Web Browser Opens Up Random Sites?

bp96

Firefox, Internet Explorer and Google Chrome open up random sites which are blank most of the time and have a long URL, but sometimes malicious websites open up which are blocked by WOT in Firefox. The sites usually open up every couple of hours at random times. I've scanned my computer with SuperAntispyware, Avast!, A2 and Malwarebytes. None of them have found anything apart from SuperAntispyware, which keeps on finding tracking cookies in C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies, text files with the word 'ad' in their names. However, the tracking cookies keep on coming back (I don't know if they are the same ones). Any ideas on how to remove this annoying piece of malware?

By the way, I've tried XDelBox/XDelScan but it did not find anything.

My Computer

Computer Manufacturer/Model Number
Sony VAIO VGN-NR11S
OS
Linux Mint with Windows 7 in Virtualbox
CPU
Intel® Core™ 1.5 GHz 2 Duo Processor T5250
Memory
2048 MB (2GB) RAM
Graphics Card(s)
Mobile Intel® Graphics Media Accelerator X3100
Sound Card
Realtek HD Audio
Screen Resolution
1280x800
Internet Speed
10 Mbps
First, uninstall all anti-spyware/malware/virus programs on your computer.

Next, run the Windows Malicious Software Removal Tool.

If that doesn't find anything, then download, install, update, and run Microsoft Security Essentials.

If the last doesn't work, then you may have a new bug and need to do a clean install.

Also, you could try uninstalling all your browsers and reinstalling them and seeing if it was just a fluke.

It could be just ad tracking cookies, but it sounds to me more like a browser hijacker.
Can you download and install HijackThis (HijackThis - Trend Micro USA), run it and save a logfile, then post back with the logfile attached (paperclip icon)?

*WARNING* HijackThis scans your registry, so it's important that you don't delete any random entries with HijackThis. Deleting stuff randomly can and probably will ruin your installation.

I would have suggested that too, but I don't know how to read the log files. :(
 

HijackThis Log:
Code:
 Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:16:15, on 18/01/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Users\Brijesh Patel\Documents\CoreTemp32\Core Temp.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Brijesh Patel\Desktop\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Core Temp] "C:\Users\Brijesh Patel\Documents\CoreTemp32\Core Temp.exe"
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB929842-C69D-49F1-BCF1-183BECE4CD17}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{BB929842-C69D-49F1-BCF1-183BECE4CD17}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{BB929842-C69D-49F1-BCF1-183BECE4CD17}: NameServer = 8.8.8.8,8.8.4.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PskSvcRetailInst - Unknown owner - C:\Users\BRIJES~1\AppData\Local\Temp\ISSCAN\PskSvc.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 6641 bytes
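
HijackThis groups what it finds by section code (R0/R1 IE start and search pages, O2 browser helper objects, O4 Run keys, O10 Winsock LSPs, O17 DNS servers, O23 services), and the value of a log like the one above lies in which entries a reviewer pulls out for a closer look. As an added example that is not from the thread or from Trend Micro, this Python helper parses lines in that shape and flags the usual first-pass checks: entries whose file is gone, auto-starts and services running from a Temp directory, unnamed BHOs, repeated LSP registrations, and DNS servers outside an expected set. The sample lines are constructed from the shape of the posted log with the user directory replaced by a placeholder; `triage`, `Finding` and the heuristics are the example's own, not HijackThis functionality.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not part of HijackThis or of the posts above.
It parses the "Rx - ..." / "Oxx - ..." entry lines and flags the things a
defender reviews first, without deleting anything.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the log posted above (paths shortened,
# user directory replaced with a placeholder).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB929842-C69D-49F1-BCF1-183BECE4CD17}: NameServer = 8.8.8.8,8.8.4.4
O23 - Service: PskSvcRetailInst - Unknown owner - C:\Users\USER~1\AppData\Local\Temp\ISSCAN\PskSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
LSP_RE = re.compile(r"Winsock LSP:\s*(.+)$", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why a triager should look at it
    line: str     # the raw entry (or the LSP path for the aggregated O10 finding)


def parse_entries(log_text):
    """Yield (section, body, raw) for each entry line; the header and the
    'Running processes' list do not match the pattern and are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group(1), m.group(2).strip(), raw


def triage(log_text, expected_dns=frozenset()):
    """Return findings worth a human look. These are heuristics, not verdicts:
    every hit still needs the file's publisher or hash checked before action."""
    findings = []
    lsp_counts = Counter()
    for section, body, raw in parse_entries(log_text):
        # Registry still points at a file that no longer exists: leftover from
        # an uninstall or from a partially removed infection.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "orphaned entry: referenced file is gone", raw))
        # A BHO with no name is loaded into every IE process; identify its DLL.
        if section == "O2" and "(no name)" in body:
            findings.append(Finding(section, "unnamed BHO: identify the DLL's publisher", raw))
        # Legitimate auto-starts and services are not installed under %TEMP%.
        if section in ("O4", "O20", "O23") and TEMP_DIR_RE.search(body):
            findings.append(Finding(section, "auto-start or service runs from a Temp directory", raw))
        # LSPs sit in the network path of every process; count them, report once.
        if section == "O10":
            m = LSP_RE.search(body)
            if m:
                lsp_counts[m.group(1).lower()] += 1
        # DNS servers the machine resolves through; anything outside the
        # expected set can redirect every browser on the box.
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                servers = {s.strip() for s in m.group(1).split(",") if s.strip()}
                unexpected = sorted(servers - set(expected_dns))
                if unexpected:
                    findings.append(Finding(section, f"DNS servers outside expected set: {unexpected}", raw))
    for dll, n in lsp_counts.items():
        findings.append(Finding("O10", f"Winsock LSP registered {n} time(s); confirm the vendor "
                                       "before removing, a broken LSP chain kills networking", dll))
    return findings


if __name__ == "__main__":
    # In this thread the DNS servers are Google Public DNS, so treat them as expected.
    for f in triage(SAMPLE_LOG, expected_dns={"8.8.8.8", "8.8.4.4"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run with the DNS set left empty and the O17 line surfaces as well; the expected set has to come from knowledge of the network, the log cannot supply it.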

ComboFix Log

ComboFix did not help :(
Code:
 ComboFix 10-01-17.04 - Brijesh Patel 18/01/2010  17:41:19.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.2038.971 [GMT 0:00]
Running from: c:\users\Brijesh Patel\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-2000478354-725345543-1003
c:\recycler\S-1-5-21-1482476501-2000478354-725345543-1004
c:\windows\system32\OGACheckControl.dll

.
(((((((((((((((((((((((((   Files Created from 2009-12-18 to 2010-01-18  )))))))))))))))))))))))))))))))
.

2010-01-18 11:09 . 2010-01-18 11:09    --------    d-----w-    C:\RootkitNO
2010-01-18 10:51 . 2010-01-18 10:51    2    --shatr-    c:\windows\winstart.bat
2010-01-18 10:50 . 2010-01-18 11:36    --------    d-----w-    c:\program files\UnHackMe
2010-01-18 08:23 . 2010-01-18 08:23    --------    d-----w-    c:\program files\MSXML 4.0
2010-01-17 12:15 . 2010-01-17 12:19    --------    d-----w-    c:\programdata\Pinnacle VideoSpin
2010-01-17 12:15 . 2010-01-17 12:15    --------    d-----w-    c:\program files\Pinnacle
2010-01-17 12:15 . 2010-01-17 12:15    --------    d-----w-    c:\program files\Common Files\Yahoo!
2010-01-17 12:12 . 2010-01-17 12:12    --------    d-----w-    c:\programdata\Pinnacle
2010-01-17 12:08 . 2010-01-17 12:12    --------    d-----w-    c:\users\Brijesh Patel\AppData\Local\Downloaded Installations
2010-01-16 16:41 . 2010-01-18 11:46    --------    d-----w-    c:\users\Brijesh Patel\eee
2010-01-16 16:24 . 2010-01-16 16:24    476512    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
2010-01-16 16:24 . 2010-01-16 16:24    169312    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
2010-01-16 16:24 . 2010-01-16 16:24    128352    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
2010-01-16 16:24 . 2010-01-16 16:24    111968    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
2010-01-16 16:24 . 2010-01-16 16:24    99680    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
2010-01-16 16:24 . 2010-01-16 16:24    230752    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
2010-01-16 16:24 . 2010-01-16 16:24    111968    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
2010-01-16 16:24 . 2010-01-16 16:24    87392    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
2010-01-16 16:24 . 2010-01-16 16:24    140640    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
2010-01-16 16:24 . 2010-01-16 16:24    120160    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
2010-01-16 16:24 . 2010-01-16 16:24    495616    ----a-w-    c:\programdata\RapidSolution\Tunebite_2009\EncodingBackend\lame_enc.dll
2010-01-16 16:23 . 2010-01-16 16:23    --------    d-----w-    c:\program files\PixiePack Codec Pack
2010-01-16 16:20 . 2010-01-16 16:35    --------    d-----w-    c:\program files\RapidSolution
2010-01-16 16:20 . 2010-01-16 16:20    --------    d-----w-    c:\programdata\RapidSolution
2010-01-16 16:20 . 2010-01-16 16:20    --------    d-----w-    c:\users\Brijesh Patel\AppData\Local\RapidSolution
2010-01-16 15:54 . 2009-12-04 12:01    25704    ----a-w-    c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2010-01-16 15:21 . 2010-01-17 13:52    --------    d-----w-    c:\users\Brijesh Patel\AppData\Local\WMTools Downloaded Files
2010-01-16 15:11 . 2010-01-16 15:11    --------    d-----w-    c:\program files\Movie Maker 2.6
2010-01-16 15:08 . 2010-01-16 15:07    38784    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-16 15:08 . 2010-01-16 15:07    38784    ----a-w-    c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-16 15:08 . 2010-01-16 15:08    --------    d-----w-    c:\program files\Common Files\Adobe AIR
2010-01-16 12:10 . 2010-01-16 13:59    --------    d-----w-    c:\program files\PowerMenu
2010-01-13 18:52 . 2010-01-13 18:52    --------    d-----w-    c:\program files\Lavasoft
2010-01-13 16:46 . 2010-01-13 16:46    6944624    ----a-w-    c:\programdata\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
2010-01-13 16:44 . 2010-01-13 16:46    --------    d-----w-    c:\programdata\Lavasoft
2010-01-13 15:53 . 2010-01-13 17:16    --------    d-----w-    c:\program files\FreeTime
2010-01-13 15:53 . 2009-10-19 14:10    108544    ----a-w-    c:\windows\system32\t2embed.dll
2010-01-13 15:53 . 2009-10-19 14:10    70656    ----a-w-    c:\windows\system32\fontsub.dll
2010-01-11 20:05 . 2010-01-11 20:05    37920    ----a-w-    c:\windows\system32\drivers\tbhsd.sys
2010-01-11 16:30 . 2010-01-11 16:32    --------    d-----w-    c:\users\Brijesh Patel\AppData\Local\Adobe
2010-01-10 12:39 . 2010-01-10 12:39    --------    d-----w-    c:\program files\Common Files\logishrd
2010-01-10 12:09 . 2009-11-24 23:49    48560    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2010-01-10 12:09 . 2009-11-24 23:48    23120    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2010-01-10 12:08 . 2009-11-24 23:50    114768    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2010-01-10 12:08 . 2009-11-24 23:50    20560    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2010-01-10 12:08 . 2009-11-24 23:47    97480    ----a-w-    c:\windows\system32\AvastSS.scr
2010-01-10 12:08 . 2009-11-24 23:54    1280480    ----a-w-    c:\windows\system32\aswBoot.exe
2010-01-10 12:08 . 2009-11-24 23:49    53328    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2010-01-10 12:02 . 2010-01-10 12:03    --------    d-----w-    c:\windows\$regcmp$
2010-01-10 09:10 . 2010-01-07 16:07    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-10 09:10 . 2010-01-10 09:10    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-01-10 09:10 . 2010-01-07 16:07    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-01-09 16:55 . 2010-01-09 16:55    --------    d-----w-    c:\programdata\F-Secure
2010-01-09 15:46 . 2010-01-09 15:47    --------    d-----w-    C:\SDFix
2010-01-09 15:30 . 2010-01-10 11:51    13896    ----a-w-    c:\windows\system32\drivers\hitmanpro35.sys
2010-01-09 15:29 . 2010-01-09 15:33    --------    d-----w-    c:\programdata\Hitman Pro
2010-01-09 15:29 . 2010-01-09 15:29    --------    d-----w-    c:\program files\Hitman Pro 3.5
2010-01-09 14:26 . 2010-01-09 14:28    --------    d-sh--w-    c:\users\Brijesh Patel\.COMMgr
2010-01-03 16:26 . 2008-01-21 07:54    485376    ----a-w-    c:\windows\system32\mspaint.exe
2010-01-01 13:14 . 2010-01-01 13:15    --------    d-----w-    c:\program files\SpeedBit Video Accelerator
2009-12-24 13:24 . 2009-12-24 13:24    --------    d-----w-    c:\programdata\Sony Corporation
2009-12-24 11:58 . 2009-12-24 12:01    --------    d-----w-    c:\users\Brijesh Patel\AppData\Roaming\ImgBurn
2009-12-24 11:38 . 2009-12-24 11:38    --------    d-----w-    c:\program files\ImgBurn
2009-12-22 13:53 . 2009-12-22 13:53    --------    d-----w-    c:\users\Brijesh Patel\AppData\Local\Yahoo
2009-12-22 13:53 . 2009-12-22 13:53    --------    d-----w-    c:\users\Brijesh Patel\AppData\Roaming\Yahoo!
2009-12-22 13:43 . 2009-12-22 13:43    --------    d-----w-    c:\programdata\Yahoo!
2009-12-22 13:43 . 2009-11-10 16:08    607544    ----a-w-    c:\programdata\Yahoo!\YUpdater\yupdater.exe
2009-12-22 13:40 . 2009-12-22 13:43    --------    d-----w-    c:\program files\Yahoo!

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 10:50 . 2009-10-24 17:44    --------    d-----w-    c:\program files\Java
2010-01-18 09:03 . 2009-10-24 17:30    117760    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-17 17:53 . 2009-10-24 18:30    115096    ----a-w-    c:\users\Other Users\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-17 17:46 . 2009-10-25 17:43    --------    d-----w-    c:\users\Brijesh Patel\AppData\Roaming\vlc
2010-01-17 12:19 . 2009-10-24 16:54    115096    ----a-w-    c:\users\Brijesh Patel\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-14 16:52 . 2009-10-24 17:28    --------    d-----w-    c:\program files\Common Files\Wise Installation Wizard
2010-01-13 16:15 . 2009-12-18 08:53    52224    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-13 16:13 . 2009-12-05 21:21    --------    d-----w-    c:\program files\a-squared Free
2010-01-13 15:58 . 2009-10-25 07:38    --------    d-----w-    c:\programdata\Microsoft Help
2010-01-10 15:08 . 2009-10-26 17:07    --------    d-----w-    c:\programdata\SpeedBit
2010-01-10 14:56 . 2009-10-24 17:47    --------    d-----w-    c:\program files\Mp3tag
2010-01-10 14:55 . 2009-10-24 17:47    --------    d-----w-    c:\users\Brijesh Patel\AppData\Roaming\Mp3tag
2010-01-10 13:01 . 2010-01-10 12:39    0    ----a-w-    c:\windows\system32\drivers\lvuvc.hs
2010-01-09 21:33 . 2009-12-10 08:10    --------    d-----w-    c:\program files\SpywareBlaster
2010-01-09 13:51 . 2009-10-24 17:52    --------    d-----w-    c:\program files\AviSynth 2.5
2010-01-03 12:38 . 2009-07-13 23:40    249856    ----a-w-    c:\windows\system32\uxtheme.dll
2010-01-03 12:38 . 2009-07-13 23:39    2755072    ----a-w-    c:\windows\system32\themeui.dll
2010-01-03 12:38 . 2009-07-13 23:39    37376    ----a-w-    c:\windows\system32\themeservice.dll
2009-12-30 10:35 . 2009-10-24 17:15    --------    d-----w-    c:\program files\BatteryBar
2009-12-30 10:35 . 2009-10-24 17:16    --------    d-----w-    c:\users\Brijesh Patel\AppData\Roaming\BatteryBar
2009-12-26 15:01 . 2009-10-24 17:37    --------    d-----w-    c:\program files\Google
2009-12-24 18:29 . 2009-10-25 16:01    --------    d-----w-    c:\program files\Sony
2009-12-24 13:24 . 2009-10-25 16:28    --------    d--h--w-    c:\program files\InstallShield Installation Information
2009-12-19 14:31 . 2009-10-24 18:03    --------    d-----w-    c:\program files\The KMPlayer
2009-12-18 16:35 . 2009-12-18 16:34    --------    d-----w-    c:\program files\QuickTime
2009-12-18 16:34 . 2009-12-18 16:34    --------    d-----w-    c:\programdata\Apple Computer
2009-12-16 20:12 . 2009-11-16 18:20    --------    d-----w-    c:\users\Brijesh Patel\AppData\Roaming\ICAClient
2009-12-12 10:18 . 2009-12-12 10:18    --------    d-----w-    c:\program files\Gameloft
2009-12-11 17:42 . 2009-12-11 17:42    0    ----a-w-    c:\programdata\RapidSolution\GUIcommon.dll
2009-12-11 15:59 . 2009-12-11 15:59    --------    d-----w-    c:\program files\ThreatFire
2009-12-11 15:59 . 2009-12-11 15:59    --------    d-----w-    c:\programdata\PC Tools
2009-12-04 19:00 . 2009-12-04 19:00    --------    d-----w-    c:\users\Brijesh Patel\AppData\Roaming\Ashampoo
2009-11-29 15:18 . 2009-11-29 15:18    444952    ----a-w-    c:\windows\system32\wrap_oal.dll
2009-11-29 15:18 . 2009-11-29 15:18    --------    d-----w-    c:\program files\OpenAL
2009-11-29 15:18 . 2009-11-29 15:18    109080    ----a-w-    c:\windows\system32\OpenAL32.dll
2009-11-28 17:11 . 2009-11-28 17:11    138240    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-11-28 17:11 . 2009-11-28 17:11    138240    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-11-28 17:11 . 2009-11-28 17:11    138240    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-11-28 17:11 . 2009-11-28 17:11    138240    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-11-28 17:11 . 2009-10-29 10:24    --------    d-----w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab
2009-11-28 13:14 . 2009-11-28 13:01    --------    d-----w-    c:\program files\Opera
2009-11-26 19:14 . 2009-11-26 19:14    --------    d-----w-    c:\program files\Auslogics
2009-11-26 17:15 . 2009-11-26 17:15    --------    d-----w-    c:\program files\Citrix
2009-11-23 12:49 . 2009-12-11 15:59    59664    ----a-w-    c:\windows\system32\drivers\TfSysMon.sys
2009-11-23 12:49 . 2009-12-11 15:59    33552    ----a-w-    c:\windows\system32\drivers\TfNetMon.sys
2009-11-23 12:49 . 2009-12-11 15:59    51984    ----a-w-    c:\windows\system32\drivers\TfFsMon.sys
2009-11-17 07:45 . 2009-11-17 07:45    247296    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_d_ind.dll
2009-11-17 07:45 . 2009-11-17 07:45    247296    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_c_ind.dll
2009-11-17 07:45 . 2009-11-17 07:45    247296    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_b_ind.dll
2009-11-17 07:45 . 2009-11-17 07:45    247296    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_a_ind.dll
2009-11-15 08:53 . 2009-11-15 08:53    20480    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\LimeWire\browser\xulrunner\components\autoconfig.dll
2009-11-15 08:53 . 2009-11-15 08:53    18944    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\LimeWire\browser\xulrunner\components\appshell_modal.dll
2009-11-15 08:53 . 2009-11-15 08:53    17408    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\LimeWire\browser\xulrunner\components\auth.dll
2009-11-15 08:53 . 2009-11-15 08:53    8192    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\LimeWire\browser\xulrunner\AccessibleMarshal.dll
2009-11-15 08:53 . 2009-11-15 08:53    20480    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\LimeWire\browser\xulrunner\IA2Marshal.dll
2009-11-02 20:42 . 2009-12-13 18:33    195456    ------w-    c:\windows\system32\MpSigStub.exe
2009-10-29 10:24 . 2009-10-29 10:24    247296    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_9_0_d_ind.dll
2009-10-29 10:24 . 2009-10-29 10:24    247296    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_9_0_c_ind.dll
2009-10-29 10:24 . 2009-10-29 10:24    247296    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_9_0_b_ind.dll
2009-10-29 10:24 . 2009-10-29 10:24    247296    ----a-w-    c:\users\Brijesh Patel\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_9_0_a_ind.dll
2009-10-29 07:22 . 2009-11-24 19:19    2048    ----a-w-    c:\windows\system32\tzres.dll
2009-10-25 13:53 . 2009-10-25 13:53    720896    ----a-w-    c:\windows\iun6002.exe
2009-10-24 17:13 . 2009-10-24 17:13    0    ----a-w-    c:\windows\nsreg.dat
2009-06-10 21:26 . 2009-07-14 02:04    9633792    --sha-r-    c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42    396800    --sha-w-    c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="c:\users\Brijesh Patel\Documents\CoreTemp32\Core Temp.exe" [2009-10-24 378384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-06-10 118784]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-11-23 378128]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21    548352    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Brijesh Patel^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerMenu.lnk]
path=c:\users\Brijesh Patel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerMenu.lnk
backup=c:\windows\pss\PowerMenu.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08    35696    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-11 17:15    173592    ----a-w-    c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-11 17:15    141848    ----a-w-    c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 16:07    1394000    ----a-w-    c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 15:39    5244216    ----a-w-    c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-11 17:15    150552    ----a-w-    c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08    417792    ----a-w-    c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-06-26 00:39    4489216    ----a-w-    c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-06-26 00:39    1826816    ----a-w-    c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 04:17    149280    ----a-w-    c:\program files\Java\jre6\bin\jusched.exe

R0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys [11/12/2009 15:59 51984]
R0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys [11/12/2009 15:59 59664]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [10/01/2010 12:08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 20:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 20:24 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [05/12/2009 21:21 1858144]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [10/01/2010 12:08 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [10/01/2010 12:08 53328]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [26/10/2009 17:57 6000640]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 20:24 7408]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [03/08/2007 5:36 9344]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\System32\drivers\VSTAZL3.SYS [13/07/2009 22:13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [13/07/2009 22:13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [13/07/2009 22:13 661504]
R3 TfNetMon;TfNetMon;c:\windows\System32\drivers\TfNetMon.sys [11/12/2009 15:59 33552]
R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [24/10/2009 16:13 812544]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\System32\drivers\WsAudio_DeviceS(1).sys [16/01/2010 15:54 25704]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\System32\drivers\yk62x86.sys [13/07/2009 22:02 311296]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [24/10/2009 17:37 133104]
S2 PskSvcRetailInst;PskSvcRetailInst;c:\users\BRIJES~1\AppData\Local\Temp\ISSCAN\PskSvc.exe --> c:\users\BRIJES~1\AppData\Local\Temp\ISSCAN\PskSvc.exe [?]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - Partizan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 16:32    8192    ----a-w-    c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 17:37]

2010-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 17:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
TCP: {BB929842-C69D-49F1-BCF1-183BECE4CD17} = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Brijesh Patel\AppData\Roaming\Mozilla\Firefox\Profiles\5xaz82fm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.google.co.uk/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-BCSSync - c:\program files\Microsoft Office\Office14\BCSSync.exe
MSConfigStartUp-GrooveMonitor - c:\progra~1\MIF5BA~1\Office14\GROOVEMN.EXE



**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x859A0841]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
 SecurityProcedure -> 0x84cade88
 QueryNameProcedure -> 0x84cad018
user & kernel MBR OK 

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,1c,11,cd,36,a4,8e,4f,aa,c8,da,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,1c,11,cd,36,a4,8e,4f,aa,c8,da,\

[HKEY_USERS\S-1-5-21-496605846-828089313-3777899986-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\I*m*p*o*r*t*e*d* \BBC]
"Order"=hex:08,00,00,00,02,00,00,00,dc,02,00,00,01,00,00,00,05,00,00,00,92,00,
   00,00,00,00,00,00,84,00,32,00,cd,00,00,00,00,bf,f7,e9,20,00,42,42,43,2d,42,\

[HKEY_USERS\S-1-5-21-496605846-828089313-3777899986-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\I*m*p*o*r*t*e*d* \Bookmarks bar]
"Order"=hex:08,00,00,00,02,00,00,00,9c,05,00,00,01,00,00,00,0d,00,00,00,7e,00,
   00,00,00,00,00,00,70,00,32,00,cd,00,00,00,00,61,f6,a9,20,00,43,41,4c,4c,4f,\

[HKEY_USERS\S-1-5-21-496605846-828089313-3777899986-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\I*m*p*o*r*t*e*d* \Other]
"Order"=hex:08,00,00,00,02,00,00,00,6c,00,00,00,01,00,00,00,01,00,00,00,60,00,
   00,00,00,00,00,00,52,00,31,00,00,00,00,00,00,9e,10,65,10,00,45,79,65,73,69,\

[HKEY_USERS\S-1-5-21-496605846-828089313-3777899986-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\I*m*p*o*r*t*e*d* \Other\Eyesight]
"Order"=hex:08,00,00,00,02,00,00,00,dc,07,00,00,01,00,00,00,0a,00,00,00,bc,00,
   00,00,00,00,00,00,ae,00,32,00,cd,00,00,00,00,90,52,a8,20,00,41,4e,44,52,45,\

[HKEY_USERS\S-1-5-21-496605846-828089313-3777899986-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\I*m*p*o*r*t*e*d* \PC]
"Order"=hex:08,00,00,00,02,00,00,00,bc,0e,00,00,01,00,00,00,16,00,00,00,c6,00,
   00,00,14,00,00,00,b8,00,32,00,cd,00,00,00,00,57,89,8c,20,00,5f,54,4f,4f,4c,\

[HKEY_USERS\S-1-5-21-496605846-828089313-3777899986-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\I*m*p*o*r*t*e*d* \PSP]
"Order"=hex:08,00,00,00,02,00,00,00,b2,00,00,00,01,00,00,00,01,00,00,00,a6,00,
   00,00,00,00,00,00,98,00,32,00,cd,00,00,00,00,e4,b4,8c,20,00,47,41,4d,45,57,\

[HKEY_USERS\S-1-5-21-496605846-828089313-3777899986-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\I*m*p*o*r*t*e*d* \YouTube]
"Order"=hex:08,00,00,00,02,00,00,00,7c,03,00,00,01,00,00,00,06,00,00,00,82,00,
   00,00,00,00,00,00,74,00,32,00,cd,00,00,00,00,b3,13,9e,20,00,42,45,53,54,59,\

[HKEY_USERS\S-1-5-21-496605846-828089313-3777899986-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\O*t*h*e*r* \Eyesight]
"Order"=hex:08,00,00,00,02,00,00,00,dc,07,00,00,01,00,00,00,0a,00,00,00,bc,00,
   00,00,00,00,00,00,ae,00,32,00,cd,00,00,00,00,5a,9b,20,20,00,41,4e,44,52,45,\

[HKEY_USERS\S-1-5-21-496605846-828089313-3777899986-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\P*C* ]
@Allowed: (Read) (RestrictedCode)
@SACL=(02 0001)
"Order"=hex:08,00,00,00,02,00,00,00,0e,0f,00,00,01,00,00,00,16,00,00,00,a2,00,
   00,00,03,00,00,00,94,00,32,00,cd,00,00,00,00,42,cf,5e,20,00,41,44,42,4c,4f,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\ThreatFire\TFWAH.dll
c:\windows\system32\MPR.dll

- - - - - - - > 'lsass.exe'(540)
c:\program files\SpeedBit Video Accelerator\Accelerator.dll
c:\program files\SpeedBit Video Accelerator\CommPipe.dll
c:\program files\SpeedBit Video Accelerator\Collector.dll
c:\program files\ThreatFire\TFWAH.dll
c:\windows\system32\psbase.dll
.
Completion time: 2010-01-18  18:01:18
ComboFix-quarantined-files.txt  2010-01-18 18:01

Pre-Run: 123,391,926,272 bytes free
Post-Run: 123,737,174,016 bytes free

- - End Of File - - 1075F4874AF0E2C1274270529424340C
 
Can you please put tags around the log:
HTML:
[CODE] your log [/CODE]



Looks fine to me... :thumbsup:

But wait for the response of the more experienced users with HijackThis logs.

P.S. You are using Google DNS?
 

My Computer

OS
Windows 7 Ultimate x86 SP1
Looks like you've been running quite a few different scans lately hey?
There's nothing too suspicious in there.
(although I'm still not too sure about the three similar entries like this one: O17 - HKLM\System\CCS\Services\Tcpip\..\{BB929842-C69D-49F1-BCF1-183BECE4CD17}: NameServer = 8.8.8.8,8.8.4.4
Perhaps just something to do with Google products?)

Anyway, Do a full system scan in safe mode with MalwareBytes Antimalware, then SuperAntiSpyware just to be sure. Reboot, then download and install CCleaner. Run CCleaner, then run the registry scan and clean with it. Repeat the registry scan until either there are no entries found, or there is only 1.

The following are unnecessary entries and can be fixed with HJT:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
 

My Computer

OS
XP Pro/Vista Ultimate (64)/Windows 7 Ultimate Signature Edition(64)
CPU
Core 2 Duo E8500 @ stock
Motherboard
Gigabyte EP45-UD3R
Memory
8Gb (4 X 2Gb) Corsair Dominator 1066Mhz DDR2
Graphics Card(s)
XFX ATI Radeon 4870 1Gb
Sound Card
Onboard 7.1
Monitor(s) Displays
BenQ E2200Hd, Asus VW161D, HP L1506
Screen Resolution
1920 X 1080
Hard Drives
Seagate 7200.12 500Gb
2 X Hitachi 1Tb
PSU
CoolerMaster 650 EPD
Case
Thermaltake
Cooling
2 X Noctua 120mm's, Stock Intel
Keyboard
Logitech
Mouse
Logitech
@jav
Yes, I am using Google DNS. Should I disable it?
@Zen00
Windows Malicious Software Removal Tool did not detect anything and neither did Microsoft Security Essentials.
 

Oh, forgot to mention... If you're using the free version of SuperAntiSpyware, you can stop it from loading at system startup as it's not a real-time scanner. The settings to turn it off are somewhere in SAS, or you can just use CCleaner, Tools - Startup - Disable ;)
Then just use it "on demand" after updating.
 

(although I'm still not too sure about the three similar entries like this one: O17 - HKLM\System\CCS\Services\Tcpip\..\{BB929842-C69D-49F1-BCF1-183BECE4CD17}: NameServer = 8.8.8.8,8.8.4.4
Perhaps just something to do with Google products?)

Google DNS...

@jav
yes, i am using google dns- should i disable it?

No need, I asked just to make sure.
 

I did a quick whois lookup shortly after posting that, but I'm glad you confirmed it as safe :)
HJT looked clean to me too, but with all of the security products that he has installed, I figured it'd be best to run a couple of scans in safe mode in case they're conflicting or hiding things.
Tried to rep you by the way, but I need to spread more around first, so I owe you one ;)
 

Actually I don't think you have a problem with malware on your system.

In my opinion it's just pop-ups. (Do they happen when you open new pages, or navigate?)
It seems that some of the sites you visit regularly have too many popups; it doesn't necessarily mean that the site is malicious. It may be just free hosting and pop-up ads.

I did a quick whois lookup shortly after posting that, but I'm glad you confirmed it as safe :)
HJT looked clean to me too, but with all of the security products that he has installed, I figured it'd be best to run a couple of scans in safe mode in case they're conflicting or hiding things.
Tried to rep you by the way, but I need to spread more around first, so I owe you one ;)

With your knowledge, soon I will owe you one ;)
 

The popups open up when I just navigate. They don't happen when I stay on a certain webpage for a certain amount of time, like watching a 10 minute video, then watching another video afterwards etc. BTW, why are some of the popups said to be malicious and blocked by WOT? If I get a popup again, I'll post a screenshot.
 

As I said, it's not a problem with malware on your system.
It is a problem with those sites; they have too many popups.
Mainly the popups are used for advertising, but they might be malicious as well; that's why they are blocked sometimes.
 

Hi!

First, uninstall all anti-spyware/malware/virus programs on your computer.

Next run the Windows Malicious Software Removal Tool

If that doesn't find anything, then download, install, update, and run the Microsoft Security Essentials

If the last doesn't work, then you may have a new bug and need to do a clean install.

Also you could try uninstalling all your browsers and reinstalling them and seeing if it was just a fluke.

Why uninstall all anti-spyware/malware/virus programs???
If he has scanned with several programs including a2 & MBAM, and nothing was found, then most probably the computer is clean....
Sure he can run MRT (and MSE), but that doesn't mean he has to uninstall anything, does it?
If there are any conflicts, then just temporarily disable those resident scanners.
I have e.g. Avira, MSE & Avast installed but disabled; at the moment I'm just running a2,
as I wanted to see if there are any differences in performance.

I'm running W7, and since you e.g. can't rename Avira's folders and also can't disable
its processes in Services when it's running, I used a little trick: I rebooted and started Vista, then I renamed their folders so they don't start.

Regarding those blank windows, I also get a few of them when I visit some websites with a lot of popups/ads.
Since I'm using both a2's website blocking and a HOSTS file, I also get an error message from Firefox saying that it can't connect to those URLs.

So this most probably has nothing to do with any malware.
 

My Computer

Computer Manufacturer/Model Number
Dell
OS
W7-Enterprise + WS-2008 (Converted to Workstation)
CPU
P4 2,4GHz (at 1,8GHz, "slow" RDRAM, only 400MHz FSB...)
Motherboard
Intel 850E
Memory
2GB
Graphics Card(s)
NVIDIA QUADRO2 PRO 64MB
Sound Card
Yes
Monitor(s) Displays
Dell 1702FP
Screen Resolution
1280x1024
Hard Drives
Yes
PSU
Yes
Case
Yes
Cooling
Yes
Keyboard
Yes
Mouse
Yes, and i also have Cats...
Internet Speed
University: 100 MBit/s, Home: UMTS 7,2 MBit/s
Other Info
W7 on a DINOSAUR: P2 with 266MHz CPU & 160MB RAM
You could either find an alternative, clean site with fewer pop-ups, try using a pop-up blocker (which I wouldn't recommend, you already have enough running!) or try blocking your cookies.
Here's a decent write up on how to block in IE, and another for Firefox.
Something else you might like to try is creating your own blocklist. All you'd need to do is go through your security product logfiles (MBAM works well for this) and find the tracking cookies. Using the two links above, add each website to your blocklist.
 

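Building the blocklist suggested in the post above can be scripted. The example below is added here and is not from the thread. Internet Explorer names each cookie file `<user>@<host>[<n>].txt`, so the host can be read straight from the file names the original post mentions; the sample file names and the sample hosts-file text are constructed with reserved example domains. The script extracts the hosts, optionally keeps only names containing a substring such as `ad` to mirror the original observation, and merges them into hosts-file text as `0.0.0.0` entries without duplicating lines already present.

```python
"""Turn tracking-cookie file names into HOSTS-file block entries.

Added example, not from the thread. Internet Explorer stores each cookie as
"<user>@<host>[<n>].txt", so the host comes straight from the file name. The
cookie names and hosts-file text below are constructed with reserved example
domains; nothing here touches the real hosts file.
"""
import re

# "<user>@<host>[1].txt": the host is the run of label characters after '@'.
COOKIE_NAME_RE = re.compile(r"^[^@]+@([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)")

SAMPLE_COOKIE_FILES = [          # constructed, not the poster's real files
    "brijesh@ads.example.net[1].txt",
    "brijesh@ads.example.net[2].txt",
    "brijesh@adserver.example.org[1].txt",
    "brijesh@www.example.com[1].txt",
    "index.dat",                 # not a cookie; must be ignored
]

SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
0.0.0.0 adserver.example.org
"""


def cookie_host(filename):
    """Host named by one IE cookie file, lower-cased, or None if not a cookie."""
    m = COOKIE_NAME_RE.match(filename)
    return m.group(1).lower() if m else None


def cookie_hosts(filenames, keyword=None):
    """Distinct hosts from a list of cookie file names.

    keyword is a crude substring filter (the original post noticed names
    containing 'ad'); it also matches unrelated hosts, so review the result.
    """
    hosts = set()
    for name in filenames:
        host = cookie_host(name)
        if host and (keyword is None or keyword in host):
            hosts.add(host)
    return hosts


def blocked_hosts(hosts_text):
    """Hostnames already mapped in hosts-file text (comments stripped)."""
    blocked = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            blocked.update(f.lower() for f in fields[1:])
    return blocked


def merge_hosts(hosts_text, hosts):
    """Return (new_text, added): hosts_text plus 0.0.0.0 lines for new hosts.

    0.0.0.0 rather than 127.0.0.1 so blocked lookups fail without a connection
    attempt to the local machine.
    """
    already = blocked_hosts(hosts_text)
    added = sorted(h for h in hosts if h not in already and h != "localhost")
    if not added:
        return hosts_text, []
    text = hosts_text if hosts_text.endswith("\n") else hosts_text + "\n"
    text += "# added from tracking-cookie file names\n"
    text += "".join(f"0.0.0.0 {h}\n" for h in added)
    return text, added


if __name__ == "__main__":
    new_text, added = merge_hosts(SAMPLE_HOSTS, cookie_hosts(SAMPLE_COOKIE_FILES, keyword="ad"))
    print(new_text)
```

The script returns text rather than writing it; on Windows the file is C:\Windows\System32\drivers\etc\hosts and needs an elevated editor. A hosts entry blocks only that exact hostname, so ad networks that rotate subdomains get through. Note also that the cookies named in the first post sit under C:\Windows\System32\config\systemprofile, the LocalSystem account's profile, which means something running under that account is fetching web content through WinINet; identifying that process tells you more than the cookie names do.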
I don't think I'll need to do that because I am using SpywareBlaster which should have taken care of it.
Anyway, I think IT IS MALWARE because look at this video:
http://tinypic.com/player.php?v=xmvrbr&s=6

I'm getting popups and redirects :(
 
Have you done the SAS & MBAM scans in safe mode? What were the results?
 
