Cannot find this...

Status
Not open for further replies.

WarrenX (In Runtime, 199 messages)
Out of the blue, I decided to run PC Matic from PCPitstop just to see where my computer was at, as I had been having performance issues as of late. It came back with the usual, recommending registry fixes, etc. But to my surprise there was also an indication of "high level malware", so I checked it out, and it gave me this:

Rogue Protection Program
S-1-5-21-1978815123-2928815371-573437872-1000

I immediately went into global defense mode and launched Malwarebytes, AVG, Sophos Anti-Rootkit, Spyware Doctor, etc., and was able to eradicate the program "Malware Defender" (no idea how I didn't see it, since it's supposed to pop up all the time). I have, however, been feeling uneasy because PC Matic (the original scan that detected it) is still showing the same thing. I looked up bits and pieces of it, and it looks like it's a Security Identifier (I have no idea how that works). So my question is: where should I go from here? I have no idea if this is just a formality, or a location in the registry, or what; any help would be much appreciated.

Thank you,

-Warren.
 
ComboFix 10-06-15.02 - Warren M 06/15/2010 13:34:53.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.1904 [GMT -7:00]
Running from: c:\users\Warren M\Desktop\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.

2010-06-15 20:45 . 2010-06-15 20:45 -------- d-----w- c:\users\Warren M\AppData\Local\temp
2010-06-15 20:45 . 2010-06-15 20:45 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-15 20:45 . 2010-06-15 20:45 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-06-15 20:45 . 2010-06-15 20:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-15 07:14 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-15 07:14 . 2010-06-15 07:14 -------- d-----w- c:\program files\Mal
2010-06-15 07:14 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 04:58 . 2010-06-15 04:58 -------- d-----w- c:\program files\ESET
2010-06-15 01:42 . 2010-06-15 01:42 -------- d-----w- C:\logs
2010-06-14 23:56 . 2010-06-14 23:56 -------- d-----w- c:\program files\MSSOAP
2010-06-14 23:55 . 2010-06-14 23:55 -------- d-----w- c:\program files\Webroot
2010-06-14 23:54 . 2010-06-14 23:54 164 ----a-w- c:\windows\install.dat
2010-06-14 16:31 . 2010-06-14 16:31 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-06-14 16:31 . 2010-06-14 16:31 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-14 10:55 . 2010-06-14 11:07 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-06-14 07:43 . 2010-06-14 07:43 -------- d-----w- c:\users\Warren M\AppData\Roaming\Auslogics
2010-06-14 06:16 . 2010-06-14 06:16 -------- d-----w- c:\program files\PCPitstop
2010-06-14 05:05 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-14 05:05 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-14 05:04 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-14 05:04 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-14 05:04 . 2010-05-04 19:15 834048 ----a-w- c:\windows\system32\wininet.dll
2010-06-14 05:04 . 2010-05-04 18:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-14 05:04 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-14 04:56 . 2010-06-14 04:56 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-06-08 01:07 . 2010-06-08 01:07 434176 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-07 03:26 . 2010-06-07 03:26 -------- d-----w- c:\program files\Graph
2010-05-16 23:59 . 2007-06-29 21:47 34304 ----a-w- c:\windows\system32\drivers\AmdLLD.sys
2010-05-16 23:59 . 2010-05-16 23:59 -------- d-----w- c:\program files\AMD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 20:46 . 2010-03-26 20:40 -------- d-----w- c:\users\Warren M\AppData\Roaming\Skype
2010-06-15 19:51 . 2009-12-07 09:30 0 ----a-w- c:\users\Warren M\AppData\Local\prvlcl.dat
2010-06-15 19:41 . 2010-05-16 05:42 35189 ----a-w- c:\programdata\nvModes.dat
2010-06-15 17:40 . 2010-03-26 20:43 -------- d-----w- c:\users\Warren M\AppData\Roaming\skypePM
2010-06-15 17:39 . 2008-02-01 06:40 -------- d-----w- c:\programdata\NVIDIA
2010-06-15 08:24 . 2008-02-02 02:17 -------- d-----w- c:\programdata\PCPitstop
2010-06-15 07:11 . 2009-12-29 22:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-15 06:49 . 2008-02-01 05:49 2032 ----a-w- c:\users\Warren M\AppData\Local\d3d9caps.dat
2010-06-15 01:32 . 2006-11-02 12:35 -------- d-----w- c:\program files\Microsoft Games
2010-06-15 01:31 . 2009-09-26 00:26 -------- d-----w- c:\program files\Firaxis Games
2010-06-15 01:31 . 2009-10-25 08:02 -------- d-----w- c:\program files\EA Games
2010-06-15 01:28 . 2008-11-15 19:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-15 01:20 . 2008-02-01 06:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-15 01:11 . 2010-04-09 23:20 -------- d-----w- c:\program files\Age of Wonders Shadow Magic
2010-06-14 16:30 . 2009-03-27 05:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-14 16:30 . 2009-03-27 05:18 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-14 10:09 . 2008-02-28 00:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-06-14 06:00 . 2009-08-23 03:46 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-14 06:00 . 2008-02-01 06:57 -------- d-----w- c:\program files\Yahoo!
