Possible Virus

edited June 2011 in Science & Tech
Hi, I think I may have a virus on my computer. I currently have ESET Smart Security installed. Every time I search for something on Google, a message from ESET pops up saying:

Address has been blocked. URL address: "zonedg.com/index.html?tq=gKY0sHoL7L+NyLhb..."
IP address: 96.9.169.85:80.

There is usually a delay before I am able to find the search results. When I click on a website from the search results, I am usually redirected to a bogus site, and have to press back and click on the website again before I am able to access it. Any help would be appreciated. I have posted the HijackThis log below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:19:59 PM, on 06/06/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lexmark 5200 Series\lxbtmon.exe
C:\Program Files\Lexmark 5200 Series\ezprint.exe
C:\Program Files\KeyScrambler\KeyScrambler.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Waheguru\AppData\Roaming\dwm.exe
C:\Users\Waheguru\AppData\Local\Temp\csrss.exe
C:\Users\Waheguru\AppData\Roaming\Microsoft\conhost.exe
C:\Program Files\Simply Accounting Accountants' Edition 2009\SimplyAccounting.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Waheguru\Downloads\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:62505
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Waheguru\AppData\Local\Temp\csrss.exe
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: cashtitan browser enhancer - {86D60878-C284-4947-22F4-B02DD72FF56A} - C:\Windows\system32\tpfqslteoliq.dll (file missing)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbtmon.exe] "C:\Program Files\Lexmark 5200 Series\lxbtmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5200 Series\ezprint.exe"
O4 - HKLM\..\Run: [KeyScrambler] C:\Program Files\KeyScrambler\keyscrambler.exe /a
O4 - HKLM\..\Run: [joyqhyvlrwo] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\tpfqslteoliq.dll"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DIMDownloading your update...1285781003180] "C:\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\DIM.exe" "c:\programdata\corel\downloads\540215253_610005\1285781003180\dim_params.xml" -Launch=3 -uibase="c:\users\waheguru\appdata\roaming\corel\messages\540215253_610005\en\messagecache1\workflow"
O4 - HKCU\..\Run: [conhost] C:\Users\Waheguru\AppData\Roaming\Microsoft\conhost.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10p_Plugin.exe -update plugin
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Waheguru\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll/206 (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFCEF8D-9A92-4BA9-9DE0-B30ED3889941}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Eset Trial Reset (.EsetTrialReset) - Unknown owner - C:\Windows\reset.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxbt_device - - C:\Windows\system32\lxbtcoms.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: ShadowExplorer Service (sesvc) - www.shadowexplorer.com - C:\Program Files\ShadowExplorer\sesvc.exe
O23 - Service: Simply Accounting Database Connection Manager - Sage Software - C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

--
End of file - 12120 bytes

Thanks again in advance,

-Bob39

Comments

  • Tushon (Alexandria, VA; Icrontian)
    edited June 2011
    I would run CCleaner (registry and temp file cleaner, removing all files), ComboFix, Malwarebytes (update then full scan), and CCleaner again, in that order. The redirects are probably due to a local proxy from a DLL that gets loaded:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:62505

    O2 - BHO: cashtitan browser enhancer - {86D60878-C284-4947-22F4-B02DD72FF56A} - C:\Windows\system32\tpfqslteoliq.dll (file missing)

    O4 - HKLM\..\Run: [joyqhyvlrwo] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\tpfqslteoliq.dll"
    This is the source of your issue. Run the tools I advised, in the order I advised, and you should be cured.

    and this may not be a cause for worry, but worth looking into:
    O4 - HKCU\..\Run: [conhost] C:\Users\Waheguru\AppData\Roaming\Microsoft\conhost.exe
    which disputes where it "should" be running from (system32). Read through the source for info on checking it out.


    Specific cashtitan removal instructions:
    Kill these processes:
    [random].exe
    BrowserHotfix4.exe
    Delete these registry values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[random]
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MSMSGS”=-
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run “[random]“=-
    Remove these DLLs:
    C:\WINDOWS\system32\[random].dll
    Delete these files:
    C:\Documents and Settings\[user]\Local Settings\Temp\BrowserHotfix4.exe
    C:\WINDOWS\system32\[random].exe
    
    Source
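The indicators Tushon singles out in the log above (a browser proxy pointing at 127.0.0.1, a BHO whose DLL is "missing" yet is silently re-registered at every logon through regsvr32, and conhost.exe / csrss.exe / dwm.exe running from the user profile instead of the Windows directory) can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the forum, from HijackThis or from any of the tools mentioned; it runs those checks over lines copied from the posted log (embedded as SAMPLE_LOG), and the allowlist of impersonated binary names and all function names are the example's own assumptions.

```python
"""Triage a HijackThis log for the hijacker indicators discussed in the thread.

Added example (not part of the original post). Checks implemented:
  * R1 ProxyServer entries that point the browser at localhost
  * O2 BHO entries marked "(file missing)"
  * O4 autoruns that call "regsvr32 /s" to re-register a DLL
  * any path whose file name is a well-known Windows binary (conhost.exe,
    csrss.exe, dwm.exe, ...) but which lives outside C:\Windows
"""
import re

# Windows binaries that malware commonly impersonates by name. The genuine
# copies live under C:\Windows or C:\Windows\system32 (constructed allowlist).
SYSTEM_BINARIES = {"conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "explorer.exe", "taskhost.exe", "services.exe"}
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")

# HijackThis section prefix, e.g. "O4 - HKLM\..\Run: [...]"
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")
# First drive-letter path ending in .exe inside an entry body
EXE_PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.exe)", re.IGNORECASE)

# Lines copied from the HijackThis log posted in this thread (constructed sample).
SAMPLE_LOG = r"""
C:\Windows\system32\taskhost.exe
C:\Users\Waheguru\AppData\Roaming\dwm.exe
C:\Users\Waheguru\AppData\Local\Temp\csrss.exe
C:\Users\Waheguru\AppData\Roaming\Microsoft\conhost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:62505
F3 - REG:win.ini: load=C:\Users\Waheguru\AppData\Local\Temp\csrss.exe
O2 - BHO: cashtitan browser enhancer - {86D60878-C284-4947-22F4-B02DD72FF56A} - C:\Windows\system32\tpfqslteoliq.dll (file missing)
O4 - HKLM\..\Run: [joyqhyvlrwo] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\tpfqslteoliq.dll"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [conhost] C:\Users\Waheguru\AppData\Roaming\Microsoft\conhost.exe
"""


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _under_windows(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in WINDOWS_DIRS)


def masquerade_finding(path):
    """Flag a path whose file name is a well-known Windows binary but whose
    directory is not the Windows directory (e.g. conhost.exe under AppData)."""
    path = path.strip().strip('"')
    if _basename(path) in SYSTEM_BINARIES and not _under_windows(path):
        return ("high", f"system binary name outside the Windows directory: {path}")
    return None


def triage_line(line):
    """Return a list of (severity, reason) findings for one HijackThis log line."""
    findings = []
    s = line.strip()
    if re.match(r"^[A-Za-z]:\\", s):            # "Running processes" entries are bare paths
        f = masquerade_finding(s)
        return [f] if f else []
    m = ENTRY_RE.match(s)
    if not m:
        return findings                          # headers, blank lines, footer
    kind, body = m.groups()
    if kind == "R1" and "ProxyServer" in body:
        pm = re.search(r"(?:127\.0\.0\.1|localhost):(\d+)", body)
        if pm:
            findings.append(("high", f"browser proxy points at localhost port {pm.group(1)}: {body}"))
    elif kind == "O2" and "(file missing)" in body:
        findings.append(("medium", f"BHO registered but its DLL is gone (check what recreates it): {body}"))
    elif kind == "O4" and re.search(r"regsvr32(?:\.exe)?\s+/s\b", body, re.IGNORECASE):
        findings.append(("high", f"autorun silently re-registers a DLL via regsvr32: {body}"))
    # Any entry (O4 Run, F3 win.ini load=, ...) may launch a masquerading binary
    pm = EXE_PATH_RE.search(body)
    if pm:
        f = masquerade_finding(pm.group(1))
        if f:
            findings.append(f)
    return findings


def triage_log(text):
    """Run triage_line over a whole log; returns [(line_no, severity, reason), ...]."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        for sev, reason in triage_line(line):
            results.append((n, sev, reason))
    return results


if __name__ == "__main__":
    for n, sev, reason in triage_log(SAMPLE_LOG):
        print(f"line {n:3d} [{sev:6s}] {reason}")
```

On the sample it reports eight findings: the three profile-resident copies of dwm.exe, csrss.exe and conhost.exe, the localhost proxy on port 62505, the win.ini load= entry and the HKCU Run entry that relaunch them, the regsvr32 autorun, and the missing-DLL BHO. The taskhost.exe and egui entries produce nothing, which is the point of keying on both the file name and the directory rather than the name alone.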
  • edited June 2011
    Hi, I did what you suggested in that order; however, my internet has stopped working. Before, I could use the internet; now it has stopped working completely. According to Windows Network and Sharing Center, I'm connected to an unidentified network and have no internet access. I've posted the ComboFix and Malwarebytes logs below (I transferred the logs onto my sister's computer, and am using that to post this reply. Her internet is still working using the same router that I'm connected to).

    Malwarebytes:

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6822

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    09/06/2011 8:20:31 PM
    mbam-log-2011-06-09 (20-20-31).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 442411
    Time elapsed: 1 hour(s), 10 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Waheguru\AppData\LocalLow\Sun\Java\deployment\cache\6.0\45\57c902ed-769d3e89 (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\Users\Waheguru\AppData\Local\fsvinpx.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\Users\Waheguru\AppData\Roaming\dwm.exe.vir (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\Users\Waheguru\AppData\Roaming\microsoft\conhost.exe.vir (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.


    Combofix:

    ComboFix 11-06-09.04 - Waheguru 09/06/2011 18:37:39.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.1919.650 [GMT -4:00]
    Running from: c:\users\Waheguru\Downloads\ComboFix.exe
    AV: ESET Smart Security 4.0 *Disabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
    FW: ESET Personal firewall *Disabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
    SP: ESET Smart Security 4.0 *Disabled/Outdated* {706E6083-750B-B597-533E-5FF310EF4B18}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Waheguru\AppData\Local\fsvinpx.exe
    c:\users\Waheguru\AppData\Roaming\Adobe\plugs
    c:\users\Waheguru\AppData\Roaming\Adobe\plugs\mmc127.exe
    c:\users\Waheguru\AppData\Roaming\Adobe\shed
    c:\users\Waheguru\AppData\Roaming\Adobe\shed\thr1.chm
    c:\users\Waheguru\AppData\Roaming\dwm.exe
    c:\users\Waheguru\AppData\Roaming\inst.exe
    c:\users\Waheguru\AppData\Roaming\Microsoft\conhost.exe
    c:\windows\jestertb.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-09 22:46 . 2011-06-09 22:46 d-----w- c:\users\Default\AppData\Local\temp
    2011-06-09 22:32 . 2011-06-09 22:34 d-----w- C:\32788R22FWJFW
    2011-06-09 22:16 . 2011-06-09 22:16 d-----w- c:\program files\CCleaner
    2011-06-09 11:54 . 2011-06-09 11:54 d-----w- c:\users\Waheguru\AppData\Local\{2BB96D21-A8CD-4E28-B00B-AB8ACB2E37D9}
    2011-06-08 23:54 . 2011-06-08 23:54 d-----w- c:\users\Waheguru\AppData\Local\{EAA15640-3E02-4E62-B09B-07E6164C6EF4}
    2011-06-08 10:51 . 2011-06-08 10:51 d-----w- c:\users\Waheguru\AppData\Local\{1A84138A-FC74-450C-8DCD-CCDD816A2116}
    2011-06-07 19:33 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CBA38FE9-124C-4C56-B432-3A3897C5F35B}\mpengine.dll
    2011-06-07 19:29 . 2011-06-07 19:29 d-----w- c:\users\Waheguru\AppData\Local\{E8166A80-74FA-4ABA-BF56-7429A06BC003}
    2011-06-06 23:05 . 2011-06-06 23:05 d-----w- c:\users\Waheguru\AppData\Local\{6FC5F93F-9880-4964-B0A8-A0F0D99B184A}
    2011-06-06 22:55 . 2011-06-06 22:55 41680 ----a-w- c:\windows\system32\drivers\xhkogjle.sys
    2011-06-06 11:05 . 2011-06-06 11:05 d-----w- c:\users\Waheguru\AppData\Local\{11EBAB8F-AB1C-4907-91B2-03B3E9752657}
    2011-06-05 21:44 . 2011-06-05 21:44 41680 ----a-w- c:\windows\system32\drivers\bfkjnrso.sys
    2011-06-05 21:34 . 2011-06-05 21:34 41680 ----a-w- c:\windows\system32\drivers\iauozxvd.sys
    2011-06-05 21:24 . 2011-06-05 21:24 41680 ----a-w- c:\windows\system32\drivers\mynxmtdr.sys
    2011-06-05 16:47 . 2011-06-05 16:48 d-----w- c:\users\Waheguru\AppData\Local\{1B708C42-999E-4A63-89A8-77E2BF411C42}
    2011-06-05 02:56 . 2011-06-05 02:57 d-----w- c:\users\Waheguru\AppData\Local\{6339F147-0A4F-41CF-AF1D-AF18E880EC4D}
    2011-06-05 02:56 . 2011-06-05 02:56 d-----w- c:\users\Waheguru\AppData\Local\{497A6E8D-8416-4594-BF3C-B58936F303B9}
    2011-06-04 14:25 . 2011-06-04 14:25 d-----w- c:\users\Waheguru\AppData\Local\{A2B6F57D-1BC4-4AE3-BA92-22191F618E04}
    2011-06-03 20:35 . 2011-06-03 20:35 d-----w- c:\users\Waheguru\AppData\Local\{7F40DC0B-82C4-4633-A3A5-9387B7CD15CF}
    2011-06-02 19:38 . 2011-06-02 19:38 d-----w- c:\users\Waheguru\AppData\Local\{C090FD56-C313-4E92-A77A-EEB3576BE715}
    2011-06-02 03:01 . 2011-06-02 03:01 d-----w- c:\users\Waheguru\AppData\Local\{04406DC5-E546-41D7-BCA1-D3DF1B2AE8B3}
    2011-06-01 11:35 . 2011-06-01 11:35 d-----w- c:\users\Waheguru\AppData\Local\{361688D0-55A9-4742-8664-7ABD0CE3A21F}
    2011-05-31 23:35 . 2011-05-31 23:35 d-----w- c:\users\Waheguru\AppData\Local\{6FF84046-4C91-4A63-8D04-9D4D066FF0F6}
    2011-05-31 11:34 . 2011-05-31 11:34 d-----w- c:\users\Waheguru\AppData\Local\{012C848D-2E56-424F-878D-96B5E0D53B68}
    2011-05-30 23:22 . 2011-05-30 23:22 d-----w- c:\users\Waheguru\AppData\Local\{DA79414A-C65C-47EF-92F7-A5DA6BB68C47}
    2011-05-30 11:21 . 2011-05-30 11:21 d-----w- c:\users\Waheguru\AppData\Local\{D64267E4-CD28-49E5-A576-6AF633734661}
    2011-05-29 17:50 . 2011-05-29 17:50 d-----w- c:\users\Waheguru\AppData\Local\{7558202E-1876-4DD1-A298-6D00A258018C}
    2011-05-29 02:04 . 2011-05-29 02:05 d-----w- c:\users\Waheguru\AppData\Local\{DF9DE0CA-DB62-48D4-BA78-BE1151CD0671}
    2011-05-26 11:36 . 2011-05-26 11:37 d-----w- c:\users\Waheguru\AppData\Local\{8A5ED13B-7DB6-4967-9DAB-82D98CBF7E9E}
    2011-05-25 22:01 . 2011-05-25 22:01 d-----w- c:\users\Waheguru\AppData\Local\{94B83DFF-4AFF-46E7-B094-6045B0DB29B7}
    2011-05-25 10:01 . 2011-05-25 10:01 d-----w- c:\users\Waheguru\AppData\Local\{EDF23964-08E5-48E9-BA44-0E1FDD529D0F}
    2011-05-24 20:07 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2011-05-24 20:03 . 2011-05-24 20:03 d-----w- c:\users\Waheguru\AppData\Local\{BAF0D431-70B0-49E1-8D88-C9AF7FD848B1}
    2011-05-24 04:12 . 2011-05-24 04:12 d-----w- c:\users\Waheguru\AppData\Local\{B4639D00-F6A9-4750-BE3B-4C0CFD9C8AE0}
    2011-05-23 14:33 . 2011-05-23 14:33 d-----w- c:\users\Waheguru\AppData\Local\{39C73132-7B79-453B-BE99-C487AC339FBF}
    2011-05-23 14:32 . 2011-05-23 14:33 d-----w- c:\users\Waheguru\AppData\Local\{F7ECDF79-206A-49E1-AF99-E95220EB43C3}
    2011-05-22 22:53 . 2011-05-22 22:53 d-----w- c:\users\Waheguru\AppData\Local\{52C411F9-958C-4AAB-8B72-61E2B51ADB14}
    2011-05-22 10:53 . 2011-05-22 10:53 d-----w- c:\users\Waheguru\AppData\Local\{C79B251F-9C5E-41AB-AABF-6B477C581F60}
    2011-05-21 19:56 . 2011-05-21 19:56 d-----w- c:\users\Waheguru\AppData\Local\{C54AF86D-D620-4D36-9EE1-16D1603F99E5}
    2011-05-20 20:36 . 2011-05-20 20:36 d-----w- c:\users\Waheguru\AppData\Local\{8E6F507C-89BE-48B5-BB54-E6C1BF8D65EA}
    2011-05-20 02:25 . 2011-05-20 02:25 d-----w- c:\users\Waheguru\AppData\Local\{7B651C26-52B6-4BDD-9EE0-03D89C68653B}
    2011-05-20 02:24 . 2011-05-20 02:25 d-----w- c:\users\Waheguru\AppData\Local\{82E20428-ED15-4BD7-A4DB-3D159B6F4C64}
    2011-05-19 13:55 . 2011-05-19 13:55 d-----w- c:\users\Waheguru\AppData\Local\{536C7959-27BA-4F33-969D-8D2F7F1A33B0}
    2011-05-19 01:33 . 2011-05-19 01:34 d-----w- c:\users\Waheguru\AppData\Local\{C9F2196B-C83B-4C1E-93DA-2B6DF02023B7}
    2011-05-18 21:57 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
    2011-05-18 13:05 . 2011-05-18 13:05 d-----w- c:\users\Waheguru\AppData\Local\{EF3B4EBF-2C56-4E09-A752-D44A5F14D8CF}
    2011-05-18 01:04 . 2011-05-18 01:05 d-----w- c:\users\Waheguru\AppData\Local\{18E63FF4-A273-4CCA-B7C5-0BD8B8BFA968}
    2011-05-18 01:04 . 2011-05-18 01:04 d-----w- c:\users\Waheguru\AppData\Local\{66D21342-740C-45EF-9C24-83AE85CAA951}
    2011-05-17 13:04 . 2011-05-17 13:04 d-----w- c:\users\Waheguru\AppData\Local\{981B5DD2-F3C6-4FC0-ADAF-7EB3A0C78C2A}
    2011-05-17 13:03 . 2011-05-17 13:04 d-----w- c:\users\Waheguru\AppData\Local\{6B2BFDC0-6B9A-4A6E-BC1E-0FC01A11C53F}
    2011-05-17 00:09 . 2011-05-17 00:09 d-----w- c:\users\Waheguru\AppData\Local\{12312B76-3AA9-453A-9204-D764C0588E14}
    2011-05-16 01:20 . 2011-05-16 01:20 d-----w- c:\users\Waheguru\AppData\Local\{1AA3BF9B-9E50-48A6-9AFB-133565580674}
    2011-05-15 02:08 . 2011-05-15 02:09 d-----w- c:\users\Waheguru\AppData\Local\{94958681-CEC3-4553-BEA8-8F59D6B2BD4E}
    2011-05-15 02:08 . 2011-05-15 02:08 d-----w- c:\users\Waheguru\AppData\Local\{8FC48AF5-AFAD-4880-99F7-86CC09AFA26B}
    2011-05-14 13:40 . 2011-05-14 13:40 d-----w- c:\users\Waheguru\AppData\Local\{A2E7AD53-F28D-41F7-ABF2-0271E03F9112}
    2011-05-14 01:01 . 2011-05-14 01:01 d-----w- c:\users\Waheguru\AppData\Local\{38EECC3E-C99D-4C09-8618-B3C7DE8D8780}
    2011-05-14 01:00 . 2011-05-14 01:01 d-----w- c:\users\Waheguru\AppData\Local\{7EE57AC4-9EFA-445D-88C2-BA96BA187544}
    2011-05-13 13:00 . 2011-05-13 13:00 d-----w- c:\users\Waheguru\AppData\Local\{2376EB75-AF49-436F-8AB3-DDCCE10BA205}
    2011-05-13 13:00 . 2011-05-13 13:00 d-----w- c:\users\Waheguru\AppData\Local\{FE407E04-C312-4B81-8633-85834C1A3930}
    2011-05-12 19:27 . 2011-05-12 19:27 d-----w- c:\users\Waheguru\AppData\Local\{AD1773A1-B029-4995-A624-C9AADBFE9565}
    2011-05-12 19:27 . 2011-05-12 19:27 d-----w- c:\users\Waheguru\AppData\Local\{08A65E6C-574C-4AB7-8AF2-DB590325F927}
    2011-05-11 22:59 . 2011-05-11 22:59 d-----w- c:\users\Waheguru\AppData\Local\{63678A97-BBE0-481A-93E1-0A2F3253795B}
    2011-05-11 10:59 . 2011-05-11 10:59 d-----w- c:\users\Waheguru\AppData\Local\{BDBD997B-7517-445B-A808-CC281F8769E9}
    2011-05-11 07:00 . 2011-03-25 03:06 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
    2011-05-11 07:00 . 2011-03-25 03:06 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-05-11 07:00 . 2011-03-25 03:06 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2011-05-11 07:00 . 2011-03-25 03:06 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-05-11 07:00 . 2011-03-25 03:06 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2011-05-11 07:00 . 2011-03-25 03:06 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2011-05-11 07:00 . 2011-03-25 03:06 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
    2011-05-11 07:00 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-05-11 07:00 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-05-10 22:55 . 2011-05-10 22:55 d-----w- c:\program files\IB Questionbank32
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-20 16:47 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-03-12 11:31 . 2011-04-26 23:47 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-05-06 01:53 . 2011-05-06 01:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-03-01 2356088]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "DIMDownloading your update...1285781003180"="c:\program files\Corel\CorelDRAW Graphics Suite X5\Programs\DIM.exe" [2010-01-13 95592]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "LXBTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2007-02-22 73728]
    "lxbtmon.exe"="c:\program files\Lexmark 5200 Series\lxbtmon.exe" [2007-05-03 230320]
    "EzPrint"="c:\program files\Lexmark 5200 Series\ezprint.exe" [2007-05-03 103344]
    "KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2010-08-29 432672]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-07-13 19:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionManager]
    2008-09-19 05:00 87336 ----a-w- c:\program files\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
    2010-04-11 17:14 472112 ----a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
    2009-07-07 18:48 647216 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-08-10 09:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
    2009-10-22 09:59 129584 ----a-w- c:\program files\VMware\VMware Workstation\vmware-tray.exe
    .
    R1 bfkjnrso;bfkjnrso;c:\windows\system32\drivers\bfkjnrso.sys [2011-06-05 41680]
    R1 iauozxvd;iauozxvd;c:\windows\system32\drivers\iauozxvd.sys [2011-06-05 41680]
    R1 mynxmtdr;mynxmtdr;c:\windows\system32\drivers\mynxmtdr.sys [2011-06-05 41680]
    R1 xhkogjle;xhkogjle;c:\windows\system32\drivers\xhkogjle.sys [2011-06-06 41680]
    R2 .EsetTrialReset;Eset Trial Reset;c:\windows\reset.exe [2009-03-20 357182]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-25 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-25 136176]
    R3 USBTINSP;TI-Nspire(TM) Handheld or TI Network Bridge Device Driver;c:\windows\system32\DRIVERS\tinspusb.sys [2010-03-29 122752]
    R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-05-14 731840]
    S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-05-14 38240]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 sesvc;ShadowExplorer Service;c:\program files\ShadowExplorer\sesvc.exe [2010-01-23 9216]
    S2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\Winsim\ConnectionManager\SimplyConnectionManager.exe [2008-09-19 16680]
    S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2009-10-22 70704]
    S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]
    S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2009-05-28 391296]
    S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-02-11 114952]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-08-20 17:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-25 19:10]
    .
    2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-25 19:10]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:62505
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Free YouTube to Mp3 Converter - c:\users\Waheguru\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
    LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
    TCP: Interfaces\{9AFCEF8D-9A92-4BA9-9DE0-B30ED3889941}: NameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Waheguru\AppData\Roaming\Mozilla\Firefox\Profiles\hn3ctsmb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 62505
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{86D60878-C284-4947-22F4-B02DD72FF56A} - (no file)
    HKCU-Run-conhost - c:\users\Waheguru\AppData\Roaming\Microsoft\conhost.exe
    HKLM-Run-joyqhyvlrwo - c:\windows\system32\tpfqslteoliq.dll
    .
    .
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-06-09 18:48:40
    ComboFix-quarantined-files.txt 2011-06-09 22:48
    .
    Pre-Run: 238,599,933,952 bytes free
    Post-Run: 239,643,262,976 bytes free
    .
    - - End Of File - - F338DA8FD2CFB77A79CDDB84DB283524


    HijackThis:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:11:10 PM, on 09/06/2011
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16766)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Lexmark 5200 Series\lxbtmon.exe
    C:\Program Files\Lexmark 5200 Series\ezprint.exe
    C:\Program Files\KeyScrambler\KeyScrambler.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Pure Networks\Network Magic\nmapp.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Waheguru\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxbtmon.exe] "C:\Program Files\Lexmark 5200 Series\lxbtmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5200 Series\ezprint.exe"
    O4 - HKLM\..\Run: [KeyScrambler] C:\Program Files\KeyScrambler\keyscrambler.exe /a
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [DIMDownloading your update...1285781003180] "C:\Program Files\Corel\CorelDRAW Graphics Suite X5\Programs\DIM.exe" "c:\programdata\corel\downloads\540215253_610005\1285781003180\dim_params.xml" -Launch=3 -uibase="c:\users\waheguru\appdata\roaming\corel\messages\540215253_610005\en\messagecache1\workflow"
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Waheguru\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll/206 (file missing)
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFCEF8D-9A92-4BA9-9DE0-B30ED3889941}: NameServer = 192.168.0.1
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Eset Trial Reset (.EsetTrialReset) - Unknown owner - C:\Windows\reset.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: lxbt_device - - C:\Windows\system32\lxbtcoms.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: ShadowExplorer Service (sesvc) - www.shadowexplorer.com - C:\Program Files\ShadowExplorer\sesvc.exe
    O23 - Service: Simply Accounting Database Connection Manager - Sage Software - C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
    O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

    --
    End of file - 10491 bytes


    Any help would be appreciated.

    Thanks
    Bob39
  • edited June 2011
    Bob39 wrote:
    Hi, I did what you suggested in that order, however my internet has stopped working. Before I could use the internet, now it just stopped working completely. According to Windows Network and Sharing Center, I'm connected to an unidentified network, and have no internet access.

    I was able to get the internet to work. I just had to mess around with the TCP/IPv4 settings. However, whenever I start Firefox, a proxy is in use, which doesn't allow me to use the internet. I have to change this by going to Firefox > Options > Options > Advanced > Network > Settings > Use system proxy settings.

    I'm not sure if the proxy was properly deleted from my computer. Everything is working now, it is just a nuisance to have to change the proxy settings each time. I can't get it to stay permanently.

    Any help would once again be appreciated.
  • Tushon (Alexandria, VA, Icrontian)
    edited June 2011
    Make sure to check your network connections for the proxy settings (remove any you find) because Firefox typically draws from your computer's settings.
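    Added example for the reply above (written for this edit; it is not part of the thread and not any poster's own instructions): a PowerShell script that audits the per-user WinINET proxy settings and every Firefox profile's prefs.js/user.js for a loopback proxy like the http=127.0.0.1:62505 entry shown in the ComboFix log above, and removes it. The registry path, the network.proxy.* pref names and the profile folder are standard Windows/Firefox locations; the loopback match pattern and the .bak file name are this example's own choices.

```powershell
# Added example, not from the thread. Run in a normal (non-elevated) PowerShell
# as the affected user: the WinINET proxy values live under HKCU, so an elevated
# prompt under a different account would inspect the wrong hive.
# Assumption: the hijacked value is a loopback proxy (127.0.0.1 / localhost) on a
# machine that runs no legitimate local proxy.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet    = Get-ItemProperty -Path $inetKey

Write-Host "WinINET ProxyEnable  : $($inet.ProxyEnable)"
Write-Host "WinINET ProxyServer  : $($inet.ProxyServer)"
Write-Host "WinINET AutoConfigURL: $($inet.AutoConfigURL)"

# A proxy that points back at the loopback interface is the classic fingerprint of a
# redirector that intercepts browser traffic on the box itself; treat it as hostile.
$loopback = '127\.0\.0\.1|localhost'
if ($inet.ProxyServer -match $loopback) {
    Write-Warning "Loopback proxy found in WinINET settings: $($inet.ProxyServer) - removing"
    Set-ItemProperty    -Path $inetKey -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $inetKey -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
}

# Firefox keeps its own copy of the proxy configuration in prefs.js (and user.js, if
# present) inside each profile. Firefox must be closed while this runs: it rewrites
# prefs.js on exit and would undo the edit.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $profiles -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        foreach ($name in 'prefs.js', 'user.js') {
            $file = Join-Path $_.FullName $name
            if (-not (Test-Path $file)) { continue }

            $lines      = Get-Content $file
            $proxyLines = $lines | Where-Object { $_ -match 'user_pref\("network\.proxy\.' }
            if (-not $proxyLines) { continue }

            Write-Warning "$file carries proxy prefs:"
            $proxyLines | ForEach-Object { Write-Host "  $_" }

            # Keep a copy, then drop every network.proxy.* pref. With none set, Firefox
            # falls back to its default of "use system proxy settings", which is the
            # state the poster has been restoring by hand.
            Copy-Item -Path $file -Destination "$file.bak" -Force
            $lines | Where-Object { $_ -notmatch 'user_pref\("network\.proxy\.' } | Set-Content -Path $file
        }
    }
```

    The script only clears the symptom. If the loopback proxy comes back after a reboot, something still running on the machine is re-writing it, and that is what has to go first. The ComboFix log above lists the kind of entries worth confirming are gone: the conhost.exe under AppData\Roaming\Microsoft, the HKLM Run entry joyqhyvlrwo pointing at tpfqslteoliq.dll, and the four randomly named R1 drivers of identical size (41680 bytes) dated 2011-06-05 and 2011-06-06.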