Foatuog & Riisoe.exe?


Foatuog & Riisoe.exe?

Post by Tonky on 10th January 2010, 2:54 pm

Hey guys.

Was referred here by a friend who had a look at this and was stumped.

I recently downloaded a Torrent ("Avatar.soundtrack.torrent.45026").
Inside the downloaded file were some unwanted presents. Along with the music were folders to be extracted that were labelled as 'screensavers'. Curiosity really did kill the cat on this one, as I extracted and opened them to check them out. As I opened them, Spybot immediately picked up on registry values trying to be changed and asked me what to do. Being drunk and being me, I naturally had a giggle at the names and clicked 'allow'. 'Foatuog' and 'Riisoe.exe' were granted access before Avast! started catching viruses; after that I stopped letting Spybot grant registry access.
The 9 viruses that Avast! stopped were:
Win32:Bredolab-BK [Trj]
Win32:Trojan-gen (x7)
Win32:Rootkit-gen [Rtk]
(Taken from: Control Panel>Admin tools>Event Viewer> Antivirus)

I have used Avast! to scan, and a Spybot scan; however, Spybot won't update because, ironically, it's been infected by malware (go figure). Both came up clean.


Now, here's the issue. Google and virus databases have nothing on these two files. Riisoe hides in my (CTRL+ALT+Del) processes list and chews up between 40 - 55% of my CPU. I can also no longer manually terminate processes in there. I haven't noticed anything else related to this.

Foatuog is sitting in my startup registries. I can see him but I can't kill him. Both CCleaner and MSconfig aren't able to disable him (either he won't disable/delete at all, or a new one pops up, or he just turns himself back on (*giggles* ahh, I'm so immature..))

In addition to this, whenever I close down Internet Explorer, I get two error messages popping up.
(will edit this post when I have details on these)

Starting up my computer this evening, Avast! found two viruses in my temp internet files. I have a feeling I have a virus (one of these two or an undetected one) which is downloading more viruses onto my computer.


EDIT: Ok, reset my PC after making this post. The same two viruses were discovered by Avast! again, but Riisoe.exe is absent from my Processes list (normally a 'yay' moment, but I'm pretty sure I had nothing to do with his disappearance).
Viruses Found: (From: Control Panel>Admin Tools>Event Viewer> Antivirus)

Sign of "Win32:Malware-gen" has been found in "C:\Documents and Settings\Simon\iexplore.exe" file. (this is re-occurring)
Sign of "Win32:Malware-gen" has been found in "C:\Documents and Settings\Simon\Local Settings\Temporary Internet Files\Content.IE5\QKR3W80J\ObObKs[1]" file.
Sign of "Win32:Malware-gen" has been found in "C:\Documents and Settings\Simon\Local Settings\Temporary Internet Files\Content.IE5\PQ8GFTEJ\5zkoMa[1]" file.
Sign of "Win32:Malware-gen" has been found in "C:\Documents and Settings\Simon\Local Settings\Temporary Internet Files\Content.IE5\ZJ0Y5WHL\t0Cu3D[1]" file.

/Edit



----------
MalwareBytes scan Results: (I removed all these, but maybe this might help?)


HKEY_CLASSES_ROOT\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\tm (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Simon\Start Menu\Programs\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\videoplay\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Simon\Start Menu\Programs\videoplay\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.



----------
HijackThis Results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:05 AM, on 1/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Simon\Application Data\IMVUClient\imvuqualityagent.exe
C:\Documents and Settings\Simon\Application Data\IMVUClient\IMVUClient.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Simon\My Documents\winlogon.scr
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [foatuog] C:\Documents and Settings\Simon\foatuog.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Simon\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8964 bytes

---------

Thanks in advance guys, I hope there's enough info here.


Last edited by Tonky on 10th January 2010, 3:21 pm; edited 6 times in total (Reason for editing : Updated info)


Re: Foatuog & Riisoe.exe?

Post by Belahzur on 10th January 2010, 7:21 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Re: Foatuog & Riisoe.exe?

Post by Tonky on 11th January 2010, 6:57 am

Ack! I downloaded ComboFix and followed all the instructions, but when I tried to start it up it caused my Sunbelt Firewall to flood my PC with alerts, then died. It did this 3 times and hasn't done anything except spam me with these firewall messages.


Re: Foatuog & Riisoe.exe?

Post by Origin on 11th January 2010, 7:01 am

Please disable your Anti Virus along with your firewall for the moment and run ComboFix.




Re: Foatuog & Riisoe.exe?

Post by Tonky on 11th January 2010, 7:02 am

Alright, I had my AV disabled the first few times, didn't realise the firewall could interfere with it though.


Re: Foatuog & Riisoe.exe?

Post by Origin on 11th January 2010, 7:07 am

Ok, reply back with your log once finished.




Re: Foatuog & Riisoe.exe?

Post by Tonky on 11th January 2010, 8:27 am

----------
ComboFix Log:

ComboFix 10-01-04.01 - Simon 01/11/2010 18:06:53.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1488 [GMT 10:00]
Running from: c:\documents and settings\Simon\My Documents\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100110-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Simon\foatuog.exe
c:\documents and settings\Simon\riisoe.exe
c:\windows\system32\SIntf16.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-10 19:34 . 2010-01-10 19:37 -------- d-----w- C:\Combo-Fix
2010-01-10 14:24 . 2010-01-10 14:24 -------- d-----w- c:\documents and settings\Simon\Application Data\Malwarebytes
2010-01-10 14:24 . 2010-01-07 06:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-10 14:24 . 2010-01-10 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-10 14:24 . 2010-01-10 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 14:24 . 2010-01-07 06:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-10 14:18 . 2010-01-10 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-09 23:18 . 2010-01-09 23:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-01-07 19:53 . 2010-01-08 01:31 -------- d-----w- c:\program files\MP3Gain
2009-12-29 00:08 . 2009-12-29 00:08 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-29 00:08 . 2009-12-29 00:08 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-29 00:08 . 2009-12-29 00:08 -------- d-----w- c:\program files\Norton Security Scan
2009-12-29 00:07 . 2009-12-29 00:07 -------- d-----w- c:\program files\NortonInstaller
2009-12-29 00:02 . 2009-12-29 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-29 00:02 . 2009-12-29 00:02 -------- d-----w- c:\program files\MilkShape 3D 1.8.2
2009-12-23 04:20 . 2009-12-29 00:00 -------- d-----w- c:\program files\AudioLabel
2009-12-23 04:20 . 2009-12-23 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-12-22 17:46 . 2009-12-29 00:03 -------- d-----w- c:\documents and settings\Simon\AdobeLicensingFilesBackup
2009-12-22 15:41 . 2009-12-22 15:41 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-22 03:12 . 2009-12-29 00:06 -------- d-----w- c:\program files\Adobe Media Player
2009-12-21 05:14 . 2009-12-21 05:14 -------- d-----w- c:\documents and settings\Simon\Application Data\Acoustica
2009-12-19 08:55 . 2009-12-20 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-19 08:55 . 2009-12-19 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-19 08:55 . 2009-12-19 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-17 21:54 . 2009-12-17 21:54 -------- d-----w- c:\documents and settings\Simon\Application Data\com.posecentral.desktop.9D15AF0ED62CD4090CF3D4016683952239AB581E.1
2009-12-17 21:54 . 2009-12-17 21:54 -------- d-----w- c:\program files\PoseCentral
2009-12-17 21:54 . 2009-12-17 21:54 -------- d-----w- c:\program files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 08:03 . 2009-11-14 16:59 -------- d-----w- c:\documents and settings\Simon\Application Data\WTablet
2010-01-11 08:02 . 2009-11-27 04:42 -------- d-----w- c:\program files\Steam
2010-01-11 07:38 . 2009-09-24 12:57 -------- d-----w- c:\documents and settings\Simon\Application Data\IMVU
2010-01-10 14:18 . 2010-01-10 14:18 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-09 23:33 . 2009-03-15 14:57 1 ----a-w- c:\documents and settings\Simon\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-09 07:45 . 2009-02-03 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-07 20:12 . 2008-10-30 13:38 -------- d-----w- c:\documents and settings\Simon\Application Data\uTorrent
2010-01-06 03:49 . 2009-03-29 02:18 -------- d-----w- c:\program files\WoW
2009-12-30 02:24 . 2008-10-28 22:20 48176 ----a-w- c:\documents and settings\Simon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-29 00:39 . 2009-09-24 12:57 76774 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\Uninstall.exe
2009-12-29 00:38 . 2009-09-24 12:56 -------- d-----w- c:\documents and settings\Simon\Application Data\IMVUClient
2009-12-29 00:06 . 2008-10-27 11:16 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-23 20:55 . 2009-06-22 23:03 -------- d-----w- c:\program files\Google
2009-12-22 22:21 . 2008-10-25 15:51 -------- d-----w- c:\program files\CCleaner
2009-12-21 19:36 . 2009-12-21 19:36 92192 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\IMVUupdater.exe
2009-12-21 19:36 . 2009-12-21 19:36 52992 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\IMVUClient.exe
2009-12-21 19:36 . 2009-12-21 19:36 21760 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\imvuqualityagent.exe
2009-12-21 19:33 . 2009-12-21 19:33 121856 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\WriteMiniDump.exe
2009-12-21 19:31 . 2009-12-21 19:31 1222144 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\SceneWindow.dll
2009-12-21 19:31 . 2009-12-21 19:31 45568 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\npvivoxproxy.dll
2009-12-21 19:31 . 2009-12-21 19:31 54784 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\nphwndproxy.dll
2009-12-21 19:31 . 2009-12-21 19:31 16896 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\MemoryHook.dll
2009-12-21 19:30 . 2009-12-21 19:30 320000 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\cal3d.dll
2009-12-21 19:29 . 2009-12-21 19:29 198656 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\boost_python.dll
2009-12-21 19:29 . 2009-12-21 19:29 29184 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\CallStack.dll
2009-12-21 19:29 . 2009-12-21 19:29 260096 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\audiere.dll
2009-12-19 18:33 . 2009-06-22 23:03 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-19 08:16 . 2009-06-22 23:03 -------- d-----w- c:\program files\DivX
2009-12-17 21:51 . 2010-01-10 14:19 38784 ----a-w- c:\documents and settings\Simon\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-12-17 21:51 . 2009-12-17 21:54 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-12-17 19:55 . 2009-04-05 14:29 -------- d-----w- c:\program files\Diablo II
2009-12-17 18:05 . 2009-12-17 18:05 7491728 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\1VivoxVoice.exe
2009-12-17 18:05 . 2009-12-17 18:05 4924048 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\vivoxsdk.dll
2009-12-17 18:05 . 2009-12-17 18:05 353424 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\npvivoxvoiceplugin.dll
2009-12-17 18:05 . 2009-12-17 18:05 330896 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\libsndfile-1.dll
2009-12-17 18:05 . 2009-12-17 18:05 275088 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\vivoxoal.dll
2009-12-17 18:05 . 2009-12-17 18:05 246416 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ortp.dll
2009-12-17 18:05 . 2009-12-17 18:05 1034896 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\dbghelp.dll
2009-12-03 05:05 . 2009-10-16 15:10 24372192 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\installer\SetupImvu_update.exe
2009-12-03 02:55 . 2008-10-25 15:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-01 23:58 . 2009-12-01 23:58 7490192 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\VivoxVoiceManager.exe
2009-12-01 23:58 . 2009-12-01 23:58 5005968 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\vivoxsdk.dll
2009-12-01 23:58 . 2009-12-01 23:58 345744 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\npvivoxvoiceplugin.dll
2009-12-01 23:58 . 2009-12-01 23:58 329872 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\libsndfile-1.dll
2009-12-01 23:58 . 2009-12-01 23:58 283280 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\vivoxoal.dll
2009-12-01 23:58 . 2009-12-01 23:58 246416 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\ortp.dll
2009-12-01 23:58 . 2009-12-01 23:58 184832 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\ssleay32.dll
2009-12-01 23:58 . 2009-12-01 23:58 1034896 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\DbgHelp.dll
2009-12-01 23:58 . 2009-12-01 23:58 1006080 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\libeay32.dll
2009-12-01 11:06 . 2008-11-26 00:54 -------- d-----w- c:\program files\Java
2009-12-01 11:05 . 2009-12-01 11:05 152576 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-01 11:04 . 2009-12-01 11:04 79488 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-01 02:38 . 2009-12-01 02:38 1006080 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\libeay32.dll
2009-12-01 02:38 . 2009-12-01 02:38 184832 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ssleay32.dll
2009-11-26 08:29 . 2009-11-26 08:29 -------- d-----w- c:\program files\JRE
2009-11-26 08:29 . 2009-03-15 14:55 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-25 03:59 . 2009-08-25 09:18 -------- d-----w- c:\program files\Warcraft III
2009-11-24 23:54 . 2009-01-17 23:18 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-01-17 23:18 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-01-17 23:18 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-01-17 23:18 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-01-17 23:18 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-01-17 23:18 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-01-17 23:18 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-01-17 23:18 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-01-17 23:18 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-22 05:06 . 2009-05-26 05:20 38 ----a-w- c:\documents and settings\Simon\jagex_runescape_preferences.dat
2009-11-22 05:04 . 2009-09-03 05:53 63 ----a-w- c:\documents and settings\Simon\jagex_runescape_preferences2.dat
2009-11-14 07:41 . 2009-11-14 07:11 -------- d-----w- c:\program files\Tablet
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-13 05:07 . 2009-11-13 05:07 77824 ----a-w- c:\documents and settings\Simon\Application Data\PirateGalaxy\gamedata\tk_EXT2.dll
2009-11-13 05:06 . 2009-11-13 05:05 -------- d-----w- c:\documents and settings\Simon\Application Data\PirateGalaxy
2009-11-13 05:06 . 2009-11-13 05:05 947826 ----a-w- c:\documents and settings\Simon\Application Data\PirateGalaxy\Launcher.exe
2009-11-12 23:27 . 2009-11-12 23:27 3771296 ----a-w- c:\documents and settings\Simon\Application Data\IMVUClient\ui\plugins\npswf32.dll
2009-10-29 07:45 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 07:49 . 2009-10-17 07:49 21028 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Steam"="c:\program files\steam\steam.exe" [2009-11-30 1217808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-19 16858112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-11 13520896]
"nwiz"="nwiz.exe" [2008-03-11 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-11 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NoIE4StubProcessing"="c:\windows\system32\reg.exe DELETE HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-6 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 13:34 24576 ----a-w- c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoIE4StubProcessing]
c:\windows\system32\reg.exe DELETE HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-02 18:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-21 17:09 50472 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 15:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-10 18:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-19 15:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SbPF.Launcher"=2 (0x2)
"mi-raysat_3dsmax9_32"=2 (0x2)
"gupdate1c9f38dbfe7bdc6"=2 (0x2)
"gusvc"=2 (0x2)
"ProtexisLicensing"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:3724 - wow
"6112:TCP"= 6112:TCP:6112 - wow
"6881:TCP"= 6881:TCP:6881 - wow
"6999:TCP"= 6999:TCP:6999 - wow
"58628:TCP"= 58628:TCP:Pando Media Booster
"58628:UDP"= 58628:UDP:Pando Media Booster
"1500:UDP"= 1500:UDP:1500 - MW2
"3005:UDP"= 3005:UDP:3005 - MW2
"3101:UDP"= 3101:UDP:3101 - MW2
"28960:UDP"= 28960:UDP:28960 - MW2

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/18/2009 9:18 AM 114768]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2/3/2009 11:22 PM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/18/2009 9:18 AM 20560]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [10/13/2009 5:37 PM 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/7/2008 11:23 AM 24652]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2/3/2009 11:22 PM 65576]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [3/27/2009 9:43 PM 17792]
S1 khips;khips;\??\c:\windows\system32\Drivers\khips.sys --> c:\windows\system32\Drivers\khips.sys [?]
S2 mycode1983;Remote TCP/IP3;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 10:00 PM 14336]
S2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [11/22/2008 12:53 PM 23064]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys --> c:\windows\system32\DRIVERS\wacmoumonitor.sys [?]
S4 gupdate1c9f38dbfe7bdc6;Google Update Service (gupdate1c9f38dbfe7bdc6);c:\program files\Google\Update\GoogleUpdate.exe [6/23/2009 9:04 AM 133104]
S4 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode123
mycode1983
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-01-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-19 15:07]

2010-01-11 c:\windows\Tasks\User_Feed_Synchronization-{38FAD041-484E-4980-99E2-17449B82C243}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Simon\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: wowwiki.com\www
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-foatuog - c:\documents and settings\Simon\foatuog.exe
MSConfigStartUp-foatuog - c:\documents and settings\Simon\foatuog.exe
AddRemove-HijackThis - c:\documents and settings\Simon\My Documents\HijackThis.exe
AddRemove-_{0C180787-F8C8-42FD-A9D3-689BA44BEAAF} - c:\program files\Corel\Corel Painter Essentials 3\MSILauncher {0C180787-F8C8-42FD-A9D3-689BA44BEAAF}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-11 18:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Simon\LOCALS~1\Temp\RGI3.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417001333-838170752-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll
.
Completion time: 2010-01-11 18:25:41
ComboFix-quarantined-files.txt 2010-01-11 08:25

Pre-Run: 35,646,709,760 bytes free
Post-Run: 35,848,359,936 bytes free

- - End Of File - - 7FB4294B514B182D3CC125A126D4DC5B

Tonky
Novice

Posts: 5
Joined: 2010-01-10
OS: Windows XP
Points: 25303
Likes: 0

Re: Foatuog & Riisoe.exe?

Post by Tonky on 11th January 2010, 8:29 am

It says it deleted both Foatuog and Riisoe.exe, as well as a 3rd which I didn't know about. If there is anything you would suggest for me to do at all, please let me know. My brother mentioned something about a 'virus bomb' in my computer?

*shrugs* I hope that log helps, and I hope it means my computer is cured too

Thanks so far anyway guys!


Re: Foatuog & Riisoe.exe?

Post by Belahzur on 11th January 2010, 11:37 am

Hello.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quotebox below into it:

    Driver::
    khips
    mycode1983
    Avgfwdx
    Avgfwfd
    wacmoumonitor

    NetSvc::
    wowsystemcode123
    mycode1983

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"=-
    "6112:TCP"=-
    "6881:TCP"=-
    "6999:TCP"=-

    RegLock::
    [HKEY_USERS\S-1-5-21-1417001333-838170752-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1
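The ComboFix log posted above and the CFScript Belahzur built from it point at the same handful of indicators: driver/service entries whose image file is no longer on disk (the lines ending in `[?]`), a service called mycode1983 that is hosted by `svchost.exe -k netsvcs`, two non-default names in the Svchost NetSvcs group, an `EnableFirewall` value of 0, and game ports opened in the firewall policy. The Python below is an added example, not ComboFix's code and not anything posted in the thread: it scans a few constructed lines laid out like that log and reports those indicators, so a reader can see how a log reviewer arrives at the entries that end up in the CFScript. The `Finding` class, the `triage()` and `names()` helpers and the regular expressions are this example's own; the sample lines are copied from the posted log and trimmed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the ComboFix log posted above. The entries
# are copied from that log and trimmed to a few lines; nothing here is new data.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:3724 - wow
"58628:UDP"= 58628:UDP:Pando Media Booster

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/18/2009 9:18 AM 114768]
S1 khips;khips;\??\c:\windows\system32\Drivers\khips.sys --> c:\windows\system32\Drivers\khips.sys [?]
S2 mycode1983;Remote TCP/IP3;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 10:00 PM 14336]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wowsystemcode123
mycode1983
.
"""

# Service lines look like "<start type> <name>;<description>;<image path> [<date> <size>]".
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*(.*)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')


@dataclass(frozen=True)
class Finding:
    kind: str    # short category: missing-file-service, netsvcs-entry, open-port, firewall-disabled
    name: str    # the service, NetSvcs entry, port or value the finding is about
    detail: str  # human-readable reason


def triage(log_text: str) -> list:
    """Walk a ComboFix-style log and return the indicators a reviewer checks first."""
    lines = log_text.splitlines()
    findings = []
    section = ""            # most recent [registry key] header seen in the log
    svchost_services = {}   # service name -> svchost group that hosts it
    netsvcs = []            # names listed under the Svchost NetSvcs group
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif (m := SERVICE_RE.match(line)):
            start_type, name, _desc, rest = m.groups()
            # ComboFix marks a service whose image file it cannot find with "[?]".
            if rest.endswith("[?]"):
                findings.append(Finding("missing-file-service", name,
                                        f"{start_type} service whose image is absent from disk: {rest}"))
            if (g := SVCHOST_RE.search(rest)):
                svchost_services[name] = g.group(1).lower()
        elif "firewallpolicy" in section.lower() and (m := FIREWALL_RE.match(line)):
            if m.group(1) == "0":
                findings.append(Finding("firewall-disabled", "EnableFirewall",
                                        "Windows Firewall is switched off for this profile"))
        elif "globallyopenports" in section.lower() and (m := PORT_RE.match(line)):
            findings.append(Finding("open-port", m.group(1), m.group(2)))
        elif line.endswith("Svchost - NetSvcs"):
            # The group members follow the header until a blank line or a lone ".".
            i += 1
            while i < len(lines) and lines[i].strip() not in ("", "."):
                netsvcs.append(lines[i].strip())
                i += 1
            continue
        i += 1

    # ComboFix prints only non-default NetSvcs members, so every one deserves a look;
    # cross-reference each with the service list to say what, if anything, backs it.
    for entry in netsvcs:
        if entry in svchost_services:
            detail = f"also registered as a service run by svchost -k {svchost_services[entry]}"
        else:
            detail = "listed in NetSvcs but no service line references it"
        findings.append(Finding("netsvcs-entry", entry, detail))
    return findings


def names(findings, kind: str) -> list:
    """Sorted names of all findings of one kind (used for quick checks and reports)."""
    return sorted(f.name for f in findings if f.kind == kind)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.name:20} {f.detail}")
```

The output reproduces Belahzur's list: khips and Avgfwdx as services with no file behind them, mycode1983 and wowsystemcode123 as the NetSvcs group members, the disabled firewall and the open game ports. The script only surfaces these lines; deciding which are leftovers of removed software (the AVG and Wacom drivers) and which are malware persistence (a NetSvcs member with a made-up name and no DLL on disk) remains the reviewer's call, which is why the CFScript above is hand-written rather than generated.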