2010-06-14 05:58 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-14 05:43 . 2008-02-02 22:31 -------- d-----w- c:\programdata\Microsoft Help
2010-06-14 05:30 . 2008-02-02 00:43 -------- d-----w- c:\programdata\Yahoo!
2010-06-14 05:28 . 2008-02-02 01:00 -------- d-----w- c:\users\Warren M\AppData\Roaming\Yahoo!
2010-06-14 05:01 . 2009-12-29 22:14 -------- d-----w- c:\program files\CCleaner
2010-06-14 04:39 . 2009-01-06 11:37 -------- d-----w- c:\users\Warren M\AppData\Roaming\BitTorrent
2010-06-14 04:39 . 2008-02-24 21:04 -------- d-----w- c:\users\Warren M\AppData\Roaming\Ventrilo
2010-06-14 04:39 . 2010-05-16 15:50 -------- d-----w- c:\program files\Auslogics
2010-05-21 21:14 . 2009-10-03 05:26 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-16 05:35 . 2008-02-02 03:17 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-16 04:48 . 2010-03-10 15:02 1188 ----a-w- c:\windows\eReg.dat
2010-05-16 04:33 . 2008-02-01 05:50 99960 ----a-w- c:\users\Warren M\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-14 22:03 . 2010-05-14 22:03 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2010-05-14 13:51 . 2008-03-12 03:37 -------- d-----w- c:\program files\Google
2010-05-11 06:24 . 2009-11-22 00:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-05-01 04:40 . 2010-05-01 04:40 -------- d-----w- c:\programdata\DivX
2010-04-26 12:39 . 2010-04-26 12:38 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-26 12:39 . 2010-04-26 12:38 -------- d-----w- c:\program files\iTunes
2010-04-26 12:38 . 2010-04-26 12:38 -------- d-----w- c:\program files\iPod
2010-04-26 12:38 . 2008-03-28 17:09 -------- d-----w- c:\program files\Common Files\Apple
2010-04-26 12:37 . 2008-02-05 08:22 -------- d-----w- c:\program files\QuickTime
2010-04-26 12:34 . 2010-04-26 12:34 -------- d-----w- c:\program files\Apple Software Update
2010-04-26 12:32 . 2010-04-26 12:32 -------- d-----w- c:\program files\Bonjour
2010-04-11 23:37 . 2010-04-11 23:37 1 ----a-w- c:\windows\system32\SI.bin
2010-04-08 05:25 . 2009-10-25 08:09 139456 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-08 05:24 . 2009-10-25 08:09 190160 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-06 23:57 . 2010-04-06 23:57 106 ----a-w- c:\users\Warren M\AppData\Roaming\Fathom Preferences.dat
2010-04-04 01:27 . 2010-04-04 01:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-04 01:27 . 2010-04-04 01:27 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-04 01:27 . 2010-04-04 01:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 01:27 . 2010-04-04 01:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-04 01:27 . 2010-04-04 01:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 22:55 . 2010-05-01 21:48 56424 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 22:55 . 2010-05-01 21:48 4503144 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-04-03 22:55 . 2010-05-01 21:48 11573800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-04-03 22:55 . 2010-05-01 21:47 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-04-03 22:55 . 2010-05-01 21:47 4029544 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55 . 2010-05-01 21:47 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 22:55 . 2010-05-01 21:47 2009704 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55 . 2010-05-01 21:47 15227496 ----a-w- c:\windows\system32\nvoglv32.dll
2010-04-03 22:55 . 2010-05-01 21:47 227944 ----a-w- c:\windows\system32\nvcod1914.dll
2010-04-03 22:55 . 2010-05-01 21:47 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55 . 2010-05-01 21:47 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 22:55 . 2010-05-01 21:47 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-02 23:54 . 2008-02-01 06:22 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-28 04:19 . 2008-02-18 03:10 138056 ----a-w- c:\users\Warren M\AppData\Roaming\PnkBstrK.sys
2010-03-28 04:19 . 2008-02-18 03:10 138056 ----a-w- c:\users\Warren M\AppData\Roaming\PnkBstrK.sys
2010-03-28 04:18 . 2009-10-25 08:09 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-28 04:18 . 2009-10-25 08:09 2407792 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-03-26 20:43 . 2010-03-26 20:43 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-26 08:48 . 2010-03-26 08:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-06-15_04.38.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:00 . 2010-06-15 18:48 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2010-06-15 04:16 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2010-06-15 04:16 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:00 . 2010-06-15 18:48 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:00 . 2010-06-15 04:16 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:00 . 2010-06-15 18:48 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-29 11:21 . 2010-06-15 17:39 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-29 11:21 . 2010-06-15 04:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-29 11:21 . 2010-06-15 04:16 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-29 11:21 . 