Wow!! After using ComboFix the problem seems to be gone! Thank you so much, Dragonmaster.
ComboFix 10-04-28.03 - David Gardner 04/28/2010 16:10:37.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.1292 [GMT -7:00]
Running from: c:\documents and settings\David Gardner\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr\ruywfrdtssd.exe
c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl\reparsjtssd.exe
c:\program files\AskSearch\bin\DefaultSearch.dll
.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.
2010-04-24 23:57 . 2010-04-28 23:14 -------- d-----w- c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl
2010-04-24 23:57 . 2010-04-28 23:14 -------- d-----w- c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 23:06 . 2009-05-24 17:32 -------- d-----w- c:\documents and settings\David Gardner\Application Data\FrostWire
2010-04-28 22:05 . 2009-05-22 16:30 -------- d-----w- c:\program files\Steam
2010-04-27 00:06 . 2009-05-03 00:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-26 18:56 . 2009-08-19 01:54 -------- d-----w- c:\documents and settings\David Gardner\Application Data\vlc
2010-04-25 00:31 . 2009-09-28 22:18 -------- d-----w- c:\program files\Heroes of Newerth
2010-04-11 01:54 . 2009-05-03 00:13 -------- d-----w- c:\documents and settings\David Gardner\Application Data\uTorrent
2010-04-09 01:29 . 2009-05-05 00:31 -------- d-----w- c:\program files\FinePixViewer
2010-04-05 00:43 . 2009-09-30 22:39 1 ----a-w- c:\documents and settings\David Gardner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-01 17:43 . 2009-05-24 17:37 4506256 ----a-w- c:\documents and settings\David Gardner\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
2010-03-31 20:13 . 2009-11-22 16:41 -------- d-----w- c:\documents and settings\David Gardner\Application Data\dvdcss
2010-03-10 08:02 . 2004-08-04 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-08-04 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2004-08-04 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Steam"="c:\program files\Steam\Steam.exe" [2009-11-12 1217808]
"Google Update"="c:\documents and settings\David Gardner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-23 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"nwiz"="nwiz.exe" [2009-03-27 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-05-11 1348144]
c:\documents and settings\David Gardner\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-9-3 114688]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-5-4 303104]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-10-21 884838]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\pickup.listchecker.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/2/2009 5:04 PM 108289]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [5/2/2009 12:29 PM 17149]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\DAVIDG~1\LOCALS~1\Temp\KVH6.tmp --> c:\docume~1\DAVIDG~1\LOCALS~1\Temp\KVH6.tmp [?]
S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WN111v2.sys --> c:\windows\system32\DRIVERS\WN111v2.sys [?]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [10/20/2009 6:42 PM 362944]
.
Contents of the 'Scheduled Tasks' folder
2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2010-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-789336058-1801674531-1003Core.job
- c:\documents and settings\David Gardner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-23 22:15]
2010-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-789336058-1801674531-1003UA.job
- c:\documents and settings\David Gardner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-23 22:15]
2010-04-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-04 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s
FF - ProfilePath - c:\documents and settings\David Gardner\Application Data\Mozilla\Firefox\Profiles\lez0zr1c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?gcht=HC&o=101676&l=dis
FF - plugin: c:\documents and settings\David Gardner\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKCU-Run-kegdosnf - c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr\ruywfrdtssd.exe
HKCU-Run-wrtjuyvm - c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl\reparsjtssd.exe
HKLM-Run-kegdosnf - c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr\ruywfrdtssd.exe
HKLM-Run-wrtjuyvm - c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl\reparsjtssd.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-04-28 16:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\DAVIDG~1\LOCALS~1\Temp\KVH6.tmp"
.
Completion time: 2010-04-28 16:16:20
ComboFix-quarantined-files.txt 2010-04-28 23:16
Pre-Run: 7,408,603,136 bytes free
Post-Run: 8,300,707,840 bytes free
- - End Of File - - A44CB82A18CA21E49DFB11B984AF26CF