nod32 win32/olmarik operation memory
11-08-2010, 21:45
Post #1
Hi,

I am using windows 7

Eset Nod32 detects win32 olmarik trojan in the operating memory but it fails to disinfect it.

What should I do?

Please find hijackthis.log attached to this post.

Ta

Quote: Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:37:56 ч., on 11.8.2010 г.
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 173.192.153.178 http://www.123.com
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [lsdefrag] C:\Users\Pavlin\AppData\Local\Temp\oenmcawxsr.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [RMClock] "C:\Program Files\RMClock\RMClockLauncher.exe"
O4 - HKLM\..\Policies\Explorer\Run: [jgyo0w] C:\Users\Pavlin\AppData\Local\Temp\19aqp.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Преведи - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9534BF29-FC95-4B51-B651-9BC10B91FBAE}: NameServer = 8.8.8.8,4.3.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

--
End of file - 6089 bytes
11-08-2010, 22:39
Post #2
Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Microsoft MVP - Consumer Security
Director of Research @ Malwarebytes

11-08-2010, 22:45 (This post was last edited on 11-08-2010 at 22:46 by anex.)
Post #3
Downloaded mbam, scanned and removed found infected items. See below.

Asked me to restart Windows, so that's what I'm gonna do now.

Quote: Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4420

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11.8.2010 г. 21:43:14
mbam-log-2010-08-11 (21-43-14).txt

Scan type: Quick scan
Objects scanned: 137038
Time elapsed: 7 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ZE18MW23GY (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\10DPP6O2VE (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jgyo0w (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
11-08-2010, 22:47
Post #4
Yes, please reboot and also rescan with Hijackthis and post a new HijackThis log.

11-08-2010, 22:55
Post #5
Quote: Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:54:30 ч., on 11.8.2010 г.
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Install\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 173.192.153.178 http://www.123.com
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [RMClock] "C:\Program Files\RMClock\RMClockLauncher.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Преведи - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9534BF29-FC95-4B51-B651-9BC10B91FBAE}: NameServer = 8.8.8.8,4.3.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

--
End of file - 5941 bytes
11-08-2010, 23:03
Post #6
Hi,

* Right-click HijackThis and select to run as administrator.
Click Scan and place a check against each of the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O1 - Hosts: 173.192.153.178 http://www.123.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, as a double-check, open Internet Explorer. In IE: Tools menu -> Internet Options -> Connections tab -> LAN Settings; uncheck "Use a proxy server" and check "Automatically detect settings".

This is because your proxy settings were modified by malware as well.
Post a new HijackThis log in your next reply.

Also, rescan with ESET and let me know if it still detects Olmarik and what file is responsible for this detection (if the detection is still present).
The reason is that the infection you were dealing with may also patch/infect a legitimate system driver, but we'll find out later.

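The review in the post above is done by eye: a proxy pointed at a port on the local machine, a hosts-file entry that is not loopback, an orphaned BHO, and (from the MBAM run) Run entries launching from a Temp directory and from the Policies\Explorer\Run key. The following is an added example, not part of the thread and not code from HijackThis, Malwarebytes or ComboFix: a small Python triage that applies those same rules, plus a check on the O17 NameServer entry and on services whose binary is missing, to HijackThis-style lines. The sample lines are copied from the first log in this thread; the trusted-DNS set (8.8.8.8 and 8.8.4.4), the severity labels and the Temp-directory pattern are assumptions of this example, not something the thread states.

```python
"""Triage of HijackThis-style log lines for the persistence points seen in this thread.

Added example; not part of the thread and not code from HijackThis, MBAM or ComboFix.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the interesting lines from the first log in this thread,
# plus two benign lines (egui, Adobe BHO) so the quiet path is exercised too.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O1 - Hosts: ::1 localhost
O1 - Hosts: 173.192.153.178 http://www.123.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [lsdefrag] C:\Users\Pavlin\AppData\Local\Temp\oenmcawxsr.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [jgyo0w] C:\Users\Pavlin\AppData\Local\Temp\19aqp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9534BF29-FC95-4B51-B651-9BC10B91FBAE}: NameServer = 8.8.8.8,4.3.2.1
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
"""

# Assumption of this example: the resolvers the owner expects on this machine.
DEFAULT_TRUSTED_DNS = frozenset({"8.8.8.8", "8.8.4.4"})
# Matches "\Temp\" and "\AppData\Local\Temp\" inside a Windows path.
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\)?Temp\\", re.IGNORECASE)
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": act on it; "low": explain it before ignoring it
    section: str   # HijackThis section tag, e.g. "O4"
    line: str
    reason: str


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def _check(tag: str, body: str, trusted_dns):
    """Return (severity, reason) for one entry, or None if it looks benign."""
    if tag == "R1" and "ProxyServer" in body:
        value = body.split("=", 1)[1].strip()              # "http=127.0.0.1:6522"
        host = value.rsplit("=", 1)[-1].rsplit(":", 1)[0]  # "127.0.0.1" (IPv4 or hostname only)
        if _is_loopback(host):
            return "high", "proxy points at a port on this host: a local process is relaying browser traffic"
        return "low", "proxy configured; confirm it is intended"
    if tag == "O1" and body.startswith("Hosts:"):
        fields = body[len("Hosts:"):].split()
        if len(fields) >= 2:
            addr, name = fields[0], fields[1]
            if "://" in name:
                return "high", "hosts entry carries a URL scheme; a tool wrote this, not a person"
            if not _is_loopback(addr):
                return "high", f"hosts entry pins {name} to {addr}"
    if tag in ("O2", "O3") and "(no file)" in body:
        return "low", "orphaned browser extension registration"
    if tag == "O4":
        reasons = []
        if "Policies\\Explorer\\Run" in body:
            reasons.append("uses Policies\\Explorer\\Run, rarely set by legitimate software")
        if TEMP_DIR.search(body):
            reasons.append("autorun launches from a Temp directory")
        if reasons:
            return "high", "; ".join(reasons)
    if tag == "O17" and "NameServer" in body:
        servers = body.split("=", 1)[1].replace(" ", "").split(",")
        rogue = [s for s in servers if s and s not in trusted_dns]
        if rogue:
            return "high", "DNS server(s) outside the trusted set: " + ", ".join(rogue)
    if tag == "O23" and "(file missing)" in body:
        return "low", "service registered but its binary is gone; leftover or a removed payload"
    return None


def triage(log_text: str, trusted_dns=DEFAULT_TRUSTED_DNS) -> list:
    """Walk a log and return the entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        tag, body = m.groups()
        verdict = _check(tag, body, trusted_dns)
        if verdict:
            findings.append(Finding(verdict[0], tag, line, verdict[1]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

On the sample this yields five "high" findings (the loopback proxy, the hosts entry for www.123.com, both Temp-launched Run entries and the 4.3.2.1 resolver) and two "low" ones (the file-less BHO and the GameGuard service with a missing binary); the egui, Adobe and "::1 localhost" lines produce nothing. A flag is a lead, not a verdict: the script changes nothing on the machine, and the trusted-DNS set has to be chosen per environment, since a corporate resolver would otherwise be reported as rogue.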
12-08-2010, 00:35
Post #7
ESET didn't report anything.

Quote: Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:17:04 ч., on 11.8.2010 г.
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Install\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [RMClock] "C:\Program Files\RMClock\RMClockLauncher.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Преведи - {60237576-b24c-4ba9-9740-c9f3ec9db557} - C:\PROGRA~1\SkyCode\WEBTRA~1\wt2ie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9534BF29-FC95-4B51-B651-9BC10B91FBAE}: NameServer = 8.8.8.8,4.3.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

--
End of file - 5658 bytes
12-08-2010, 08:48
Post #8
Hi,

Good to hear. How are things now?

12-08-2010, 18:40
Post #9
I Guess I'm cured now?

Thanks
12-08-2010, 19:01
Post #10
Well, at least your computer is cured if you don't notice any problems anymore.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

12-08-2010, 20:34 (This post was last edited on 12-08-2010 at 20:42 by anex.)
Post #11
Thanks again for your time and useful tips.
12-08-2010, 20:36
Post #12
You're most welcome.

12-08-2010, 20:54
Post #13
Didn't know you were a lady.

This is my first time being guided by a lady at all. I am really impressed, you are a real goddess.
12-08-2010, 21:32
Post #14
Haha, thank you.

13-08-2010, 13:25
Post #15
I am unable to run mbam.exe. Have to rename it to mbamm.exe and then it runs ok.

That leads me to the idea that I am still infected, plus I am being redirected to random jump ad sites while trying to reach results from Google.

Please advise goddess.
13-08-2010, 13:29
Post #16
Alright, let's have an extra look.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix...e-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

13-08-2010, 14:49
Post #17
After renaming combofix.exe to a different name.exe I was able to run it.

Here is the log...

Quote: ComboFix 10-08-12.03 - Pavlin 08.2010 г. 13:27:05.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1251.359.1033.18.2046.1340 [GMT 1:00]
Running from: c:\users\Pavlin\Desktop\soft\Combo-Fix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinPCap
c:\users\Pavlin\AppData\Local\{C029F49C-79DC-4CD5-8DF0-D24379FEEB55}
c:\users\Pavlin\AppData\Local\{C029F49C-79DC-4CD5-8DF0-D24379FEEB55}\chrome.manifest
c:\users\Pavlin\AppData\Local\{C029F49C-79DC-4CD5-8DF0-D24379FEEB55}\chrome\content\_cfg.js
c:\users\Pavlin\AppData\Local\{C029F49C-79DC-4CD5-8DF0-D24379FEEB55}\chrome\content\overlay.xul
c:\users\Pavlin\AppData\Local\{C029F49C-79DC-4CD5-8DF0-D24379FEEB55}\install.rdf
c:\windows\system32\klipxm32.dll
c:\windows\system32\out.txt

Infected copy of c:\windows\system32\drivers\iaStorV.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))
.

2010-08-13 12:35 . 2010-08-13 12:36 -------- d-----w- c:\users\Pavlin\AppData\Local\temp
2010-08-13 12:35 . 2010-08-13 12:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-13 12:18 . 2010-08-13 12:19 -------- d-----w- C:\32788R22FWJFW
2010-08-12 19:27 . 2010-08-12 19:28 -------- d-----w- c:\program files\QuickTime
2010-08-12 19:27 . 2010-08-12 19:27 -------- d-----w- c:\programdata\Apple Computer
2010-08-12 19:26 . 2010-08-12 19:26 -------- d-----w- c:\program files\Common Files\Apple
2010-08-12 19:25 . 2010-08-12 19:25 -------- d-----w- c:\program files\Apple Software Update
2010-08-12 18:42 . 2010-08-12 18:42 -------- d-----w- c:\program files\CCleaner
2010-08-11 20:33 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-11 20:33 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-11 19:37 . 2010-08-11 19:37 388096 ----a-r- c:\users\Pavlin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-11 19:15 . 2010-08-11 19:37 -------- d-----w- c:\program files\trend micro
2010-08-11 19:15 . 2010-08-11 19:15 -------- d-----w- C:\rsit
2010-08-11 16:47 . 2010-08-11 16:47 -------- d-----w- c:\users\Pavlin\AppData\Roaming\PC Tools
2010-08-11 16:47 . 2010-08-11 16:47 -------- d-----w- c:\programdata\PC Tools
2010-08-11 14:07 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-08-11 13:26 . 2010-08-11 13:26 -------- d-----w- c:\program files\Common Files\Java
2010-08-11 13:26 . 2010-07-17 04:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-09 23:11 . 2010-08-09 23:11 -------- d-----w- c:\users\Pavlin\AppData\Local\ESET
2010-08-09 22:39 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-08-09 22:39 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-08-09 19:57 . 2010-08-09 19:57 35 ----a-w- c:\users\Pavlin\AppData\Roaming\SetValue.bat
2010-08-09 17:45 . 2010-08-13 12:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-09 16:59 . 2010-08-09 16:59 2848 ----a-w- c:\users\Pavlin\AppData\Local\Ohetutejef.dat
2010-08-09 16:57 . 2010-08-09 16:57 57344 --sha-r- c:\windows\system32\WpdMtpg.dll
2010-08-09 16:56 . 2010-08-13 12:13 -------- d-----w- c:\users\Pavlin\AppData\Roaming\1C5076BBA01C3F73BEB286DEC9A74B75
2010-08-05 21:49 . 2010-08-05 21:49 -------- d-----w- c:\program files\YouTube Downloader
2010-08-01 16:43 . 2010-08-02 03:00 -------- d-----w- c:\users\Pavlin\AppData\Roaming\Workrave
2010-08-01 16:43 . 2010-08-01 16:43 -------- d-----w- c:\program files\Workrave
2010-08-01 01:00 . 2010-08-01 01:03 -------- d-----w- c:\users\Pavlin\AppData\Local\Electronic_Arts_Inc
2010-08-01 01:00 . 2010-08-01 01:00 -------- d-----w- c:\programdata\Electronic Arts
2010-08-01 01:00 . 2010-08-01 01:00 -------- d-----w- c:\program files\Electronic Arts
2010-07-31 22:48 . 2010-07-31 22:48 47364 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-07-31 22:42 . 2010-07-31 22:42 -------- d-----w- c:\program files\StarCraft II
2010-07-31 22:19 . 2010-07-31 22:48 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-31 22:05 . 2010-07-31 22:05 -------- d-----w- c:\program files\Difference World
2010-07-25 15:10 . 2010-07-25 15:10 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2010-07-24 13:36 . 2010-07-24 13:36 -------- d-----w- c:\program files\Panda Security
2010-07-21 16:27 . 2010-07-21 16:28 -------- d-----w- c:\program files\sXe Injected
2010-07-21 08:47 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-07-21 08:46 . 2009-11-25 11:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-07-21 08:46 . 2009-11-25 11:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-07-21 08:46 . 2009-11-25 11:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-07-21 08:46 . 2009-11-25 11:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-07-21 08:46 . 2009-11-25 11:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-07-21 08:45 . 2010-07-21 08:45 -------- d-----w- c:\windows\PCHEALTH
2010-07-21 08:44 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-07-21 08:41 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-07-21 08:41 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-07-21 08:41 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-13 12:14 . 2008-11-23 04:21 -------- d-----w- c:\users\Pavlin\AppData\Roaming\Skype
2010-08-13 12:14 . 2008-11-25 17:10 -------- d-----w- c:\users\Pavlin\AppData\Roaming\uTorrent
2010-08-13 07:01 . 2008-11-23 04:21 -------- d-----w- c:\users\Pavlin\AppData\Roaming\skypePM
2010-08-13 06:49 . 2008-11-25 17:10 -------- d-----w- c:\program files\uTorrent
2010-08-12 18:44 . 2008-11-23 15:18 -------- d-----w- c:\users\Pavlin\AppData\Roaming\Media Player Classic
2010-08-11 17:38 . 2010-08-11 16:47 -------- d-----w- c:\program files\Spyware Doctor
2010-08-11 16:51 . 2010-08-11 16:47 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-11 14:09 . 2008-11-23 13:43 -------- d-----w- c:\programdata\Microsoft Help
2010-08-11 14:07 . 2009-06-29 13:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-11 13:26 . 2009-02-14 02:27 -------- d-----w- c:\program files\Java
2010-08-09 23:12 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-08-09 22:41 . 2008-11-23 13:44 -------- d-----w- c:\program files\Microsoft.NET
2010-08-09 22:03 . 2009-05-23 17:13 -------- d-----w- c:\program files\ESET
2010-08-09 19:57 . 2010-08-09 19:57 691 ----a-w- c:\users\Pavlin\AppData\Roaming\GetValue.vbs
2010-08-07 15:33 . 2010-03-17 12:11 -------- d-----w- c:\users\Pavlin\AppData\Roaming\vlc
2010-08-05 21:51 . 2008-11-23 03:13 -------- d-----w- c:\users\Pavlin\AppData\Roaming\Orbit
2010-07-31 23:22 . 2009-05-07 10:39 -------- d-----w- c:\program files\LogMeIn
2010-07-31 22:42 . 2009-08-13 21:20 67760 ----a-w- c:\users\Pavlin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-31 22:34 . 2010-02-26 22:33 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-31 22:05 . 2009-03-28 08:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-31 11:55 . 2008-12-30 19:43 -------- d-----w- c:\program files\ISOBURN
2010-07-29 06:30 . 2010-08-11 14:06 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 14:06 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-20 20:02 . 2010-04-08 23:27 -------- d-----w- c:\program files\Opera
2010-07-04 18:53 . 2010-07-04 18:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-06-30 06:25 . 2010-08-11 14:06 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 09:37 . 2010-06-22 09:37 2316 ----a-w- c:\programdata\xmlF069.tmp
2010-06-22 09:37 . 2010-06-22 09:37 9798 ----a-w- c:\programdata\xmlEDA9.tmp
2010-06-22 09:37 . 2010-06-22 09:37 13757 ----a-w- c:\programdata\xmlEFDC.tmp
2010-06-22 02:47 . 2010-08-11 14:06 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 14:06 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 14:06 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 17:41 . 2008-12-06 21:32 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-19 06:33 . 2010-08-11 14:06 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 14:06 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 04:07 . 2010-08-11 14:06 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48 . 2010-08-11 14:06 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 14:06 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-09 16:58 . 2009-05-07 10:39 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-09 16:58 . 2009-05-07 10:39 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-08 06:02 . 2010-08-11 14:06 1233920 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 17:06 . 2010-04-20 08:52 2316 ----a-w- c:\programdata\xmlC7.tmp
2010-06-06 17:06 . 2010-04-20 08:52 9521 ----a-w- c:\programdata\xmlFCA0.tmp
2010-06-06 17:06 . 2010-04-20 08:52 13757 ----a-w- c:\programdata\xml2A.tmp
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RMClock"="c:\program files\RMClock\RMClockLauncher.exe" [2008-02-29 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AVer HID Receiver.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AVer HID Receiver.lnk
backup=c:\windows\pss\AVer HID Receiver.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AVerQuick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AVerQuick.lnk
backup=c:\windows\pss\AVerQuick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Player

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-03-17 09:59 3959696 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
2009-02-27 14:04 278016 ----a-w- c:\program files\IVT Corporation\BlueSoleil\BtTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-02-24 02:25 133104 ----atw- c:\users\Pavlin\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-06-04 16:03 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2006-11-11 13:35 43128 ----a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 15:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-11 17:51 8530464 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-11 17:51 81920 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-11-11 17:51 86016 ----a-w- c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\openvpn-gui]
2005-08-18 08:55 99328 ----a-w- c:\program files\OpenVPN\bin\openvpn-gui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-10-02 05:00 1124352 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2009-07-14 01:14 65024 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workrave]
2009-10-25 10:49 3661312 ----a-w- c:\program files\Workrave\lib\Workrave.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EOlmarikFix;EOlmarikFix;c:\users\Pavlin\AppData\Local\Temp\EOlmalikFixer\EOlmarikFix.sys [x]
R3 HexTunnelDevice;Hexago Multi-Virtual Tunnel Adapter;c:\windows\system32\DRIVERS\hextun.sys [2007-12-20 22176]
R3 Normandy;Normandy SR2; [x]
R3 PsSdk41;PsSdk41;c:\windows\system32\Drivers\pssdk41.sys [2009-01-11 36928]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe [2009-08-24 93336]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
R3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\Drivers\SIVX32.sys [2009-05-15 49656]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TAPTUNV6;TAP/TUN IPv6 Adapter;c:\windows\system32\DRIVERS\tunv6.sys [2004-09-08 20352]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-08-05 91472]
R4 gupdate1c98d16c937e410;Google Update Service (gupdate1c98d16c937e410);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 133104]
R4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-08-19 721904]
R4 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-02-11 172328]
S0 BtHidBus;Bluetooth HID Bus Service;c:\windows\System32\Drivers\BtHidBus.sys [2009-01-07 20744]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-29 114984]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2009-08-05 115856]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2009-08-05 41424]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2009-11-10 112592]
S2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2009-02-27 143467]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-29 134024]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-29 810120]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-03-29 96896]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S3 AVerM115S;AVerM115S service;c:\windows\system32\DRIVERS\AVerM115S.sys [2008-05-22 784256]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\Drivers\btnetBus.sys [2008-12-07 30088]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-07-02 26248]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 PsxDrv;PsxDrv;c:\windows\system32\drivers\psxdrv.sys [2009-07-13 9216]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2008-05-22 72704]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2008-05-22 43904]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-05-22 227328]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2009-08-05 99472]


--- Other Services/Drivers In Memory ---

*Deregistered* - gpreertg
.
Contents of the 'Scheduled Tasks' folder

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 13:35]

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 13:35]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1620979307-3027744262-2862402733-1000Core.job
- c:\users\Pavlin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-24 02:25]

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1620979307-3027744262-2862402733-1000UA.job
- c:\users\Pavlin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-24 02:25]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - c:\progra~1\SkyCode\WEBTRA~1\wt2ie.dll
TCP: {9534BF29-FC95-4B51-B651-9BC10B91FBAE} = 8.8.8.8,4.3.2.1
TCP: 2656C6B696E6 = 8.8.8.8
TCP: D616273696161383 = 8.8.8.8
FF - ProfilePath - c:\users\Pavlin\AppData\Roaming\Mozilla\Firefox\Profiles\4ztw3pcl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2405280&SearchSource=13
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll
FF - plugin: c:\users\Pavlin\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Pavlin\AppData\Roaming\Mozilla\Firefox\Profiles\4ztw3pcl.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Axaheneqehexop - c:\users\Pavlin\AppData\Local\oriyusikuno.dll
MSConfigStartUp-dapxbope - c:\users\Pavlin\AppData\Local\kbtuoqokh\nrifirytssd.exe
MSConfigStartUp-DNP - c:\program files\Desktop Notepad\Desktop Notepad.exe
MSConfigStartUp-MChk - c:\windows\system32\jqmcp.exe
MSConfigStartUp-NVIDIA nTune - c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-Prime95 - c:\users\Pavlin\Desktop\temp\prime95.exe
MSConfigStartUp-sta - wqmcp.dll
MSConfigStartUp-Vhojifin - c:\users\Pavlin\AppData\Local\XPIntasr.dll
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-Windows Mobile-based device management - c:\windows\WindowsMobile\wmdcBase.exe
MSConfigStartUp-ZE18MW23GY - c:\users\Pavlin\AppData\Local\Temp\Rpn.exe
AddRemove-Counter-Strike 1.6: New Era - d:\games\cse\uninst.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpreertg]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Eset\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{B91B4988-2671-4C7A-9B84-5FE9E38EDDE0}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.2.42.0"
"UniqueId"="000ADE1E4C607B49"
"ScannerBuild"=dword:00001ab4
"ScannerVersionId"=dword:00001377
"ScannerVersion"="Open window for status."

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMnetLibSaved\VMnetBridge]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-08-13 13:39:21
ComboFix-quarantined-files.txt 2010-08-13 12:39

Pre-Run: 14 937 370 624 bytes free
Post-Run: 14 770 216 960 bytes free

- - End Of File - - 1C9341AE6DE405221DF8E4FA7A131A1F

Additionally I ran mbam again...

Quote: Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4420

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

13.8.2010 г. 13:13:00
mbam-log-2010-08-13 (13-13-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 225574
Time elapsed: 48 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\IVT Corporation\BlueSoleil\Keygen.exe (Trojan.Agent) -> No action taken.
C:\Users\Pavlin\AppData\Local\oriyusikuno.dll (Trojan.Hiloti) -> No action taken.
C:\Users\Pavlin\AppData\Roaming\1C5076BBA01C3F73BEB286DEC9A74B75\secureapp70700.exe (Malware.Packer.Gen) -> No action taken.
13-08-2010, 15:14
Post: #18
RE: nod32 win32/olmarik operation memory
Hi,

I already had the feeling previously that there would still be something there, because this is what I posted previously:

Quote: Also, rescan with Eset and let me know if it still detects Olmarik and what file is responsible for this detection (if detection is still present).
Reason is because the infection you were dealing with may also patch/infect a legitimate system driver - but we'll find out later.
And you were indeed dealing with a patched infected system file. But since your Eset remained quiet and you didn't notice any problems anymore afterwards, I thought it was fixed after all, until today when you started to notice new problems again.

I'm unsure if you also managed to get reinfected with something else on top, because I see malwarebytes suddenly reports some extra malware that wasn't present before, including a keygen. Keep in mind that cracks and keygens are the main reason why people get infected, so I suggest you stay away from that in the future if you would like to keep your system clean.

Anyway, Combofix and Malwarebytes have taken care of the rest now, so you should be OK. But please run an extra scan with Malwarebytes first and select to delete what it found, because the above report shows that no action was taken. Then reboot.

There are also still two files that need to get deleted though.
But I would like to have a sample of them first. We can do this with Combofix, so please do the following:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote:
Collect::[8]
c:\users\Pavlin\AppData\Local\Ohetutejef.dat
c:\windows\system32\WpdMtpg.dll

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Image: CFScript.gif]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-m...?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Microsoft MVP - Consumer Security
Director of Research @ Malwarebytes
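The two files the helper singles out above (a random-named .dat loose in AppData\Local and a hidden+system DLL dropped straight into system32, next to a Roaming folder whose name is a 32-character hex string) stand out in the ComboFix "Files Created" listing because of their location and attribute flags, not because of any signature. The following triage script is an added example for readers of this thread, not code from the thread, from ComboFix or from Malwarebytes. It parses ComboFix-style entries (the sample lines are copied from the log quoted above) and applies three heuristics that are my own assumptions: a file with both the `s` and `h` attribute letters set directly under `c:\windows\system32`, any AppData name that is exactly 32 hex characters, and any loose file sitting directly in the AppData\Local or AppData\Roaming root (the last tier is only "review", since legitimate caches live there too).

```python
import re
from dataclasses import dataclass

# One ComboFix "Files Created" / "Find3M" entry has the shape
#   <created> . <modified> <size or -------- for dirs> <8-char attrs> <path>
# Assumption: in the attribute column 'd' marks a directory, 's' the
# system flag and 'h' the hidden flag (as in "--sha-r-").
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: lines copied from the ComboFix output in this thread.
SAMPLE_LOG = r"""
2010-08-13 12:35 . 2010-08-13 12:36 -------- d-----w- c:\users\Pavlin\AppData\Local\temp
2010-08-11 20:33 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-09 16:59 . 2010-08-09 16:59 2848 ----a-w- c:\users\Pavlin\AppData\Local\Ohetutejef.dat
2010-08-09 16:57 . 2010-08-09 16:57 57344 --sha-r- c:\windows\system32\WpdMtpg.dll
2010-08-09 16:56 . 2010-08-13 12:13 -------- d-----w- c:\users\Pavlin\AppData\Roaming\1C5076BBA01C3F73BEB286DEC9A74B75
2010-07-04 18:53 . 2010-07-04 18:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
"""


@dataclass
class Entry:
    created: str
    size: str
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs


def parse(text: str) -> list:
    """Return the entries found in a block of ComboFix file-listing lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["size"], m["attrs"], m["path"]))
    return entries


def triage(entries: list) -> list:
    """Apply the three location/attribute heuristics; returns (severity, reason, path)."""
    findings = []
    for e in entries:
        parts = e.path.lower().split("\\")
        parent, name = parts[:-1], parts[-1]
        # Rule A: hidden+system file dropped directly into system32 (not a subfolder)
        if not e.is_dir and e.hidden_system and parent == ["c:", "windows", "system32"]:
            findings.append(("high", "hidden+system file directly in system32", e.path))
        # Rule B: 32-hex-character name anywhere under AppData
        if HEX32_RE.match(name) and "appdata" in parent:
            findings.append(("high", "32-hex-character name under AppData", e.path))
        # Rule C: loose file in the AppData\Local or AppData\Roaming root
        if (not e.is_dir and len(parent) >= 2
                and parent[-2] == "appdata" and parent[-1] in ("local", "roaming")):
            findings.append(("review", "loose file in AppData root", e.path))
    return findings


if __name__ == "__main__":
    for severity, reason, path in triage(parse(SAMPLE_LOG)):
        print(f"[{severity:6}] {reason}: {path}")
```

On the sample, the two "high" hits are exactly the WpdMtpg.dll and the hex-named Roaming folder, Ohetutejef.dat lands in the "review" tier, and the hidden+system StaticCache.dat in c:\windows\Fonts and the hidden .Wdf under drivers are left alone. Heuristics like these only shortlist entries for a human; the helper still collected samples before deleting anything, which is the right order.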
13-08-2010, 18:05
Post: #19
RE: nod32 win32/olmarik operation memory
I have uploaded the zipped file [8]-Submit_2010-08-13_16.49.08

Quote: ComboFix 10-08-12.03 - Pavlin 08.2010 г. 16:49:14.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1251.359.1033.18.2046.965 [GMT 1:00]
Running from: c:\users\Pavlin\Desktop\soft\Combo-Fix.exe
Command switches used :: c:\users\Pavlin\Desktop\CFScript.txt
* Created a new restore point

file zipped: c:\users\Pavlin\AppData\Local\Ohetutejef.dat
file zipped: c:\windows\system32\WpdMtpg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Pavlin\AppData\Local\Ohetutejef.dat
c:\windows\system32\WpdMtpg.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))
.

2010-08-13 15:56 . 2010-08-13 15:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-13 15:56 . 2010-08-13 15:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-13 15:47 . 2010-08-13 15:48 -------- d-----w- C:\32788R22FWJFW
2010-08-13 15:44 . 2010-08-13 15:46 -------- d-----w- C:\Combo-Fix24314C
2010-08-13 12:39 . 2010-08-13 15:57 -------- d-----w- c:\users\Pavlin\AppData\Local\temp
2010-08-13 12:19 . 2010-08-13 12:41 -------- d-----w- C:\Combo-Fix
2010-08-12 19:27 . 2010-08-12 19:28 -------- d-----w- c:\program files\QuickTime
2010-08-12 19:27 . 2010-08-12 19:27 -------- d-----w- c:\programdata\Apple Computer
2010-08-12 19:26 . 2010-08-12 19:26 -------- d-----w- c:\program files\Common Files\Apple
2010-08-12 19:25 . 2010-08-12 19:25 -------- d-----w- c:\program files\Apple Software Update
2010-08-12 18:42 . 2010-08-12 18:42 -------- d-----w- c:\program files\CCleaner
2010-08-11 20:33 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-11 20:33 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-11 19:37 . 2010-08-11 19:37 388096 ----a-r- c:\users\Pavlin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-11 19:15 . 2010-08-11 19:37 -------- d-----w- c:\program files\trend micro
2010-08-11 19:15 . 2010-08-11 19:15 -------- d-----w- C:\rsit
2010-08-11 16:47 . 2010-08-11 16:47 -------- d-----w- c:\users\Pavlin\AppData\Roaming\PC Tools
2010-08-11 16:47 . 2010-08-11 16:47 -------- d-----w- c:\programdata\PC Tools
2010-08-11 14:07 . 2010-06-19 06:23 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-08-11 13:26 . 2010-08-11 13:26 -------- d-----w- c:\program files\Common Files\Java
2010-08-11 13:26 . 2010-07-17 04:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-09 23:11 . 2010-08-09 23:11 -------- d-----w- c:\users\Pavlin\AppData\Local\ESET
2010-08-09 22:39 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-08-09 22:39 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-08-09 19:57 . 2010-08-09 19:57 35 ----a-w- c:\users\Pavlin\AppData\Roaming\SetValue.bat
2010-08-09 17:45 . 2010-08-13 12:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-09 16:56 . 2010-08-13 12:13 -------- d-----w- c:\users\Pavlin\AppData\Roaming\1C5076BBA01C3F73BEB286DEC9A74B75
2010-08-05 21:49 . 2010-08-05 21:49 -------- d-----w- c:\program files\YouTube Downloader
2010-08-01 16:43 . 2010-08-02 03:00 -------- d-----w- c:\users\Pavlin\AppData\Roaming\Workrave
2010-08-01 16:43 . 2010-08-01 16:43 -------- d-----w- c:\program files\Workrave
2010-08-01 01:00 . 2010-08-01 01:03 -------- d-----w- c:\users\Pavlin\AppData\Local\Electronic_Arts_Inc
2010-08-01 01:00 . 2010-08-01 01:00 -------- d-----w- c:\programdata\Electronic Arts
2010-08-01 01:00 . 2010-08-01 01:00 -------- d-----w- c:\program files\Electronic Arts
2010-07-31 22:48 . 2010-07-31 22:48 47364 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-07-31 22:42 . 2010-07-31 22:42 -------- d-----w- c:\program files\StarCraft II
2010-07-31 22:19 . 2010-07-31 22:48 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-31 22:05 . 2010-07-31 22:05 -------- d-----w- c:\program files\Difference World
2010-07-25 15:10 . 2010-07-25 15:10 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2010-07-24 13:36 . 2010-07-24 13:36 -------- d-----w- c:\program files\Panda Security
2010-07-21 16:27 . 2010-07-21 16:28 -------- d-----w- c:\program files\sXe Injected
2010-07-21 08:47 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-07-21 08:46 . 2009-11-25 11:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-07-21 08:46 . 2009-11-25 11:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-07-21 08:46 . 2009-11-25 11:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-07-21 08:46 . 2009-11-25 11:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-07-21 08:46 . 2009-11-25 11:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-07-21 08:45 . 2010-07-21 08:45 -------- d-----w- c:\windows\PCHEALTH
2010-07-21 08:44 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-07-21 08:41 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-07-21 08:41 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-07-21 08:41 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-13 15:23 . 2008-11-23 04:21 -------- d-----w- c:\users\Pavlin\AppData\Roaming\Skype
2010-08-13 15:08 . 2008-11-23 04:21 -------- d-----w- c:\users\Pavlin\AppData\Roaming\skypePM
2010-08-13 12:14 . 2008-11-25 17:10 -------- d-----w- c:\users\Pavlin\AppData\Roaming\uTorrent
2010-08-13 06:49 . 2008-11-25 17:10 -------- d-----w- c:\program files\uTorrent
2010-08-12 18:44 . 2008-11-23 15:18 -------- d-----w- c:\users\Pavlin\AppData\Roaming\Media Player Classic
2010-08-11 17:38 . 2010-08-11 16:47 -------- d-----w- c:\program files\Spyware Doctor
2010-08-11 16:51 . 2010-08-11 16:47 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-11 14:09 . 2008-11-23 13:43 -------- d-----w- c:\programdata\Microsoft Help
2010-08-11 14:07 . 2009-06-29 13:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-11 13:26 . 2009-02-14 02:27 -------- d-----w- c:\program files\Java
2010-08-09 23:12 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-08-09 22:41 . 2008-11-23 13:44 -------- d-----w- c:\program files\Microsoft.NET
2010-08-09 22:03 . 2009-05-23 17:13 -------- d-----w- c:\program files\ESET
2010-08-09 19:57 . 2010-08-09 19:57 691 ----a-w- c:\users\Pavlin\AppData\Roaming\GetValue.vbs
2010-08-07 15:33 . 2010-03-17 12:11 -------- d-----w- c:\users\Pavlin\AppData\Roaming\vlc
2010-08-05 21:51 . 2008-11-23 03:13 -------- d-----w- c:\users\Pavlin\AppData\Roaming\Orbit
2010-07-31 23:22 . 2009-05-07 10:39 -------- d-----w- c:\program files\LogMeIn
2010-07-31 22:42 . 2009-08-13 21:20 67760 ----a-w- c:\users\Pavlin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-31 22:34 . 2010-02-26 22:33 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-31 22:05 . 2009-03-28 08:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-31 11:55 . 2008-12-30 19:43 -------- d-----w- c:\program files\ISOBURN
2010-07-29 06:30 . 2010-08-11 14:06 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 14:06 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-20 20:02 . 2010-04-08 23:27 -------- d-----w- c:\program files\Opera
2010-07-04 18:53 . 2010-07-04 18:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-06-30 06:25 . 2010-08-11 14:06 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 09:37 . 2010-06-22 09:37 2316 ----a-w- c:\programdata\xmlF069.tmp
2010-06-22 09:37 . 2010-06-22 09:37 9798 ----a-w- c:\programdata\xmlEDA9.tmp
2010-06-22 09:37 . 2010-06-22 09:37 13757 ----a-w- c:\programdata\xmlEFDC.tmp
2010-06-22 02:47 . 2010-08-11 14:06 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 14:06 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 14:06 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 17:41 . 2008-12-06 21:32 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-19 06:33 . 2010-08-11 14:06 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 14:06 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 04:07 . 2010-08-11 14:06 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48 . 2010-08-11 14:06 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 14:06 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-09 16:58 . 2009-05-07 10:39 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-09 16:58 . 2009-05-07 10:39 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-08 06:02 . 2010-08-11 14:06 1233920 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 17:06 . 2010-04-20 08:52 2316 ----a-w- c:\programdata\xmlC7.tmp
2010-06-06 17:06 . 2010-04-20 08:52 9521 ----a-w- c:\programdata\xmlFCA0.tmp
2010-06-06 17:06 . 2010-04-20 08:52 13757 ----a-w- c:\programdata\xml2A.tmp
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RMClock"="c:\program files\RMClock\RMClockLauncher.exe" [2008-02-29 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AVer HID Receiver.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AVer HID Receiver.lnk
backup=c:\windows\pss\AVer HID Receiver.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AVerQuick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AVerQuick.lnk
backup=c:\windows\pss\AVerQuick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-03-17 09:59 3959696 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
2009-02-27 14:04 278016 ----a-w- c:\program files\IVT Corporation\BlueSoleil\BtTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-02-24 02:25 133104 ----atw- c:\users\Pavlin\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-06-04 16:03 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2006-11-11 13:35 43128 ----a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 15:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-11 17:51 8530464 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-11 17:51 81920 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-11-11 17:51 86016 ----a-w- c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\openvpn-gui]
2005-08-18 08:55 99328 ----a-w- c:\program files\OpenVPN\bin\openvpn-gui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-10-02 05:00 1124352 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2009-07-14 01:14 65024 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workrave]
2009-10-25 10:49 3661312 ----a-w- c:\program files\Workrave\lib\Workrave.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EOlmarikFix;EOlmarikFix;c:\users\Pavlin\AppData\Local\Temp\EOlmalikFixer\EOlmarikFix.sys [x]
R3 HexTunnelDevice;Hexago Multi-Virtual Tunnel Adapter;c:\windows\system32\DRIVERS\hextun.sys [2007-12-20 22176]
R3 Normandy;Normandy SR2; [x]
R3 PsSdk41;PsSdk41;c:\windows\system32\Drivers\pssdk41.sys [2009-01-11 36928]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe [2009-08-24 93336]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
R3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\Drivers\SIVX32.sys [2009-05-15 49656]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TAPTUNV6;TAP/TUN IPv6 Adapter;c:\windows\system32\DRIVERS\tunv6.sys [2004-09-08 20352]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-08-05 91472]
R4 gupdate1c98d16c937e410;Google Update Service (gupdate1c98d16c937e410);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 133104]
R4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-08-19 721904]
R4 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-02-11 172328]
S0 BtHidBus;Bluetooth HID Bus Service;c:\windows\System32\Drivers\BtHidBus.sys [2009-01-07 20744]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-29 114984]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2009-08-05 115856]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2009-08-05 41424]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2009-11-10 112592]
S2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2009-02-27 143467]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-29 134024]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-29 810120]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-03-29 96896]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S3 AVerM115S;AVerM115S service;c:\windows\system32\DRIVERS\AVerM115S.sys [2008-05-22 784256]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\Drivers\btnetBus.sys [2008-12-07 30088]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-07-02 26248]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 PsxDrv;PsxDrv;c:\windows\system32\drivers\psxdrv.sys [2009-07-13 9216]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2008-05-22 72704]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2008-05-22 43904]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-05-22 227328]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2009-08-05 99472]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - RTCORE32
*Deregistered* - gpreertg
*Deregistered* - RTCore32
.
Contents of the 'Scheduled Tasks' folder

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 13:35]

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 13:35]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1620979307-3027744262-2862402733-1000Core.job
- c:\users\Pavlin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-24 02:25]

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1620979307-3027744262-2862402733-1000UA.job
- c:\users\Pavlin\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-24 02:25]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
IE: {{60237576-b24c-4ba9-9740-c9f3ec9db557} - {EAADF17C-B6EA-4511-8549-A67CFD406EAF} - c:\progra~1\SkyCode\WEBTRA~1\wt2ie.dll
TCP: {9534BF29-FC95-4B51-B651-9BC10B91FBAE} = 8.8.8.8,4.3.2.1
TCP: 2656C6B696E6 = 8.8.8.8
TCP: D616273696161383 = 8.8.8.8
FF - ProfilePath - c:\users\Pavlin\AppData\Roaming\Mozilla\Firefox\Profiles\4ztw3pcl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2405280&SearchSource=13
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwmsdrm.dll
FF - plugin: c:\users\Pavlin\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Pavlin\AppData\Roaming\Mozilla\Firefox\Profiles\4ztw3pcl.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpreertg]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Eset\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{B91B4988-2671-4C7A-9B84-5FE9E38EDDE0}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.2.42.0"
"UniqueId"="000ADE1E4C607B49"
"ScannerBuild"=dword:00001ab4
"ScannerVersionId"=dword:00001377
"ScannerVersion"="Open window for status."

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMnetLibSaved\VMnetBridge]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-08-13 17:00:41
ComboFix-quarantined-files.txt 2010-08-13 16:00
ComboFix2.txt 2010-08-13 12:39

Pre-Run: 14 888 759 296 bytes free
Post-Run: 14 839 627 776 bytes free

- - End Of File - - 582EB43B82DCCEFCBA92E8E4968830B9
13-08-2010, 19:23
Post: #20
RE: nod32 win32/olmarik operation memory
Hi,

Thanks for the files.

This looks OK again.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

Microsoft MVP - Consumer Security
Director of Research @ Malwarebytes