2010-06-15 17:39 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-29 11:21 . 2010-06-15 17:39 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-29 11:21 . 2010-06-15 04:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-15 17:39 . 2010-06-15 17:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-06-15 04:16 . 2010-06-15 04:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-06-15 04:16 . 2010-06-15 04:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-06-15 17:39 . 2010-06-15 17:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-02-01 06:34 . 2010-06-15 17:41 103884 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 10:33 . 2010-06-15 17:46 626348 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-06-15 04:22 626348 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-06-15 04:22 107334 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-06-15 17:46 107334 c:\windows\System32\perfc009.dat
+ 2010-03-29 03:34 . 2010-06-15 19:25 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2010-03-29 03:34 . 2010-06-15 00:18 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UpdateService\isuspm.exe" [2004-04-17 196608]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-18 53341]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-14 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-14 2095640]
"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-14 2065248]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-04 25600]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-9 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Warren M^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\users\Warren M\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnk.Startup
backupExtension=.Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 08:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-11-23 00:36 203720 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
2009-02-03 13:22 1004544 ----a-w- c:\program files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-03-22 01:30 1191936 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Computer Alarm Clock]
2007-09-06 23:29 696832 ----a-w- c:\progra~1\Computer Alarm Clock\cac.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector U]
2009-04-30 00:44 188416 ------w- c:\program files\Creative\MediaSource5\CTDetctu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2009-06-04 07:55 25600 ----a-w- c:\windows\System32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 13:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-04-04 01:27 110696 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
2009-09-28 10:02 1529432 ----a-w- c:\users\Warren M\Desktop\Utilities\Peerblock\peerblock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 17:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-01-09 12:13 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2009-09-04 20:16 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):3d,e6,5a,9c,02,58,ca,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 133104]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-09-12 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-03-04 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2009-06-04 171032]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2009-06-04 72728]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-03 22784]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2007-08-08 12032]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A275.tmp [x]
R3 pbfilter;pbfilter;c:\users\Warren M\Desktop\Utilities\Peerblock\pbfilter.sys [2009-09-28 16472]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2007-11-19 288256]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2010-05-06 90296]
S0 AVGIDSErHrvtx;AVG9IDSErHr;c:\windows\System32\Drivers\AVGIDSvx.sys [2010-03-12 25096]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-03-12 52872]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2009-11-30 24856]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-12 216200]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-14 242896]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-06-08 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-06-08 166632]
S2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-12 916760]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-12 308064]
S2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2010-06-14 2331544]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-06-08 840936]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-04-03 240232]
S3 AVGIDSDrivervtx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSDriver.sys [2010-03-12 122376]
S3 AVGIDSFiltervtx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSFilter.sys [2010-03-12 30216]
S3 AVGIDSShimvtx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys [2010-03-12 27144]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2009-06-04 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2009-06-04 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2009-06-04 72728]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 06:28]

