: itsupport247.net\control
TCP: {310FF38D-A2D7-47D4-BD21-5200534B83C1} = 68.105.28.12,68.105.28.11
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/62.06/uploader2.cab
FF - ProfilePath - c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Mark Marquez\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-eRecoveryService - c:\acer\Empowering Technology\eRecovery\eRAgent.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 09:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-131446749-1983420115-2050264482-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-131446749-1983420115-2050264482-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0340D5E0-CAA9-364B-65E7-7E3776A898C5}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="[long value omitted]"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program files\f-secure internet security\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(596)
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
c:\program files\f-secure internet security\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(3144)
c:\windows\system32\WININET.dll
c:\program files\f-secure internet security\hips\fshook32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure Internet Security\Common\FSMA32.EXE
c:\program files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\F-Secure Internet Security\Common\FSHDLL32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fssm32.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fsav32.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2010-07-01 09:13:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-01 16:13

Pre-Run: 4,051,984,384 bytes free
Post-Run: 4,220,321,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CBF11FDAC833CE27A9281AB6E8818D08

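What the experts do by eye in this thread (spotting the randomly named, unknown-owner O23 service in the HijackThis log, and the `S4 bfccaaaccfcaab ... [?]` and `ffaa` driver entries in the ComboFix log) can be written down as a small triage script. This is an added example, not code from the thread or from the HijackThis or ComboFix tools; the sample lines are constructed from the logs posted above, and the heuristics (letters-a-to-f-only names, unknown owner with the binary sitting directly in the Windows directory, a `[?]` marker meaning the file is gone) are assumptions of this example, not rules either tool applies.

```python
"""Triage helpers for HijackThis O17/O23 lines and ComboFix driver/service lines.

Heuristics (assumptions of this example, not rules from the thread or tools):
  * a service/driver name made only of the letters a-f, at least 4 long, looks
    machine-generated (the thread's bcdacccfbbdadf / bfccaaaccfcaab / ffaa);
  * an O23 service with "Unknown owner" whose binary sits directly in the
    Windows directory (not a Program Files or system32 subfolder) is suspect;
  * a ComboFix service line ending in "[?]" means the binary was not found.
"""
import re
from dataclasses import dataclass, field

RANDOM_NAME = re.compile(r"[a-f]{4,}")  # heuristic, see module docstring
O23_LINE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^)]+)\))?"
    r" - (?P<owner>.*?) - (?P<path>.*)$"
)
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
CF_SERVICE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# Constructed sample: a subset of the HijackThis log posted above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O17 - HKLM\System\CCS\Services\Tcpip\..\{310FF38D-A2D7-47D4-BD21-5200534B83C1}: NameServer = 68.105.28.12,68.105.28.11
O23 - Service: a7c7c2d8ff2412c0f5382efb4f7d9b1fsa (bcdacccfbbdadf) - Unknown owner - C:\WINDOWS\bcdacccfbbdadf.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: LabSim Configuration and Security (OrbisClient.Services) - Unknown owner - C:\Program Files\TestOut\Orbis\OrbisClient.Services.exe
"""

# Constructed sample: a subset of the ComboFix driver/service section above.
COMBOFIX_SAMPLE = r"""
R1 ffaa;ffaa;c:\windows\system32\ffaa.sys [6/30/2010 3:56 AM 80896]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [10/8/2009 2:40 PM 55992]
S4 bfccaaaccfcaab;a7c7c2d8ff2412c0f5382efb4f7d9b1fsv;c:\windows\bfccaaaccfcaab.exe /s --> c:\windows\bfccaaaccfcaab.exe [?]
S4 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [9/21/2009 9:19 PM 1964528]
"""


@dataclass
class Finding:
    source: str                                  # "HJT" or "ComboFix"
    name: str                                    # service/driver name, or "NameServer" for O17
    reasons: list = field(default_factory=list)  # why it was flagged


def looks_random(name: str) -> bool:
    """True for names built only from the letters a-f (e.g. bcdacccfbbdadf)."""
    return RANDOM_NAME.fullmatch(name.lower()) is not None


def triage_hjt(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = O23_LINE.match(line)
        if m:
            name = m["name"] or m["display"]
            reasons = []
            if looks_random(name):
                reasons.append("machine-generated-looking service name")
            parent = m["path"].strip('"').rsplit("\\", 1)[0].lower()
            if m["owner"] == "Unknown owner" and parent.endswith("\\windows"):
                reasons.append("unknown owner, binary directly in the Windows directory")
            if reasons:
                findings.append(Finding("HJT", name, reasons))
            continue
        m = O17_LINE.match(line)
        if m:
            # Resolver addresses matter for redirect problems: confirm they are the ISP's.
            findings.append(Finding("HJT", "NameServer", ["review resolvers: " + m["servers"]]))
    return findings


def triage_combofix(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = CF_SERVICE.match(line)
        if not m:
            continue
        reasons = []
        if looks_random(m["name"]):
            reasons.append("machine-generated-looking driver/service name")
        if m["rest"].rstrip().endswith("[?]"):
            reasons.append("registered but binary not found on disk")
        if reasons:
            findings.append(Finding("ComboFix", m["name"], reasons))
    return findings


def triage(hjt_text: str, combofix_text: str) -> dict:
    """Return {name: [reasons]} for everything flagged in either log."""
    out = {}
    for f in triage_hjt(hjt_text) + triage_combofix(combofix_text):
        out.setdefault(f.name, []).extend(f.reasons)
    return out


if __name__ == "__main__":
    for name, reasons in triage(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the two samples it flags `bcdacccfbbdadf` (two reasons), `bfccaaaccfcaab` (random name and `[?]`), `ffaa` (random name only, since its file was still on disk in the first ComboFix run) and lists the O17 resolvers for review, while the F-Secure, Symantec and TestOut entries pass; the `OrbisClient.Services` line shows that "Unknown owner" by itself is not enough to flag a service.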

Author

Commented:
Still having redirect issues in both Firefox and IE
Top Expert 2009

Commented:
Hi.
Check these files out at VirusTotal and post back a link with the results. May or may not be bad.

c:\windows\system32\ffaa.sys
c:\windows\bfccaaaccfcaab.exe
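VirusTotal can also be searched by file hash, so computing the SHA-256 locally lets a suspect binary be looked up without uploading it. The helper below is an added example, not part of the thread or of any tool named in it; it takes the two paths optoma asks about as plain inputs and reports, rather than failing on, a file that is already gone from disk (as `ffaa.sys` turns out to be).

```python
"""SHA-256 the files an analyst has been asked to check, for a hash lookup.

Added example. The paths are the two named in the thread; a file that has
already been removed is reported as absent instead of raising an error.
"""
import hashlib
import os

REQUESTED = [
    r"c:\windows\system32\ffaa.sys",
    r"c:\windows\bfccaaaccfcaab.exe",
]


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str):
    """Hex SHA-256 of the file at path, or None when the file is absent."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream, do not slurp
            h.update(chunk)
    return h.hexdigest()


def hashes_for_lookup(paths) -> dict:
    """Map each requested path to its digest, or None if it no longer exists."""
    return {p: sha256_file(p) for p in paths}


if __name__ == "__main__":
    for path, digest in hashes_for_lookup(REQUESTED).items():
        print(f"{path}: {digest or 'not present on disk (already removed?)'}")
```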
Top Expert 2007
Commented:

c:\windows\system32\ffaa.sys <-- this file has already been deleted, just the service left.

Run ComboFix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\bfccaaaccfcaab.exe

Driver::
bfccaaaccfcaab
ffaa

RegNull::
[HKEY_USERS\S-1-5-21-131446749-1983420115-2050264482-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0340D5E0-CAA9-364B-65E7-7E3776A898C5}*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 

There's an article for Google search Hijackers here.
"Google Hijack" - Google Search gets redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html#discussion

Author

Commented:
rpggamergirl's file appears to have corrected the Google redirect issue. Below is the recent ComboFix log file.

*Changed to Code Snippet, rpggamergirl, ZAPE*

ComboFix 10-07-01.02 - Mark Marquez 07/01/2010 15:38:13.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.554 [GMT -7:00]
Running from: c:\documents and settings\Mark Marquez\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Marquez\Desktop\CFScript.txt
AV: F-Secure Anti-Virus 2010 10.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Anti-Virus 2008 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

FILE ::
"c:\windows\bfccaaaccfcaab.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BFCCAAACCFCAAB
-------\Legacy_FFAA
-------\Service_bfccaaaccfcaab
-------\Service_ffaa


((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 15:22 . 2010-07-01 15:23 -------- d-----w- C:\tdsskiller
2010-07-01 13:12 . 2010-07-01 13:12 -------- d-----w- c:\program files\Trend Micro
2010-06-30 10:56 . 2010-06-30 10:56 80896 ----a-w- c:\windows\system32\ffaa.sys
2010-06-24 10:49 . 2010-07-01 22:46 171000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-21 19:16 . 2010-06-21 19:16 -------- d-----w- c:\program files\SystemRequirementsLab
2010-06-21 19:16 . 2010-06-21 19:16 85504 ----a-w- c:\documents and settings\Mark Marquez\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-06-21 19:16 . 2010-06-21 19:16 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\SystemRequirementsLab
2010-06-19 14:39 . 2010-01-25 18:58 462848 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2010-06-19 14:39 . 2010-01-15 21:25 864256 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll
2010-06-19 14:39 . 2010-01-15 21:25 372736 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe
2010-06-19 14:39 . 2010-06-01 18:44 3907584 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2010-06-19 14:39 . 2010-01-15 21:26 70984 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2010-06-19 14:39 . 2010-01-15 21:25 315392 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll
2010-06-17 20:26 . 2010-06-17 20:26 50354 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Facebook\uninstall.exe
2010-06-17 20:26 . 2010-06-17 20:26 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\Facebook
2010-06-11 05:00 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-03 02:41 . 2010-06-03 02:41 3600384 -c--a-w- c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 07:02 . 2007-02-01 21:10 -------- d-----w- c:\program files\DynDNS Updater
2010-06-25 17:40 . 2007-02-02 22:24 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\AdobeUM
2010-06-24 16:23 . 2010-03-04 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-06-22 22:16 . 2007-02-01 19:58 106496 -c--a-w- c:\windows\DUMP3a98.tmp
2010-06-21 17:05 . 2008-09-03 17:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-10 22:02 . 2008-07-07 05:05 -------- d-----w- c:\program files\FLV Player
2010-06-08 13:57 . 2010-03-15 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 13:57 . 2009-12-17 01:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 17:20 . 2009-09-02 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TestOut
2010-05-25 19:51 . 2010-05-25 19:51 503808 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\msvcp71.dll
2010-05-25 19:51 . 2010-05-25 19:51 499712 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\jmc.dll
2010-05-25 19:51 . 2010-05-25 19:51 12800 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d186ab8-n\decora-d3d.dll
2010-05-25 19:51 . 2010-05-25 19:51 61440 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d186ab8-n\decora-sse.dll
2010-05-25 19:51 . 2010-05-25 19:51 348160 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\msvcr71.dll
2010-05-23 04:57 . 2010-05-23 04:54 -------- d-----w- c:\program files\Content Manager
2010-05-23 04:54 . 2006-07-20 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 10:41 . 2006-03-04 03:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2005-10-06 00:06 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-03-15 22:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-15 22:18 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 21:30 . 2008-02-14 17:15 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-04-20 05:51 . 2004-08-04 05:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 22:08 . 2010-04-16 22:08 503808 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\msvcp71.dll
2010-04-16 22:08 . 2010-04-16 22:08 499712 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\jmc.dll
2010-04-16 22:08 . 2010-04-16 22:08 348160 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\msvcr71.dll
2010-04-16 22:08 . 2010-04-16 22:08 61440 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72710818-n\decora-sse.dll
2010-04-16 22:08 . 2010-04-16 22:08 12800 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72710818-n\decora-d3d.dll
2010-04-13 00:29 . 2010-04-16 22:08 411368 -c--a-w- c:\windows\system32\deployJava1.dll
2009-05-14 21:29 . 2009-10-21 17:29 8520 -c--a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2006-05-03 09:06 . 2009-09-21 15:06 163328 -csh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-21 15:06 31232 -csh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-21 15:06 216064 -csh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-01_16.07.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-01 22:47 . 2010-07-01 22:47 16384 c:\windows\temp\Perflib_Perfdata_590.dat
+ 2008-12-15 18:37 . 2010-07-01 22:48 212174 c:\windows\system32\inetsrv\MetaBase.bin
+ 2004-08-04 05:00 . 2006-11-07 08:06 600576 c:\windows\system32\dllcache\mstsc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="c:\program files\DynDNS Updater\DynDNS.exe" [2006-09-17 1352704]
"Magellan CmTray"="c:\program files\Content Manager\CmTray.exe" [2010-02-12 446464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-22 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-22 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-22 81920]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2009-07-09 199264]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2009-07-09 2349664]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Norton Ghost 15.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2009-10-02 2596712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\Mark Marquez\Start Menu\Programs\Startup\
BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2006-6-1 430080]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-2-1 724992]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Marquez^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Mark Marquez\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:00 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-07-13 23:01 169264 -c--a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"Maxtor Sync Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"SymSnapService"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"LightScribeService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"bfccaaaccfcaab"=2 (0x2)
"bcdacccfbbdadf"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Multi File Downloader\\MultiFileDownloader.exe"=
"c:\\Program Files\\BUFFALO\\NASNAVI\\NasNavi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [10/8/2009 2:41 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [12/10/2008 6:34 AM 80000]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [10/8/2009 2:40 PM 68064]
R2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\TestOut\Orbis\OrbisClient.Services.exe [3/23/2010 2:32 PM 14336]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [12/10/2008 6:34 AM 111296]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [9/21/2009 9:26 PM 46192]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [10/8/2009 2:40 PM 55992]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 9:25 PM 1571336]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [4/25/2007 2:31 PM 19640]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/3/2004 10:00 PM 5120]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [12/10/2008 6:34 AM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [12/10/2008 6:34 AM 25184]
S4 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [9/21/2009 9:19 PM 1964528]
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\Mark's My Docs Backup.job
- c:\windows\system32\ntbackup.exe [2004-08-04 05:00]

2010-07-01 c:\windows\Tasks\User_Feed_Synchronization-{6863240A-8EF2-4C51-A0C3-591E389CB587}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
Trusted Zone: itsupport247.net\control
TCP: {310FF38D-A2D7-47D4-BD21-5200534B83C1} = 68.105.28.12,68.105.28.11
FF - ProfilePath - c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Mark Marquez\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 15:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-131446749-1983420115-2050264482-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\program files\f-secure internet security\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(588)
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
c:\program files\f-secure internet security\hips\fshook32.dll

- - - - - - - > 'explorer.exe'(2056)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure Internet Security\Common\FSMA32.EXE
c:\program files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fssm32.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\F-Secure Internet Security\Common\FSLAUNCHER0.EXE
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-07-01 16:02:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-01 23:02
ComboFix2.txt 2010-07-01 19:58
ComboFix3.txt 2010-07-01 16:13

Pre-Run: 5,886,967,808 bytes free
Post-Run: 5,840,760,832 bytes free

- - End Of File - - 5282C01266B2F6F49CE55C1F1A6C34BE


Top Expert 2007

Commented:
Good that the redirect has stopped.
c:\windows\system32\ffaa.sys
Sorry, this file seems to still exist in there, but the relevant service is gone.
 
Run ComboFix again using this script to remove that file and the reg values.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\ffaa.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"bfccaaaccfcaab"=-
"bcdacccfbbdadf"=-
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
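The two checks the experts in this thread apply by eye (spotting the randomly named service/driver entries such as bfccaaaccfcaab, bcdacccfbbdadf and ffaa, and confirming from the next ComboFix log that the targeted file actually went, rather than trusting that the service removal took the file with it) can be scripted. The Python below is an added example written for this page; it is not part of the thread, of HijackThis or of ComboFix. The log excerpts inside it are constructed from the lines posted above, the "only 0-9a-f characters in the name" and "image sitting directly in c:\windows" rules are heuristics of my own rather than anything the tools define, and a hit is a reason to upload the file to VirusTotal, not proof of infection.

```python
"""Triage helpers for HijackThis / ComboFix logs: an added example, not code from
the thread, HijackThis or ComboFix. Flags service/driver entries whose short name
is a pure 0-9a-f string (bfccaaaccfcaab, ffaa), whose image sits directly in the
Windows root, whose owner is unknown or whose file ComboFix marked "[?]"; and
counts a removal as confirmed only once the path is listed under "Other Deletions"
in the next run. MIN_RANDOM_LEN and the Windows-root rule are assumptions."""
import re
from collections import namedtuple

HEX_ALPHABET = set("0123456789abcdef")
MIN_RANDOM_LEN = 4  # assumption: "ffaa" is the shortest generated name in the thread
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|sys|dll)$", re.I)
SECTION_HDR = re.compile(r"^\(+\s*(.*?)\s*\)+$")                 # ((((( Title )))))
COMBOFIX_SVC = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.*)$")   # R0 name;display;path [..]
MSCONFIG_SVC = re.compile(r'^"([^"]+)"=\d+ \(0x[0-9a-fA-F]+\)$')  # "name"=2 (0x2)
HJT_O23 = re.compile(r"^O23 - Service: (.+?) \((.+?)\) - (.+?) - (.+)$")
FILES_CREATED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (.+)$")
Finding = namedtuple("Finding", "name image reasons")

def suspicious_name(name):
    # Genuine names (fsbts, FSFW, AVP, idsvc) always contain a letter outside a-f.
    n = name.strip().lower()
    return len(n) >= MIN_RANDOM_LEN and all(c in HEX_ALPHABET for c in n)

def _judge(name, path, owner=None):
    unresolved = path.rstrip().endswith("[?]")
    image = path.split(" [")[0].strip()  # drop ComboFix's trailing "[date size]"
    reasons = []
    if suspicious_name(name):
        reasons.append("pure hex-alphabet name")
    if WINDOWS_ROOT.match(image):
        reasons.append("image directly in the Windows root")
    if unresolved:
        reasons.append("image file not resolved by ComboFix ([?])")
    if owner and owner.strip().lower() == "unknown owner":
        reasons.append("no registered owner")
    return Finding(name, image, reasons) if reasons else None

def triage(text):
    """One Finding per O23, R*/S* driver or msconfig service line that trips a rule."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HJT_O23.match(line):
            f = _judge(m.group(2), m.group(4), m.group(3))  # short name, path, owner
        elif m := COMBOFIX_SVC.match(line):
            f = _judge(m.group(1), m.group(3))
        elif m := MSCONFIG_SVC.match(line):
            f = _judge(m.group(1), "")
        else:
            continue
        if f:
            out.append(f)
    return out

def sections(log):
    """Split a ComboFix log on its banner lines into {title: [lines]}."""
    secs, cur = {"": []}, ""
    for raw in log.splitlines():
        line = raw.strip()
        if m := SECTION_HDR.match(line):
            cur = m.group(1)
            secs.setdefault(cur, [])
        else:
            secs[cur].append(line)
    return secs

def cleanup_status(log, path):
    """'deleted', 'still present' (still in Files Created) or 'not mentioned'."""
    want = path.strip().lower()
    secs = sections(log)
    if want in {l.lower() for l in secs.get("Other Deletions", [])}:
        return "deleted"
    for title, lines in secs.items():
        if title.startswith("Files Created"):
            for l in lines:
                if (m := FILES_CREATED.match(l)) and m.group(1).strip().lower() == want:
                    return "still present"
    return "not mentioned"

# Constructed excerpts modelled on the thread's logs, not the real files.
SAMPLE_HJT = r"""O23 - Service: a7c7c2d8ff2412c0f5382efb4f7d9b1fsa (bcdacccfbbdadf) - Unknown owner - C:\WINDOWS\bcdacccfbbdadf.exe
O23 - Service: Example Vendor Service (ExampleSvc) - Example Vendor - C:\Program Files\Example\svc.exe
"""
SAMPLE_RUN1 = r"""((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
2010-06-30 10:56 . 2010-06-30 10:56 80896 ----a-w- c:\windows\system32\ffaa.sys
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"bfccaaaccfcaab"=2 (0x2)
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [10/8/2009 2:41 PM 33920]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
"""
SAMPLE_RUN2 = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\ffaa.sys
((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
2010-07-01 15:22 . 2010-07-01 15:23 -------- d-----w- C:\tdsskiller
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT + SAMPLE_RUN1):
        print(f"{f.name:<20} {'; '.join(f.reasons)}")
    for label, log in (("run 1", SAMPLE_RUN1), ("run 2", SAMPLE_RUN2)):
        print(label, cleanup_status(log, r"c:\windows\system32\ffaa.sys"))
```

Run as-is it reports the three entries from the constructed excerpt and shows ffaa.sys as "still present" in the first run and "deleted" in the second, which is exactly the difference between the two ComboFix logs posted in this thread. To use it on a real log, read the file into a string and pass it to triage() and cleanup_status(); the eLock2 hit is a reminder that an unresolved "[?]" driver is usually an orphaned leftover from an uninstall rather than malware, so check the vendor before scripting its removal.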

Author

Commented:
OK, hopefully it's gone. Thanks.
 
*Changed to Code Snippet, rpggamergirl, ZAPE*

ComboFix 10-07-01.02 - Mark Marquez 07/01/2010 19:53:07.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.468 [GMT -7:00]
Running from: c:\documents and settings\Mark Marquez\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Marquez\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: F-Secure Anti-Virus 2008 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

FILE ::
"c:\windows\system32\ffaa.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ffaa.sys

.
((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-07-01 23:28 . 2010-07-01 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-07-01 15:22 . 2010-07-01 15:23 -------- d-----w- C:\tdsskiller
2010-07-01 13:12 . 2010-07-01 13:12 -------- d-----w- c:\program files\Trend Micro
2010-06-24 10:49 . 2010-07-02 03:01 171000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-21 19:16 . 2010-06-21 19:16 -------- d-----w- c:\program files\SystemRequirementsLab
2010-06-21 19:16 . 2010-06-21 19:16 85504 ----a-w- c:\documents and settings\Mark Marquez\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-06-21 19:16 . 2010-06-21 19:16 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\SystemRequirementsLab
2010-06-19 14:39 . 2010-01-25 18:58 462848 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2010-06-19 14:39 . 2010-01-15 21:25 864256 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll
2010-06-19 14:39 . 2010-01-15 21:25 372736 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe
2010-06-19 14:39 . 2010-06-01 18:44 3907584 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2010-06-19 14:39 . 2010-01-15 21:26 70984 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2010-06-19 14:39 . 2010-01-15 21:25 315392 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll
2010-06-17 20:26 . 2010-06-17 20:26 50354 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Facebook\uninstall.exe
2010-06-17 20:26 . 2010-06-17 20:26 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\Facebook
2010-06-11 05:00 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-03 02:41 . 2010-06-03 02:41 3600384 -c--a-w- c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 03:42 . 2010-07-01 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-07-02 00:01 . 2010-07-02 00:01 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-07-02 00:01 . 2010-07-02 00:01 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-07-02 00:01 . 2010-07-02 00:01 133648 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-07-02 00:01 . 2010-07-02 00:01 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-07-02 00:01 . 2010-07-01 23:31 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-02 00:01 . 2010-07-01 23:31 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-02 00:01 . 2010-07-02 00:01 133720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-07-02 00:01 . 2010-07-02 00:01 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-07-02 00:01 . 2010-07-02 00:01 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-07-02 00:01 . 2010-07-02 00:01 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-07-01 23:30 . 2010-07-01 23:30 -------- d-----w- c:\program files\Kaspersky Lab
2010-07-01 23:17 . 2008-12-10 13:34 -------- d-----w- c:\program files\F-Secure Internet Security
2010-07-01 23:10 . 2008-12-10 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-07-01 07:02 . 2007-02-01 21:10 -------- d-----w- c:\program files\DynDNS Updater
2010-06-25 17:40 . 2007-02-02 22:24 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\AdobeUM
2010-06-24 16:23 . 2010-03-04 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-06-22 22:16 . 2007-02-01 19:58 106496 -c--a-w- c:\windows\DUMP3a98.tmp
2010-06-21 17:05 . 2008-09-03 17:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-10 22:02 . 2008-07-07 05:05 -------- d-----w- c:\program files\FLV Player
2010-06-08 13:57 . 2010-03-15 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 13:57 . 2009-12-17 01:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 17:20 . 2009-09-02 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TestOut
2010-05-25 19:51 . 2010-05-25 19:51 503808 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\msvcp71.dll
2010-05-25 19:51 . 2010-05-25 19:51 499712 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\jmc.dll
2010-05-25 19:51 . 2010-05-25 19:51 12800 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d186ab8-n\decora-d3d.dll
2010-05-25 19:51 . 2010-05-25 19:51 61440 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d186ab8-n\decora-sse.dll
2010-05-25 19:51 . 2010-05-25 19:51 348160 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\msvcr71.dll
2010-05-23 04:57 . 2010-05-23 04:54 -------- d-----w- c:\program files\Content Manager
2010-05-23 04:54 . 2006-07-20 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 10:41 . 2006-03-04 03:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2005-10-06 00:06 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-03-15 22:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-15 22:18 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 21:30 . 2008-02-14 17:15 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-04-20 05:51 . 2004-08-04 05:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 22:08 . 2010-04-16 22:08 503808 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\msvcp71.dll
2010-04-16 22:08 . 2010-04-16 22:08 499712 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\jmc.dll
2010-04-16 22:08 . 2010-04-16 22:08 348160 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\msvcr71.dll
2010-04-16 22:08 . 2010-04-16 22:08 61440 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72710818-n\decora-sse.dll
2010-04-16 22:08 . 2010-04-16 22:08 12800 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72710818-n\decora-d3d.dll
2010-04-13 00:29 . 2010-04-16 22:08 411368 -c--a-w- c:\windows\system32\deployJava1.dll
2009-05-14 21:29 . 2009-10-21 17:29 8520 -c--a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2006-05-03 09:06 . 2009-09-21 15:06 163328 -csh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-21 15:06 31232 -csh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-21 15:06 216064 -csh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-01_16.07.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-02 03:03 . 2010-07-02 03:03 16384 c:\windows\temp\Perflib_Perfdata_6c4.dat
+ 2006-07-20 02:06 . 2010-07-01 23:10 87398 c:\windows\system32\perfc009.dat
+ 2009-09-10 02:01 . 2009-09-10 02:01 27675 c:\windows\system32\drivers\klopp.dat
+ 2009-10-03 02:39 . 2009-10-03 02:39 19472 c:\windows\system32\drivers\klmouflt.sys
+ 2009-09-14 21:42 . 2009-09-14 21:42 32272 c:\windows\system32\drivers\klim5.sys
+ 2009-10-15 04:18 . 2009-10-15 04:18 36880 c:\windows\system32\drivers\klbg.sys
+ 2007-02-01 20:00 . 2010-07-02 03:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-01 20:00 . 2007-02-01 20:01 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-01 20:00 . 2010-07-02 03:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-01 20:00 . 2007-02-01 20:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-07-02 01:37 . 2010-07-02 03:04 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-02-01 20:00 . 2007-02-01 20:01 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-07-20 02:06 . 2010-07-01 23:10 496400 c:\windows\system32\perfh009.dat
+ 2009-10-21 03:34 . 2009-10-21 03:34 219664 c:\windows\system32\klogon.dll
+ 2008-12-15 18:37 . 2010-07-02 03:04 212171 c:\windows\system32\inetsrv\MetaBase.bin
+ 2010-07-01 23:30 . 2010-07-02 00:01 315408 c:\windows\system32\drivers\klif.sys
+ 2009-09-01 22:29 . 2009-09-01 22:29 128016 c:\windows\system32\drivers\kl1.sys
+ 2004-08-04 05:00 . 2006-11-07 08:06 600576 c:\windows\system32\dllcache\mstsc.exe
+ 2010-07-01 23:36 . 2010-07-01 23:36 3400704 c:\windows\Installer\c13ab.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="c:\program files\DynDNS Updater\DynDNS.exe" [2006-09-17 1352704]
"Magellan CmTray"="c:\program files\Content Manager\CmTray.exe" [2010-02-12 446464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-22 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-22 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-22 81920]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Norton Ghost 15.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2009-10-02 2596712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\Mark Marquez\Start Menu\Programs\Startup\
BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2006-6-1 430080]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-2-1 724992]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Marquez^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Mark Marquez\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:00 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-07-13 23:01 169264 -c--a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"Maxtor Sync Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"SymSnapService"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"LightScribeService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Multi File Downloader\\MultiFileDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\TestOut\Orbis\OrbisClient.Services.exe [3/23/2010 2:32 PM 14336]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [9/21/2009 9:26 PM 46192]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 9:25 PM 1571336]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [4/25/2007 2:31 PM 19640]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/3/2004 10:00 PM 5120]
S4 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [9/21/2009 9:19 PM 1964528]
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\Mark's My Docs Backup.job
- c:\windows\system32\ntbackup.exe [2004-08-04 05:00]

2010-07-01 c:\windows\Tasks\User_Feed_Synchronization-{6863240A-8EF2-4C51-A0C3-591E389CB587}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: itsupport247.net\control
TCP: {310FF38D-A2D7-47D4-BD21-5200534B83C1} = 68.105.28.12,68.105.28.11
FF - ProfilePath - c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Mark Marquez\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 20:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-131446749-1983420115-2050264482-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2400)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2010-07-01 20:46:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-02 03:46
ComboFix2.txt 2010-07-01 23:02
ComboFix3.txt 2010-07-01 19:58
ComboFix4.txt 2010-07-01 16:13

Pre-Run: 5,665,918,976 bytes free
Post-Run: 5,744,947,200 bytes free

- - End Of File - - 8A554DE08BF7EB4D4D6A538131C9BECF

Top Expert 2007

Commented:
Yes, the file is gone.

Just one more thing: I noticed Kaspersky antivirus files/drivers in the log. You must've installed it at some stage, and I assume those are just remnants since you're using F-Secure Internet Security.

You can remove those files/folder/services manually or we can also let ComboFix take care of those with a script.

Author

Commented:
Actually, I uninstalled F-Secure and downloaded and installed Kaspersky. A script would be great!

Thank you!
Top Expert 2007

Commented:
>>>"Actually, I uninstalled f-secure and downloaded and installed Kaspersky. A script would be great!"<<<

Oh I see, sorry, what I saw from the Hijackthis log's running processes was F-Secure, ooops, :)

Okay here's the script to remove F-Secure's redundant folders.
F-Secure uninstalled more cleanly than most scanners; just the folders and an entry in the Security Centre were left behind. Some scanners also leave redundant services behind.

If you prefer, instead of running ComboFix again you can delete those 2 folders yourself manually; how to remove the redundant entry from the Security Centre is shown in my article:

Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/A_2088.html

OR, just run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Folder::
c:\program files\F-Secure Internet Security
c:\documents and settings\All Users\Application Data\F-Secure

SecCenter::
FW: F-Secure Anti-Virus 2008 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Author

Commented:
rpggamergirl,

Thank you for all of your help.
It's very appreciated.
 
*CF log changed to Code Snippet by rpggamergirl, ZAPE*

ComboFix 10-07-01.02 - Mark Marquez 07/02/2010 10:25:47.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.360 [GMT -7:00]
Running from: c:\documents and settings\Mark Marquez\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Marquez\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\F-Secure
c:\documents and settings\All Users\Application Data\F-Secure\Daas2\acl\fsc_revoke_hq.acl
c:\documents and settings\All Users\Application Data\F-Secure\Daas2\acl\fsc_root.acl
c:\documents and settings\All Users\Application Data\F-Secure\Daas2\cert\fsc (revoke hq).crl
c:\documents and settings\All Users\Application Data\F-Secure\logs\custom\custinstall.log
c:\documents and settings\All Users\Application Data\F-Secure\logs\DAAS2\DAAS2INS.LOG
c:\documents and settings\All Users\Application Data\F-Secure\logs\DAAS2\Daas2Uni.LOG
c:\documents and settings\All Users\Application Data\F-Secure\logs\FSAV\Users\removal.log
c:\documents and settings\All Users\Application Data\F-Secure\logs\FSFW\action.log
c:\documents and settings\All Users\Application Data\F-Secure\logs\FSMA\fsma.log
c:\documents and settings\All Users\Application Data\F-Secure\logs\FSMA\fsma_old.log
c:\documents and settings\All Users\Application Data\F-Secure\logs\fstnb\POSTINSTALL.log
c:\documents and settings\All Users\Application Data\F-Secure\logs\HIPS\hips_install.log
c:\documents and settings\All Users\Application Data\F-Secure\logs\HIPS\hips_uninstall.log
c:\documents and settings\All Users\Application Data\F-Secure\logs\ilaunchr.log
c:\documents and settings\All Users\Application Data\F-Secure\logs\ORSP Client\ORSPINST.LOG
c:\documents and settings\All Users\Application Data\F-Secure\logs\ORSP Client\OrspUnin.LOG
c:\documents and settings\All Users\Application Data\F-Secure\logs\ORSP Client\orspupd.log
c:\documents and settings\All Users\Application Data\F-Secure\setup\ih8.cfg
c:\program files\F-Secure Internet Security
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\02@corp.mf
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\02@corp.ref
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\fm4av.dll
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\FS@corp.ini
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\fsav.cr
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\fsgk32.exe
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\fships.dll
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\fshive.dll
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\fssm32.exe
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\fsuss.dll
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\scanningplatform_900.ini
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\scanningplatform_900.mf
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\upd_fsav32.exe
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\upd_fsgk.sys
c:\program files\F-Secure Internet Security\Anti-Virus\dbbackup\fsgkhs\upd_fsgk_x64.sys
c:\program files\F-Secure Internet Security\Anti-Virus\fa_gem.log
c:\program files\F-Secure Internet Security\Anti-Virus\fa_peg.log
c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32st_update.log
c:\program files\F-Secure Internet Security\Anti-Virus\fshive.dll
c:\program files\F-Secure Internet Security\Anti-Virus\fssm32wl.cfg
c:\program files\F-Secure Internet Security\Anti-Virus\scanningplatform_900.ini
c:\program files\F-Secure Internet Security\Anti-Virus\scanningplatform_900.mf
c:\program files\F-Secure Internet Security\Anti-Virus\upd_fsgk_x64.sys
c:\program files\F-Secure Internet Security\Anti-Virus\updcfg.dll
c:\program files\F-Secure Internet Security\Anti-Virus\updgkh.log
c:\program files\F-Secure Internet Security\Common\daas2_cdsa.cr
c:\program files\F-Secure Internet Security\config.xml.IS2007_Customization
c:\program files\F-Secure Internet Security\config.xml.P00000303
c:\program files\F-Secure Internet Security\config.xml.P00000303.fssg
c:\program files\F-Secure Internet Security\FSGUI\POSTINSTALL.apilog
c:\program files\F-Secure Internet Security\fssg.xml.P00000303
c:\program files\F-Secure Internet Security\hotfix.xml
c:\program files\F-Secure Internet Security\ih8.cfg

.
((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-07-01 23:28 . 2010-07-01 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-07-01 15:22 . 2010-07-01 15:23 -------- d-----w- C:\tdsskiller
2010-07-01 13:12 . 2010-07-01 13:12 -------- d-----w- c:\program files\Trend Micro
2010-06-24 10:49 . 2010-07-02 03:01 171000 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-21 19:16 . 2010-06-21 19:16 -------- d-----w- c:\program files\SystemRequirementsLab
2010-06-21 19:16 . 2010-06-21 19:16 85504 ----a-w- c:\documents and settings\Mark Marquez\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-06-21 19:16 . 2010-06-21 19:16 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\SystemRequirementsLab
2010-06-19 14:39 . 2010-01-25 18:58 462848 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2010-06-19 14:39 . 2010-01-15 21:25 864256 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll
2010-06-19 14:39 . 2010-01-15 21:25 372736 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe
2010-06-19 14:39 . 2010-06-01 18:44 3907584 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2010-06-19 14:39 . 2010-01-15 21:26 70984 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2010-06-19 14:39 . 2010-01-15 21:25 315392 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll
2010-06-17 20:26 . 2010-06-17 20:26 50354 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Facebook\uninstall.exe
2010-06-17 20:26 . 2010-06-17 20:26 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\Facebook
2010-06-11 05:00 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-03 02:41 . 2010-06-03 02:41 3600384 -c--a-w- c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 07:04 . 2007-02-01 21:10 -------- d-----w- c:\program files\DynDNS Updater
2010-07-02 03:42 . 2010-07-01 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-07-02 00:01 . 2010-07-02 00:01 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-07-02 00:01 . 2010-07-02 00:01 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-07-02 00:01 . 2010-07-02 00:01 133648 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-07-02 00:01 . 2010-07-02 00:01 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-07-02 00:01 . 2010-07-01 23:31 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-02 00:01 . 2010-07-01 23:31 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-02 00:01 . 2010-07-02 00:01 133720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-07-02 00:01 . 2010-07-02 00:01 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-07-02 00:01 . 2010-07-02 00:01 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-07-02 00:01 . 2010-07-02 00:01 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-07-01 23:30 . 2010-07-01 23:30 -------- d-----w- c:\program files\Kaspersky Lab
2010-06-25 17:40 . 2007-02-02 22:24 -------- d-----w- c:\documents and settings\Mark Marquez\Application Data\AdobeUM
2010-06-24 16:23 . 2010-03-04 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-06-22 22:16 . 2007-02-01 19:58 106496 -c--a-w- c:\windows\DUMP3a98.tmp
2010-06-21 17:05 . 2008-09-03 17:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-10 22:02 . 2008-07-07 05:05 -------- d-----w- c:\program files\FLV Player
2010-06-08 13:57 . 2010-03-15 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 13:57 . 2009-12-17 01:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-29 17:20 . 2009-09-02 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TestOut
2010-05-25 19:51 . 2010-05-25 19:51 503808 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\msvcp71.dll
2010-05-25 19:51 . 2010-05-25 19:51 499712 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\jmc.dll
2010-05-25 19:51 . 2010-05-25 19:51 12800 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d186ab8-n\decora-d3d.dll
2010-05-25 19:51 . 2010-05-25 19:51 61440 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7d186ab8-n\decora-sse.dll
2010-05-25 19:51 . 2010-05-25 19:51 348160 ----a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2961bede-n\msvcr71.dll
2010-05-23 04:57 . 2010-05-23 04:54 -------- d-----w- c:\program files\Content Manager
2010-05-23 04:54 . 2006-07-20 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 10:41 . 2006-03-04 03:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2005-10-06 00:06 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-03-15 22:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-15 22:18 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 21:30 . 2008-02-14 17:15 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2010-04-20 05:51 . 2004-08-04 05:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 22:08 . 2010-04-16 22:08 503808 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\msvcp71.dll
2010-04-16 22:08 . 2010-04-16 22:08 499712 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\jmc.dll
2010-04-16 22:08 . 2010-04-16 22:08 348160 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e3bba5c-n\msvcr71.dll
2010-04-16 22:08 . 2010-04-16 22:08 61440 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72710818-n\decora-sse.dll
2010-04-16 22:08 . 2010-04-16 22:08 12800 -c--a-w- c:\documents and settings\Mark Marquez\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-72710818-n\decora-d3d.dll
2010-04-13 00:29 . 2010-04-16 22:08 411368 -c--a-w- c:\windows\system32\deployJava1.dll
2009-05-14 21:29 . 2009-10-21 17:29 8520 -c--a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2006-05-03 09:06 . 2009-09-21 15:06 163328 -csh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-21 15:06 31232 -csh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-21 15:06 216064 -csh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-01_16.07.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-02 03:03 . 2010-07-02 03:03 16384 c:\windows\temp\Perflib_Perfdata_6c4.dat
+ 2006-07-20 02:06 . 2010-07-01 23:10 87398 c:\windows\system32\perfc009.dat
+ 2009-09-10 02:01 . 2009-09-10 02:01 27675 c:\windows\system32\drivers\klopp.dat
+ 2009-10-03 02:39 . 2009-10-03 02:39 19472 c:\windows\system32\drivers\klmouflt.sys
+ 2009-09-14 21:42 . 2009-09-14 21:42 32272 c:\windows\system32\drivers\klim5.sys
+ 2009-10-15 04:18 . 2009-10-15 04:18 36880 c:\windows\system32\drivers\klbg.sys
+ 2007-02-01 20:00 . 2010-07-02 03:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-01 20:00 . 2007-02-01 20:01 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-01 20:00 . 2010-07-02 03:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-01 20:00 . 2007-02-01 20:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-07-02 01:37 . 2010-07-02 03:04 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-02-01 20:00 . 2007-02-01 20:01 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-07-20 02:06 . 2010-07-01 23:10 496400 c:\windows\system32\perfh009.dat
+ 2009-10-21 03:34 . 2009-10-21 03:34 219664 c:\windows\system32\klogon.dll
+ 2008-12-15 18:37 . 2010-07-02 03:04 212171 c:\windows\system32\inetsrv\MetaBase.bin
+ 2010-07-01 23:30 . 2010-07-02 00:01 315408 c:\windows\system32\drivers\klif.sys
+ 2009-09-01 22:29 . 2009-09-01 22:29 128016 c:\windows\system32\drivers\kl1.sys
+ 2004-08-04 05:00 . 2006-11-07 08:06 600576 c:\windows\system32\dllcache\mstsc.exe
+ 2010-07-01 23:36 . 2010-07-01 23:36 3400704 c:\windows\Installer\c13ab.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="c:\program files\DynDNS Updater\DynDNS.exe" [2006-09-17 1352704]
"Magellan CmTray"="c:\program files\Content Manager\CmTray.exe" [2010-02-12 446464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-22 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-22 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-22 81920]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Norton Ghost 15.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2009-10-02 2596712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-21 340456]

c:\documents and settings\Mark Marquez\Start Menu\Programs\Startup\
BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2006-6-1 430080]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-2-1 724992]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Marquez^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Mark Marquez\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:00 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-07-13 23:01 169264 -c--a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"Maxtor Sync Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"SymSnapService"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"LightScribeService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Multi File Downloader\\MultiFileDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\TestOut\Orbis\OrbisClient.Services.exe [3/23/2010 2:32 PM 14336]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [9/21/2009 9:26 PM 46192]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 9:25 PM 1571336]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 8:03 PM 32408]
S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [4/25/2007 2:31 PM 19640]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/3/2004 10:00 PM 5120]
S4 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [9/21/2009 9:19 PM 1964528]
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\Mark's My Docs Backup.job
- c:\windows\system32\ntbackup.exe [2004-08-04 05:00]

2010-07-02 c:\windows\Tasks\User_Feed_Synchronization-{6863240A-8EF2-4C51-A0C3-591E389CB587}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: itsupport247.net\control
TCP: {310FF38D-A2D7-47D4-BD21-5200534B83C1} = 68.105.28.12,68.105.28.11
FF - ProfilePath - c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Mark Marquez\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Mark Marquez\Application Data\Mozilla\Firefox\Profiles\bsem5cmn.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-02 10:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-131446749-1983420115-2050264482-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-07-02 10:35:54
ComboFix-quarantined-files.txt 2010-07-02 17:35
ComboFix2.txt 2010-07-02 03:46
ComboFix3.txt 2010-07-01 23:02
ComboFix4.txt 2010-07-01 19:58
ComboFix5.txt 2010-07-02 17:24

Pre-Run: 5,490,372,608 bytes free
Post-Run: 5,622,390,784 bytes free

- - End Of File - - 1A0EB4124A28A197825B096C0364E1D4

ComboFix.txt
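As an added triage helper for logs in this format (example code written for this page, not part of the thread and not ComboFix's own tooling): it parses the R*/S* driver-and-service lines of the log above and flags entries whose image ComboFix could not stat (shown as `[?]`) or that are registered through an NT `\??\` object path. That reading of `[?]` as "file information unavailable" is an assumption about ComboFix's output.

```python
import re
from dataclasses import dataclass

# A ComboFix driver/service line looks like
#   R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
# R/S = running/stopped, digit = service start value (0 boot ... 4 disabled),
# then name;display name;image path and, in brackets, file date+size or "?".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)

# Sample input: lines copied from the log posted above, plus a separator line.
SAMPLE_LINES = [
    r"R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]",
    r"S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]",
    r"S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]",
    r"S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 9:25 PM 1571336]",
    ".",  # ComboFix section separator, not a service line
]

@dataclass
class ServiceEntry:
    state: str
    start: int
    name: str
    display: str
    path: str
    info: str

    @property
    def file_missing(self) -> bool:
        # Assumption: "[?]" means ComboFix could not stat the image, i.e. the
        # registered file is not on disk (orphaned or partially removed entry).
        return self.info.strip() == "?"

    @property
    def uses_nt_path(self) -> bool:
        # "\??\c:\..." is an NT object-manager path; most vendor drivers are
        # registered with a plain Win32 path, so this is worth a second look.
        return self.path.startswith("\\??\\")

def parse_services(lines: list[str]) -> list[ServiceEntry]:
    """Parse every R*/S* line; all other log lines are ignored."""
    entries = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["state"], int(m["start"]), m["name"],
                                        m["display"], m["path"], m["info"]))
    return entries

def triage(entries: list[ServiceEntry]) -> list[str]:
    """Names of entries a reviewer should check first: missing image or NT-style path."""
    return [e.name for e in entries if e.file_missing or e.uses_nt_path]
```

Run against the sample, `triage(parse_services(SAMPLE_LINES))` returns the two eLock2 drivers, which is exactly the pair a reviewer would want to confirm against the installed software list before deciding whether they are leftovers or something else.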

Author

Commented:
Truly enjoy this member's expertise.
Top Expert 2007

Commented:
You're welcome!
Glad to know the issue is now resolved.
To uninstall Combofix:
Go to Start > Run and copy and paste the next command into the field:

ComboFix /Uninstall

Or simply rename ComboFix.exe to Uninstall.exe and double click it.

Thank you for the nice feedback, much appreciated :)