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 06:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4F552121-1498-4A0E-9498-E37F66562BAC} = 209.18.47.61,209.18.47.62
TCP: {CB8D4A87-4B06-4DFE-A3ED-BAECAC97C141} = 66.75.160.63,66.75.160.64
DPF: {A27C56D2-3F58-4ABB-AA31-1168EDA6636F} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
FF - ProfilePath - c:\users\Warren M\AppData\Roaming\Mozilla\Firefox\Profiles\27fvdsvj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\users\Warren M\AppData\Roaming\Mozilla\Firefox\Profiles\27fvdsvj.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-15 13:45
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A275.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1978815123-2928815371-573437872-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c4,36,3a,f9,ca,f7,e9,06,47,fd,41,65,1a,36,d2,78,d8,a3,bd,ca,b1,b1,d4,
d2,48,c4,cd,25,11,24,d1,9d,a5,d6,36,f6,83,b1,bb,e5,cb,2b,63,40,d3,67,32,05,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-1978815123-2928815371-573437872-1000\Software\SecuROM\License information*]
"datasecu"=hex:07,ef,c2,15,1e,f7,9d,37,a7,b0,82,37,74,57,dd,6d,9d,fe,35,eb,11,
12,68,cd,49,76,ef,2c,fc,8b,71,5e,25,d7,da,a2,ef,d7,0f,ee,fb,05,0f,8f,90,af,\
"rkeysecu"=hex:ec,d5,ea,a9,23,85,1f,7d,90,c1,1e,ac,c1,35,ef,ee
.
Completion time: 2010-06-15 13:58:29
ComboFix-quarantined-files.txt 2010-06-15 20:58
ComboFix2.txt 2010-06-15 04:50

Pre-Run: 119,298,715,648 bytes free
Post-Run: 119,286,845,440 bytes free

- - End Of File - - C3C138EA7F4C9A4D35FF315B158D5631
 
Sorry for the delay, just posted right now. Thank you again for your help, Osiris.
 
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A275.tmp [x]

A275.tmp = Trojan.Agent/Gen-F430


[HKEY_USERS\S-1-5-21-1978815123-2928815371-573437872-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c4,36,3a,f9,ca,f7,e9,06,47,fd,41,65,1a,36,d2,78,d8,a3,bd,ca,b1,b1,d4,
d2,48,c4,cd,25,11,24,d1,9d,a5,d6,36,f6,83,b1,bb,e5,cb,2b,63,40,d3,67,32,05,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

is SecuROM. I don't know that you want to delete it, but read this on Wikipedia.

Thank you, Nio Noise, for your response. I believe this is behind that warning. I used PC Matic to delete the suspected backdoor, but how do I know if I am really safe?

I guess I can run combofix again and look for that same entry...

Thank you for your input again.

-Warren.
 