
Computer is responding very slow!



OK, so my computer has started to respond very slowly today.

It takes like 30 seconds for it to switch windows with Alt+Tab,

when yesterday it took around 1-2 seconds at most.

I have the latest HijackThis log & MBAM quick scan log here.

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:52:16, on 2009-08-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Tall Emu\Online Armor\OAui.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Extreme Seven 2009 Ultimate
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\ESAP 3\Windows 7 - Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\OAui.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [styler] C:\Program Files\ESAP 3\Windows 7 - Styler\Styler.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47FCC92C-B442-4704-B678-11F8AE118855}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--End of file - 6231 bytes

MBAM

Malwarebytes' Anti-Malware 1.39
Database version: 2546
Windows 5.1.2600 Service Pack 3

2009-08-02 16:09:18
mbam-log-2009-08-02 (16-09-18).txt

Scan type: Quick Scan
Objects scanned: 82599
Time elapsed: 9 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
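Helpers in threads like this read a HijackThis log by eye, but the first pass is mechanical enough to script. The block below is an added example written for this page; it is not a tool from the thread, from Trend Micro or from Malwarebytes. It parses HijackThis-style entry lines (section code, then the entry body), extracts the file each entry points at, and flags the three things a helper looks at first: a target reported as "(no file)" or "(file missing)", an O23 service with an unknown owner, and an executable launched from outside Program Files or Windows. The sample lines are copied from the log above, except the "ExampleUpdater" line, which is constructed to exercise the location rule; the flag names and the list of standard directories are this example's own assumptions, not HijackThis conventions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input, constructed for this example: five lines copied from the
# HijackThis log earlier in the thread plus one made-up O4 line (the
# "ExampleUpdater" entry, hypothetical) that exists only to exercise the
# location rule below.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ExampleUpdater] C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe /silent
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
"""

# "O4 - ..." / "R1 - ..." / "F2 - ...": section code, then the entry body.
ENTRY = re.compile(r"^([ROF]\d+)\s*-\s*(.*)$")
# A quoted path wins; otherwise take the first drive-letter path up to a
# known executable/library extension, so trailing switches are not included.
PATH_QUOTED = re.compile(r'"([A-Za-z]:\\[^"]+)"')
PATH_BARE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|scr|cpl))\b", re.IGNORECASE)

# Locations this example treats as ordinary for installed software on XP;
# an assumption of the example, not a HijackThis rule.
STANDARD_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Entry:
    section: str               # e.g. "O4"
    text: str                  # entry body after the section code
    path: Optional[str]        # extracted target path, if any
    flags: Tuple[str, ...]     # triage flags, empty when nothing stands out


def extract_path(text: str) -> Optional[str]:
    """Return the file the entry points at, or None (e.g. for '(no file)')."""
    match = PATH_QUOTED.search(text) or PATH_BARE.search(text)
    return match.group(1) if match else None


def classify(section: str, text: str, path: Optional[str]) -> Tuple[str, ...]:
    """Apply the three triage rules; each flag is a prompt to look closer."""
    flags: List[str] = []
    low = text.lower()
    if "(no file)" in low or "(file missing)" in low:
        flags.append("missing-file")           # registry points at nothing on disk
    if section == "O23" and "unknown owner" in low:
        flags.append("unknown-owner")          # service binary carries no vendor
    if path is not None and not path.lower().startswith(STANDARD_DIRS):
        flags.append("outside-standard-dirs")  # runs from a profile/temp path
    return tuple(flags)


def parse_hjt(log_text: str) -> List[Entry]:
    """Turn HijackThis-style lines into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue
        section, body = match.group(1), match.group(2)
        path = extract_path(body)
        entries.append(Entry(section, body, path, classify(section, body, path)))
    return entries


def triage(log_text: str) -> List[Entry]:
    """Entries that carry at least one flag, in log order."""
    return [entry for entry in parse_hjt(log_text) if entry.flags]


def section_counts(log_text: str) -> Dict[str, int]:
    """How many entries each section contributed (a quick shape of the log)."""
    counts: Dict[str, int] = {}
    for entry in parse_hjt(log_text):
        counts[entry.section] = counts.get(entry.section, 0) + 1
    return counts


if __name__ == "__main__":
    print("sections:", section_counts(SAMPLE_LOG))
    for entry in triage(SAMPLE_LOG):
        print(f"{entry.section:<4} {', '.join(entry.flags):<32} {entry.path or '(none)'}")
```

A flag marks an entry for a closer look, not a verdict: leftovers from uninstalled software show up as missing files just as often as anything else, which is why the helper still reads the flagged lines rather than acting on them automatically.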

  • Root Admin

Please describe in more detail what issues you're seeing there.

Then run this scanner and post back the logs.

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


OK.

The problem I have is that all my programs are taking forever to start, and once they do start most of them hang (stop responding) quickly, and often it results in a hard restart of Windows.

And I noticed that in the DDS log it says Outdated on my Avira, but I update it daily (and Avira Guard is started).

DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 15:20:45,84 on 2009-08-07
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.1023.553 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Tall Emu\Online Armor\OAui.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============
uWindow Title = Extreme Seven 2009 Ultimate
uStart Page = hxxp://www.garena.com/portal/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\esap 3\windows 7 - styler\tb\StylerTB.dll
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\OAui.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [styler] c:\program files\esap 3\windows 7 - styler\Styler.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = avnotify.dll
uPolicies-disallowrun: 2 = avnotify.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: {47FCC92C-B442-4704-B678-11F8AE118855} = 208.67.222.222,208.67.220.220
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\z8x8krrv.default\
FF - prefs.js: browser.search.selectedEngine - Wowhead
FF - prefs.js: browser.startup.homepage - hxxp://www.wowhead.com/
FF - plugin: c:\program files\opera 10 beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-25 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-25 46864]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-27 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-5-7 200784]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-5-7 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-5-7 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-27 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-27 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-6 55656]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-5-7 362184]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-5-7 3142344]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-25 33552]
S3 cimo;cimo;c:\windows\system32\cimo.sys [2009-6-1 46080]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-6-24 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-6-24 79104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 12648]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2009-5-26 146112]
S3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2009-5-26 6272]

=============== Created Last 30 ================
2009-08-07 13:39	<DIR>	--d-----	c:\program files\Audacity
2009-08-05 15:05	<DIR>	--d-----	c:\program files\Diablo II
2009-08-04 14:46	<DIR>	--d-----	C:\Unreal2
2009-08-04 14:37	<DIR>	--d-h---	c:\windows\PIF
2009-07-28 17:00	<DIR>	--d-----	C:\Sandbox
2009-07-28 17:00	<DIR>	--d-----	c:\program files\Sandboxie
2009-07-28 12:53	<DIR>	--d-----	c:\program files\rise
2009-07-27 22:21	<DIR>	--d-----	c:\docume~1\admini~1\applic~1\Microsoft Games
2009-07-27 21:51	<DIR>	--d-----	c:\program files\Hamachi
2009-07-25 10:53	<DIR>	--d-----	C:\Oplex
2009-07-24 10:58	<DIR>	--d-----	c:\program files\Defraggler
2009-07-23 20:51	<DIR>	--d-----	c:\program files\Curse
2009-07-11 13:38	<DIR>	--d-----	c:\program files\DivX
2009-07-10 17:14	<DIR>	--d-----	C:\ProgramData
2009-07-10 17:14	447,752	a----r--	c:\windows\system32\vp6vfw.dll
2009-07-10 17:14	<DIR>	--d-----	c:\program files\Microsoft WSE
2009-07-10 13:20	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Azureus
2009-07-10 13:20	<DIR>	--d-----	c:\docume~1\admini~1\applic~1\Azureus
2009-07-09 19:58	<DIR>	--d-----	c:\program files\VideoLAN
2009-07-09 15:50	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-07-09 15:14	<DIR>	--d-----	c:\docume~1\admini~1\applic~1\Red Alert 3
2009-07-09 10:42	25	a-------	c:\windows\popcinfot.dat
2009-07-08 19:41	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\PopCap Games

==================== Find3M  ====================
2009-08-05 13:15	55,656	a-------	c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:36	38,160	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36	19,096	a-------	c:\windows\system32\drivers\mbam.sys
2009-08-02 16:12	25,992	a-------	c:\windows\system32\pgdfgsvc.exe
2009-07-27 21:51	25,280	a-------	c:\windows\system32\drivers\hamachi.sys
2009-07-19 18:48	11,067,392	a-------	c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18	5,937,152	a-------	c:\windows\system32\dllcache\mshtml.dll
2009-07-11 05:59	29,776	a-------	c:\windows\system32\drivers\OAnet.sys
2009-07-11 05:17	24,656	a-------	c:\windows\system32\drivers\OAmon.sys
2009-07-11 05:17	200,784	a-------	c:\windows\system32\drivers\OADriver.sys
2009-07-03 18:09	915,456	a-------	c:\windows\system32\wininet.dll
2009-07-03 18:09	915,456	a-------	c:\windows\system32\dllcache\wininet.dll
2009-07-03 18:09	12,800	--------	c:\windows\system32\dllcache\xpshims.dll
2009-07-03 18:09	1,208,832	a-------	c:\windows\system32\dllcache\urlmon.dll
2009-07-03 18:09	206,848	a-------	c:\windows\system32\dllcache\occache.dll
2009-07-03 18:09	594,432	a-------	c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 18:09	55,296	a-------	c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 18:09	1,985,536	a-------	c:\windows\system32\dllcache\iertutil.dll
2009-07-03 18:09	25,600	a-------	c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 18:09	246,272	--------	c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 18:09	184,320	--------	c:\windows\system32\dllcache\iepeers.dll
2009-07-03 18:09	386,048	a-------	c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 12:01	173,056	a-------	c:\windows\system32\dllcache\ie4uinit.exe
2009-06-24 18:17	767,328	a-------	c:\windows\system32\kdfinj.dll
2009-06-20 15:25	65,536	ac------	c:\windows\IFinst27.exe
2009-06-19 14:37	46,864	a-------	c:\windows\system32\drivers\TfSysMon.sys
2009-06-19 14:37	33,552	a-------	c:\windows\system32\drivers\TfNetMon.sys
2009-06-19 14:37	51,984	a-------	c:\windows\system32\drivers\TfFsMon.sys
2009-06-17 13:20	12,648	a-------	c:\windows\system32\drivers\psi_mf.sys
2009-06-17 11:51	720,896	a-------	c:\windows\iun6002.exe
2009-06-16 15:36	119,808	a-------	c:\windows\system32\t2embed.dll
2009-06-16 15:36	81,920	a-------	c:\windows\system32\fontsub.dll
2009-06-16 15:36	119,808	--------	c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:36	81,920	--------	c:\windows\system32\dllcache\fontsub.dll
2009-06-06 20:00	249,856	--------	c:\windows\Setup1.exe
2009-06-06 20:00	73,216	a-------	c:\windows\ST6UNST.EXE
2009-06-03 20:09	1,291,264	a-------	c:\windows\system32\quartz.dll
2009-06-03 20:09	1,291,264	--------	c:\windows\system32\dllcache\quartz.dll
2009-06-01 17:07	46,080	a-------	c:\windows\system32\cimo.sys
2009-02-21 15:32	2,628	a-------	c:\documents and settings\administrator\installer.bat
2009-02-12 05:30	1,481,728	a-------	c:\documents and settings\administrator\LegitCheckControl.dll
2009-02-12 05:30	323,072	a-------	c:\documents and settings\administrator\WgaTray.exe
2009-02-12 05:30	190,976	a-------	c:\documents and settings\administrator\WgaLogon.dll
2009-05-06 21:43	16,384	a--sh---	c:\windows\system32\config\systemprofile\cookies\index.dat
2009-05-06 21:43	16,384	a--sh---	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-05-06 21:43	32,768	a--sh---	c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 15:22:23,03 ===============

Hope this info helped!

Attach.zip


  • Root Admin

STEP 01

Download and install CCleaner
  • Double-click on the downloaded file "ccsetup222_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 02

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

STEP 03

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


COMBOFIX

ComboFix 09-08-07.09 - Administrator 2009-08-08  9:34.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.1023.652 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\WgaTray.exe
c:\documents and settings\Default User\WgaTray.exe
c:\windows\system32\Config.ini
c:\windows\system32\config\systemprofile\WgaTray.exe
c:\windows\system32\kdfinj.dll
c:\windows\system32\WgaLogon.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.
2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\windows\system32\xircom
2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\program files\microsoft frontpage
2009-08-07 18:07 . 2009-08-07 18:07 -------- d-----w- c:\program files\Gravity
2009-08-07 12:39 . 2009-08-07 12:39 -------- d-----w- c:\program files\Audacity
2009-08-05 14:05 . 2009-08-07 22:09 -------- d-----w- c:\program files\Diablo II
2009-08-04 13:46 . 2009-08-04 14:39 -------- d-----w- C:\Unreal2
2009-08-04 13:37 . 2009-08-04 13:37 -------- d--h--w- c:\windows\PIF
2009-08-02 15:47 . 2009-08-06 14:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-08-02 15:43 . 2009-08-02 15:55 -------- d-----w- c:\program files\Opera
2009-08-02 15:33 . 2009-08-02 15:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-08-02 15:33 . 2009-08-02 15:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-07-31 12:22 . 2009-08-02 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-31 12:22 . 2009-08-02 14:15 -------- d-----w- c:\program files\NOS
2009-07-28 16:00 . 2009-07-28 16:00 -------- d-----w- C:\Sandbox
2009-07-28 16:00 . 2009-08-04 15:19 -------- d-----w- c:\program files\Sandboxie
2009-07-28 11:53 . 2009-07-28 12:22 -------- d-----w- c:\program files\rise
2009-07-28 11:52 . 2009-07-28 11:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-07-27 21:21 . 2009-07-28 09:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Games
2009-07-27 20:51 . 2009-07-27 20:52 -------- d-----w- c:\program files\Hamachi
2009-07-25 09:53 . 2009-07-25 09:56 -------- d-----w- C:\Oplex
2009-07-24 09:58 . 2009-07-24 09:58 -------- d-----w- c:\program files\Defraggler
2009-07-23 19:51 . 2009-08-07 21:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\CurseClient
2009-07-23 19:51 . 2009-07-23 19:51 -------- d-----w- c:\program files\Curse
2009-07-11 12:38 . 2009-07-12 09:26 -------- d-----w- c:\program files\DivX
2009-07-10 16:14 . 2009-07-10 16:14 -------- d-----w- C:\ProgramData
2009-07-10 16:14 . 2008-09-04 18:17 447752 ----a-r- c:\windows\system32\vp6vfw.dll
2009-07-10 16:14 . 2009-07-10 16:14 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-07-10 16:14 . 2009-07-10 16:14 -------- d-----w- c:\program files\Microsoft WSE
2009-07-10 12:20 . 2009-07-10 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-07-10 12:20 . 2009-08-08 08:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus
2009-07-09 18:58 . 2009-07-09 18:58 -------- d-----w- c:\program files\VideoLAN
2009-07-09 14:50 . 2009-07-27 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-07-09 14:48 . 2009-07-09 14:48 -------- d--h--r- c:\documents and settings\Administrator\Application Data\SecuROM
2009-07-09 14:14 . 2009-07-09 14:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Red Alert 3
2009-07-09 09:42 . 2009-07-10 14:11 25 ----a-w- c:\windows\popcinfot.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 08:43 . 2009-05-07 11:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-08 08:16 . 2009-07-12 10:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-08-07 20:46 . 2009-05-07 14:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-07 18:06 . 2009-05-07 15:58 65536 -c--a-w- c:\windows\IFinst27.exe
2009-08-06 14:50 . 2009-08-02 15:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-08-05 14:08 . 2009-05-08 18:18 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-08-05 12:15 . 2009-05-06 20:21 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-04 13:46 . 2009-05-07 07:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-04 13:23 . 2009-05-14 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-08-03 21:29 . 2009-05-07 09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 21:28 . 2009-05-26 19:56 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-03 12:36 . 2009-05-07 09:09 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-05-07 09:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 10:27 . 2009-06-17 23:00 -------- d-----w- c:\program files\Common Files\GTK
2009-08-02 16:01 . 2009-05-11 10:18 -------- d-----w- c:\program files\osu!

2009-08-02 15:12 . 2009-05-09 00:05 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2009-08-02 14:56 . 2009-05-07 10:51 -------- d-----w- c:\program files\SpywareBlaster

2009-07-31 11:52 . 2009-06-25 12:07 -------- d-----w- c:\program files\ThreatFire

2009-07-31 11:52 . 2009-05-07 16:28 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-30 21:43 . 2009-06-06 15:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Hamachi

2009-07-27 20:51 . 2009-06-06 15:53 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys

2009-07-24 12:42 . 2009-06-01 17:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spotify

2009-07-13 07:16 . 2009-06-03 16:59 -------- d-----w- c:\program files\Guild Wars

2009-07-12 10:10 . 2009-07-12 10:10 -------- d-----w- c:\program files\Winamp

2009-07-11 04:59 . 2009-05-07 08:53 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys

2009-07-11 04:17 . 2009-05-07 08:53 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys

2009-07-11 04:17 . 2009-05-07 08:53 200784 ----a-w- c:\windows\system32\drivers\OADriver.sys

2009-07-08 18:41 . 2009-07-08 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

2009-07-08 15:41 . 2009-06-17 23:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\.purple

2009-07-03 17:09 . 2009-03-16 18:46 915456 ----a-w- c:\windows\system32\wininet.dll

2009-07-03 11:54 . 2009-05-07 11:09 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-02 10:10 . 2009-07-02 09:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\InfraRecorder

2009-07-01 10:18 . 2009-06-18 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-07-01 10:18 . 2009-06-18 12:28 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0

2009-06-29 14:49 . 2009-06-29 14:48 -------- d-----w- c:\program files\Intel

2009-06-26 23:51 . 2009-06-26 23:51 -------- d-----w- c:\program files\Avira

2009-06-26 23:51 . 2009-06-26 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-06-26 16:43 . 2009-05-07 11:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-06-25 12:07 . 2009-06-25 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-06-24 20:30 . 2009-06-24 20:30 -------- d-----w- c:\program files\Alwil Software

2009-06-24 16:39 . 2009-06-24 16:39 -------- d-----w- c:\program files\Secunia

2009-06-23 18:01 . 2009-05-21 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla

2009-06-23 11:57 . 2009-05-07 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-19 15:06 . 2009-06-19 15:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\GlarySoft

2009-06-19 13:37 . 2009-06-25 12:07 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys

2009-06-19 13:37 . 2009-06-25 12:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys

2009-06-19 13:37 . 2009-06-25 12:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys

2009-06-18 13:17 . 2009-06-18 13:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\TortoiseSVN

2009-06-18 13:00 . 2009-05-06 21:05 35760 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-18 12:48 . 2009-06-18 12:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion

2009-06-18 12:34 . 2009-06-18 12:34 -------- d-----w- c:\program files\Microsoft SQL Server

2009-06-18 12:34 . 2009-06-18 12:34 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll

2009-06-18 12:33 . 2009-06-18 12:33 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll

2009-06-18 12:23 . 2009-06-18 12:23 -------- d-----w- c:\program files\Microsoft SDKs

2009-06-17 23:05 . 2009-06-17 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0

2009-06-17 17:16 . 2009-06-17 17:16 -------- d-----w- c:\program files\ATI Technologies

2009-06-17 12:20 . 2009-03-24 11:03 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys

2009-06-17 10:51 . 2009-06-17 10:51 720896 ----a-w- c:\windows\iun6002.exe

2009-06-16 14:36 . 2008-04-14 03:42 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2008-04-14 03:41 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-13 21:09 . 2009-06-13 21:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC

2009-06-11 19:23 . 2009-05-06 20:47 -------- d-----w- c:\program files\ESAP 3

2009-06-10 11:57 . 2009-06-10 11:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire

2009-06-06 19:00 . 2009-06-06 19:00 249856 ------w- c:\windows\Setup1.exe

2009-06-06 19:00 . 2009-06-06 19:00 73216 ----a-w- c:\windows\ST6UNST.EXE

2009-06-05 17:48 . 2009-06-05 17:48 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-06-03 19:09 . 2008-04-14 03:42 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-01 16:07 . 2009-06-01 16:07 46080 ----a-w- c:\windows\system32\cimo.sys

2009-06-01 13:41 . 2009-06-01 13:41 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys

.

------- Sigcheck -------

[-] 2009-03-11 14:31 2003456 A93D1D8A4122F7DEFDD4D0F34CF67213 c:\windows\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\OAui.exe" [2009-07-11 2121416]

"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-06-19 259344]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"Styler"="c:\program files\ESAP 3\Windows 7 - Styler\Styler.exe" [2007-04-15 307200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoRecentDocsNetHood"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]

"1"= avnotify.dll

"2"= avnotify.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-07-11 336584]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Curse\\CurseClient.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-06-25 51984]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-06-25 46864]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-05-07 200784]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-05-07 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-05-07 29776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-04-28 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-04-28 72944]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-27 108289]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-05-07 362184]

R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-05-07 3142344]

R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-06-25 33552]

S3 cimo;cimo;c:\windows\system32\cimo.sys [2009-06-01 46080]

S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-06-24 131072]

S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-06-24 79104]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-03-24 12648]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]

S3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2009-05-26 146112]

S3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2009-05-26 6272]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-06-25 c:\windows\Tasks\User_Feed_Synchronization-{DF99D6C6-4DB4-40DE-8F14-A620F885C18F}.job

- c:\windows\system32\msfeedssync.exe [2009-05-06 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.garena.com/portal/

TCP: {47FCC92C-B442-4704-B678-11F8AE118855} = 208.67.222.222,208.67.220.220

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z8x8krrv.default\

FF - prefs.js: browser.search.selectedEngine - Wowhead

FF - prefs.js: browser.startup.homepage - hxxp://muffos.wowstead.com/|http://www.malwarebytes.org/forums/index.php?showtopic=20619&st=0&p=105270entry105270|http://www.bleepingcomputer.com/combofix/how-to-use-combofix

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-08 09:44

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\ADMINI~1\LOCALS~1\Temp\RGI5.tmp 7075 bytes

scan completed successfully

hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1958367476-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b1,2c,4d,d7,65,7a,47,96,d2,8d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b1,2c,4d,d7,65,7a,47,96,d2,8d,\

[HKEY_USERS\S-1-5-21-1935655697-1958367476-1606980848-500\Software\SecuROM\License information*]

"datasecu"=hex:9a,b5,9e,db,72,66,a3,5e,dd,6f,98,6e,6c,af,df,ba,4c,5e,e5,60,a5,

f7,a2,55,a8,d8,c7,7f,63,12,32,51,df,40,1d,a0,2d,2f,5f,a1,57,75,79,23,59,d7,\

"rkeysecu"=hex:d0,8e,a6,97,8b,09,6e,d3,54,6f,34,d4,9c,01,8c,ed

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(472)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\ThreatFire\TFWAH.dll

c:\program files\ThreatFire\TFNI.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\ThreatFire\TFMon.dll

c:\program files\ThreatFire\TFRK.dll

- - - - - - - > 'lsass.exe'(528)

c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(1636)

c:\windows\system32\WININET.dll

c:\program files\ThreatFire\TFWAH.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\program files\ThreatFire\TFNI.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\ThreatFire\TFMon.dll

c:\program files\ThreatFire\TFRK.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\ThreatFire\TFService.exe

c:\program files\Tall Emu\Online Armor\oahlp.exe

.

**************************************************************************

.

Completion time: 2009-08-08 9:51 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-08 08:51

Pre-Run: 34


  • Root Admin

Please do not use CODE or QUOTE tags when posting, thanks.

Okay, you have something running there that probably does not belong, but it could be due to one of the many other security software apps you're running.

STEP 01

    Please create a BOOTLOG
  • Delete the following file if it exists: C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally, creates a boot log named ntbtlog.txt and saves it to C:\Windows.

ntb log

Service Pack 3 8 9 2009 10:18:38.500

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver sptd.sys

Loaded driver \WINDOWS\System32\Drivers\WMILIB.SYS

Loaded driver \WINDOWS\System32\Drivers\SCSIPORT.SYS

Loaded driver ACPI.sys

Loaded driver pci.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS

Loaded driver isapnp.sys

Loaded driver PCIIde.sys

Loaded driver \WINDOWS\System32\Drivers\PCIIDEX.SYS

Loaded driver intelide.sys

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltMgr.sys

Loaded driver sr.sys

Loaded driver TfSysMon.sys

Loaded driver TfFsMon.sys

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver Mup.sys

Loaded driver agp440.sys

Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\BCMSM.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\ctoss2k.sys

Loaded driver \SystemRoot\system32\DRIVERS\ctsfm2k.sys

Loaded driver \SystemRoot\system32\drivers\P16X.sys

Loaded driver \SystemRoot\system32\DRIVERS\e100b325.sys

Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\serial.sys

Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\parport.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\Drivers\asw5vr9z.SYS

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys

Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\OAnet.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\OAmon.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\system32\DRIVERS\ssmdrv.sys

Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS

Loaded driver \??\C:\WINDOWS\system32\drivers\OADriver.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\system32\DRIVERS\avipbb.sys

Loaded driver \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\avgntflt.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Did not load driver \SystemRoot\system32\DRIVERS\avgntflt.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\TfNetMon.sys

Loaded driver \??\C:\WINDOWS\system32\Drivers\mchInjDrv.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

RootRepeal log

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/10 17:37

Program Version: Version 1.3.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: aujasnkj.sys

Image Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys

Address: 0xEF696000 Size: 83584 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF35D0000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7AA5000 Size: 8192 File Visible: No Signed: -

Status: -

Name: mchInjDrv.sys

Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys

Address: 0xF7C3F000 Size: 2560 File Visible: No Signed: -

Status: -

Name: PCI_PNP4910

Image Path: \Driver\PCI_PNP4910

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF1568000 Size: 49152 File Visible: No Signed: -

Status: -

Name: spjv.sys

Image Path: spjv.sys

Address: 0xF744D000 Size: 1052672 File Visible: No Signed: -

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 017 Function Name: NtAllocateVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b6e60

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b75c0

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b5610

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c40d0

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xf7cc486e

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b52c0

#: 047 Function Name: NtCreateProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b2580

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b2960

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b2060

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xf7cc4864

#: 057 Function Name: NtDebugActiveProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b45a0

#: 062 Function Name: NtDeleteFile

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4b50

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xf7cc4873

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xf7cc487d

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4fe0

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4070

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c40a0

#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b65d0

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xf7cc4882

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4760

#: 119 Function Name: NtOpenKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c2c20

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xf7cc4850

#: 125 Function Name: NtOpenSection

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b2300

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xf7cc4855

#: 137 Function Name: NtProtectVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b7250

#: 145 Function Name: NtQueryDirectoryFile

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b6a10

#: 160 Function Name: NtQueryKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4010

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4040

#: 180 Function Name: NtQueueApcThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b7740

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xf7cc488c

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b6180

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xf7cc4887

#: 206 Function Name: NtResumeThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4c90

#: 207 Function Name: NtSaveKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c3ff0

#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b59d0

#: 213 Function Name: NtSetContextThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b43c0

#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4720

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xf7cc4878

#: 249 Function Name: NtShutdownSystem

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b64d0

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4e40

#: 254 Function Name: NtSuspendThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4ac0

#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4900

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xf7cc485f

#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b41a0

#: 262 Function Name: NtUnloadDriver

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b67f0

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b7400

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_CREATE]

Process: System Address: 0x86d911f8 Size: 121

Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_CLOSE]

Process: System Address: 0x86d911f8 Size: 121

Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86d911f8 Size: 121

Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86d911f8 Size: 121

Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_POWER]

Process: System Address: 0x86d911f8 Size: 121

Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86d911f8 Size: 121

Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_PNP]

Process: System Address: 0x86d911f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x86e47500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]

Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]

Process: System Address: 0x86e4b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]

Process: System Address: 0x86e4b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86e4b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86e4b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]

Process: System Address: 0x86e4b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86e4b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]

Process: System Address: 0x86e4b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System Address: 0x86fd91f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System Address: 0x863d01f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System Address: 0x863d01f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x863d01f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x863d01f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System Address: 0x863d01f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System Address: 0x863d01f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System Address: 0x86e80500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System Address: 0x86e80500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x86e80500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x86e80500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System Address: 0x86e80500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x86e80500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System Address: 0x86e80500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]

Process: System Address: 0x863cb1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_CREATE]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_CLOSE]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_READ]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_SHUTDOWN]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_CLEANUP]

Process: System Address: 0x863c61f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_PNP]

Process: System Address: 0x863c61f8 Size: 121

==EOF==

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:04:19, on 2009-08-10

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\ThreatFire\TFService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ThreatFire\TFTray.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\Program Files\Tall Emu\Online Armor\OAhlp.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\ESAP 3\Windows 7 - Styler\TB\StylerTB.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [styler] C:\Program Files\ESAP 3\Windows 7 - Styler\Styler.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{47FCC92C-B442-4704-B678-11F8AE118855}: NameServer = 208.67.222.222,208.67.220.220

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--

End of file - 5893 bytes

And Kaspersky failed; I got this error message:

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Key is expired]

and I reloaded the scanner several times but still got that.

There has been no change in the speed of my computer since the last time I posted.

GMERlog.zip

DriversGeneral.txt

DriversSigned.txt


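The GMER output in the post above has two record shapes worth reading mechanically rather than by eye: SSDT entries, most attributed to OADriver.sys (Online Armor, which the HijackThis log shows installed) but a set attributed to "<unknown>" at addresses in the 0xf7cc48xx range, and "Hidden Code" IRP-dispatch redirections, including for drivers whose names print as garbage. The Python script below is an added example, not code from this thread or from GMER. It parses both shapes, groups SSDT hooks by the module GMER attributed them to, buckets the unattributed hook addresses by 4 KiB page to show whether they share one region, lists the redirect address per driver, and flags driver names containing non-printable characters. The embedded sample is a constructed excerpt in the same layout as the log above, not the poster's full log.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the GMER log posted above: a few SSDT
# entries and a few "Hidden Code" IRP entries, not the poster's full log.
SAMPLE_LOG = """\
#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xf36c40d0

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xf7cc486e

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xf7cc4850

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xf7cc485f

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x86fd71f8 Size: 121

Object: Hidden Code [Driver: adn8wzoh\u0205\u7411\u7346, IRP_MJ_CREATE]

Process: System Address: 0x86d911f8 Size: 121

==EOF==
"""

# One SSDT record: "#: NNN Function Name: X", then (blank lines allowed) the
# Status line naming the hooking module and the hook address.
SSDT_RE = re.compile(
    r'^#: (?P<index>\d+) Function Name: (?P<func>\w+)\s*'
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)',
    re.MULTILINE)

# One IRP record: the Object line names driver and major function, the
# Process line gives the address the dispatch entry now points to.
IRP_RE = re.compile(
    r'^Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_\w+)\]\s*'
    r'Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)',
    re.MULTILINE)


def parse_ssdt_hooks(text):
    """One dict per hooked SSDT entry (index and addr converted to int)."""
    hooks = []
    for m in SSDT_RE.finditer(text):
        d = m.groupdict()
        d["index"] = int(d["index"])
        d["addr"] = int(d["addr"], 16)
        hooks.append(d)
    return hooks


def parse_irp_hooks(text):
    """One dict per redirected IRP dispatch entry (addr and size as int)."""
    hooks = []
    for m in IRP_RE.finditer(text):
        d = m.groupdict()
        d["addr"] = int(d["addr"], 16)
        d["size"] = int(d["size"])
        hooks.append(d)
    return hooks


def ssdt_hooks_by_module(hooks):
    """Group hooked function names by the module GMER attributed them to."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["module"]].append(h["func"])
    return dict(groups)


def unattributed_hook_pages(hooks, page_shift=12):
    """Bucket "<unknown>" hook addresses by 4 KiB page: if they all fall in
    one page they almost certainly belong to one unnamed module."""
    pages = defaultdict(list)
    for h in hooks:
        if h["module"].strip("<>").lower() == "unknown":
            page = (h["addr"] >> page_shift) << page_shift
            pages[page].append(h["func"])
    return dict(pages)


def irp_hook_targets(irp_hooks):
    """Per driver, the sorted set of addresses its IRP handlers point to."""
    targets = defaultdict(set)
    for h in irp_hooks:
        targets[h["driver"]].add(h["addr"])
    return {k: sorted(v) for k, v in targets.items()}


def odd_driver_names(irp_hooks):
    """Driver names with characters outside printable ASCII."""
    return sorted({h["driver"] for h in irp_hooks
                   if any(not 32 <= ord(c) < 127 for c in h["driver"])})


def triage(text):
    ssdt = parse_ssdt_hooks(text)
    irp = parse_irp_hooks(text)
    return {
        "ssdt_by_module": ssdt_hooks_by_module(ssdt),
        "unknown_pages": unattributed_hook_pages(ssdt),
        "irp_targets": irp_hook_targets(irp),
        "odd_driver_names": odd_driver_names(irp),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for module, funcs in report["ssdt_by_module"].items():
        print(f"{module}: {len(funcs)} SSDT hook(s): {', '.join(funcs)}")
    for page, funcs in report["unknown_pages"].items():
        print(f"unattributed hooks in page {page:#x}: {', '.join(funcs)}")
    for driver, addrs in report["irp_targets"].items():
        print(f"IRP handlers of {driver!r} -> {[hex(a) for a in addrs]}")
    print("driver names with non-printable chars:", report["odd_driver_names"])
```

Run it against a saved GMER text file by replacing SAMPLE_LOG with the file contents. The page bucketing only says that the unattributed hooks share a region; identifying which driver owns that region needs the driver list with load addresses (the DriversGeneral.txt attachment, or a kernel debugger), and the script does not guess.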

  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Driver::
aujasnkj.sys
asw5vr9z.SYS
sptd
File::
c:\WINDOWS\System32\Drivers\sptd.sys
c:\windows\System32\Drivers\asw5vr9z.SYS
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys
c:\windows\spjv.sys
c:\windows\system32\spjv.sys
c:\windows\system32\drivers\spjv.sys
c:\windows\system32\drivers\adn8wzoh.SYS
C:\WINDOWS\system32\Drivers\mchInjDrv.sys
C:\Documents and Settings\Administrator\Desktop\koybmqk1.exe

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Please temporarily disable your current Anti-Virus and run this Online AV scanner.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
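The STEP 01 script asks ComboFix to stop and remove a list of drivers and files; the ComboFix log that comes back echoes the requested files under FILE :: and records what was actually removed under Other Deletions and Drivers/Services. Rather than assume the fix took, compare the two. The Python script below is an added example, not part of the instructions above and not ComboFix's own code; it parses a CFScript and a ComboFix log and reports which requested files were echoed, which were deleted, which were not, and which requested drivers have a matching Service_ entry among the removed services. Both embedded inputs are constructed samples in the same layout as the script and the log in this thread. Path comparison is a plain case-insensitive string match, so an 8.3 short path such as DOCUME~1\... will not match its long-form echo.

```python
import re

# Constructed sample in the shape of the CFScript given in STEP 01 above
# (directive headers end in "::"; each is followed by its list).
SAMPLE_CFSCRIPT = """\
KILLALL::
Driver::
sptd
asw5vr9z.SYS
File::
c:\\WINDOWS\\System32\\Drivers\\sptd.sys
c:\\windows\\System32\\Drivers\\asw5vr9z.SYS
C:\\Documents and Settings\\Administrator\\Desktop\\koybmqk1.exe
"""

# Constructed sample in the layout of a ComboFix log: the FILE :: echo of the
# script, then banner-delimited "Other Deletions" and "Drivers/Services".
SAMPLE_COMBOFIX_LOG = """\
ComboFix 09-08-10.04 - Administrator 2009-08-11 9:55.2.1 - NTFSx86
FILE ::
"c:\\documents and settings\\Administrator\\Desktop\\koybmqk1.exe"
"c:\\windows\\System32\\Drivers\\asw5vr9z.SYS"
"c:\\windows\\System32\\Drivers\\sptd.sys"
.
((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
.
c:\\documents and settings\\Administrator\\Desktop\\koybmqk1.exe
c:\\windows\\System32\\Drivers\\sptd.sys
.
((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))
.
-------\\Legacy_SPTD
-------\\Service_sptd
((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))
.
"""

DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
BANNER_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")


def parse_cfscript(text):
    """Return {directive: [entries]} for a CFScript, e.g. {"File": [...]}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Split a ComboFix log on its "(((( name ))))" banners. Lines before the
    first banner go under "header" (that is where FILE :: is echoed); the
    lone "." separator lines are dropped."""
    sections, current = {"header": []}, "header"
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == ".":
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def _norm(path):
    # Case-insensitive, quote-stripped comparison; does not resolve 8.3 names.
    return path.strip().strip('"').lower()


def check_fix(cfscript_text, combofix_text):
    """Compare what the CFScript asked for with what the ComboFix log records."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_log(combofix_text)
    requested = {_norm(p) for p in script.get("File", [])}
    echoed = {_norm(l) for l in log["header"] if l.startswith('"')}
    deleted = {_norm(l) for l in log.get("Other Deletions", [])}
    # "-------\Service_sptd" -> "service_sptd"
    services = {l.rsplit("\\", 1)[-1].lower()
                for l in log.get("Drivers/Services", [])}
    drivers = {d.lower() for d in script.get("Driver", [])}
    removed = {d for d in drivers
               if f"service_{d}" in services
               or f"service_{d.rsplit('.', 1)[0]}" in services}
    return {
        "requested_not_echoed": sorted(requested - echoed),
        "deleted": sorted(requested & deleted),
        "not_deleted": sorted(requested - deleted),
        "driver_removed": sorted(removed),
        "driver_not_removed": sorted(drivers - removed),
    }


if __name__ == "__main__":
    for key, paths in check_fix(SAMPLE_CFSCRIPT, SAMPLE_COMBOFIX_LOG).items():
        print(f"{key}: {paths}")
```

A requested file that appears under "not_deleted" was either absent at scan time or not removed; the log alone does not distinguish the two, so anything still listed there is what to re-check on disk (including with a second scanner, as STEP 02 does) before calling the machine clean.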

ComboFix log

ComboFix 09-08-10.04 - Administrator 2009-08-11 9:55.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.1023.672 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

* Created a new restore point

FILE ::

"c:\docume~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys"

"c:\documents and settings\Administrator\Desktop\koybmqk1.exe"

"c:\windows\spjv.sys"

"c:\windows\system32\drivers\adn8wzoh.SYS"

"c:\windows\System32\Drivers\asw5vr9z.SYS"

"c:\windows\system32\Drivers\mchInjDrv.sys"

"c:\windows\system32\drivers\spjv.sys"

"c:\windows\System32\Drivers\sptd.sys"

"c:\windows\system32\spjv.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Desktop\koybmqk1.exe

c:\windows\System32\Drivers\sptd.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SPTD

-------\Service_sptd

((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))

.

2009-08-08 13:46 . 2009-08-08 13:46 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\windows\system32\wbem\snmp

2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\windows\system32\xircom

2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\program files\microsoft frontpage

2009-08-07 18:07 . 2009-08-07 18:07 -------- d-----w- c:\program files\Gravity

2009-08-07 12:39 . 2009-08-07 12:39 -------- d-----w- c:\program files\Audacity

2009-08-05 14:05 . 2009-08-07 22:09 -------- d-----w- c:\program files\Diablo II

2009-08-04 13:46 . 2009-08-04 14:39 -------- d-----w- C:\Unreal2

2009-08-04 13:37 . 2009-08-04 13:37 -------- d--h--w- c:\windows\PIF

2009-08-02 15:47 . 2009-08-06 14:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2009-08-02 15:43 . 2009-08-02 15:55 -------- d-----w- c:\program files\Opera

2009-08-02 15:33 . 2009-08-02 15:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2009-08-02 15:33 . 2009-08-02 15:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2009-07-31 12:22 . 2009-08-02 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-31 12:22 . 2009-08-02 14:15 -------- d-----w- c:\program files\NOS

2009-07-28 16:00 . 2009-07-28 16:00 -------- d-----w- C:\Sandbox

2009-07-28 16:00 . 2009-08-04 15:19 -------- d-----w- c:\program files\Sandboxie

2009-07-28 11:53 . 2009-07-28 12:22 -------- d-----w- c:\program files\rise

2009-07-28 11:52 . 2009-07-28 11:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield

2009-07-27 21:21 . 2009-07-28 09:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Games

2009-07-27 20:51 . 2009-07-27 20:52 -------- d-----w- c:\program files\Hamachi

2009-07-25 09:53 . 2009-07-25 09:56 -------- d-----w- C:\Oplex

2009-07-24 09:58 . 2009-07-24 09:58 -------- d-----w- c:\program files\Defraggler

2009-07-23 19:51 . 2009-08-11 08:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\CurseClient

2009-07-23 19:51 . 2009-07-23 19:51 -------- d-----w- c:\program files\Curse

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-11 09:06 . 2009-05-07 11:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-10 20:50 . 2009-05-07 14:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2009-08-10 20:12 . 2009-07-12 10:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp

2009-08-08 13:47 . 2009-05-07 08:50 -------- d-----w- c:\program files\Java

2009-08-08 11:36 . 2009-06-06 15:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Hamachi

2009-08-08 08:16 . 2009-07-10 12:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus

2009-08-07 18:06 . 2009-05-07 15:58 65536 -c--a-w- c:\windows\IFinst27.exe

2009-08-06 14:50 . 2009-08-02 15:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2009-08-05 14:08 . 2009-05-08 18:18 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2009-08-05 12:15 . 2009-05-06 20:21 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-04 13:46 . 2009-05-07 07:39 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-04 13:23 . 2009-05-14 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-08-03 21:29 . 2009-05-07 09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-03 21:28 . 2009-05-26 19:56 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-03 12:36 . 2009-05-07 09:09 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 12:36 . 2009-05-07 09:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-03 10:27 . 2009-06-17 23:00 -------- d-----w- c:\program files\Common Files\GTK

2009-08-02 16:01 . 2009-05-11 10:18 -------- d-----w- c:\program files\osu!

2009-08-02 15:12 . 2009-05-09 00:05 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2009-08-02 14:56 . 2009-05-07 10:51 -------- d-----w- c:\program files\SpywareBlaster

2009-07-31 11:52 . 2009-06-25 12:07 -------- d-----w- c:\program files\ThreatFire

2009-07-31 11:52 . 2009-05-07 16:28 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-27 20:51 . 2009-06-06 15:53 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys

2009-07-27 13:16 . 2009-07-09 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2009-07-25 04:23 . 2009-05-07 08:50 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-24 12:42 . 2009-06-01 17:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spotify

2009-07-13 07:16 . 2009-06-03 16:59 -------- d-----w- c:\program files\Guild Wars

2009-07-12 10:10 . 2009-07-12 10:10 -------- d-----w- c:\program files\Winamp

2009-07-12 09:26 . 2009-07-11 12:38 -------- d-----w- c:\program files\DivX

2009-07-11 04:59 . 2009-05-07 08:53 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys

2009-07-11 04:17 . 2009-05-07 08:53 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys

2009-07-11 04:17 . 2009-05-07 08:53 200784 ----a-w- c:\windows\system32\drivers\OADriver.sys

2009-07-10 16:14 . 2009-07-10 16:14 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe

2009-07-10 16:14 . 2009-07-10 16:14 -------- d-----w- c:\program files\Microsoft WSE

2009-07-10 14:11 . 2009-07-09 09:42 25 ----a-w- c:\windows\popcinfot.dat

2009-07-10 12:20 . 2009-07-10 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus

2009-07-09 18:58 . 2009-07-09 18:58 -------- d-----w- c:\program files\VideoLAN

2009-07-09 14:48 . 2009-07-09 14:48 -------- d--h--r- c:\documents and settings\Administrator\Application Data\SecuROM

2009-07-09 14:14 . 2009-07-09 14:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Red Alert 3

2009-07-08 18:41 . 2009-07-08 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

2009-07-08 15:41 . 2009-06-17 23:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\.purple

2009-07-03 17:09 . 2009-03-16 18:46 915456 ----a-w- c:\windows\system32\wininet.dll

2009-07-03 11:54 . 2009-05-07 11:09 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-02 10:10 . 2009-07-02 09:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\InfraRecorder

2009-07-01 10:18 . 2009-06-18 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-07-01 10:18 . 2009-06-18 12:28 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0

2009-06-29 14:49 . 2009-06-29 14:48 -------- d-----w- c:\program files\Intel

2009-06-26 23:51 . 2009-06-26 23:51 -------- d-----w- c:\program files\Avira

2009-06-26 23:51 . 2009-06-26 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-06-26 16:43 . 2009-05-07 11:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-06-25 12:07 . 2009-06-25 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-06-24 20:30 . 2009-06-24 20:30 -------- d-----w- c:\program files\Alwil Software

2009-06-24 16:39 . 2009-06-24 16:39 -------- d-----w- c:\program files\Secunia

2009-06-23 18:01 . 2009-05-21 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla

2009-06-23 11:57 . 2009-05-07 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-19 15:06 . 2009-06-19 15:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\GlarySoft

2009-06-19 13:37 . 2009-06-25 12:07 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys

2009-06-19 13:37 . 2009-06-25 12:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys

2009-06-19 13:37 . 2009-06-25 12:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys

2009-06-18 13:17 . 2009-06-18 13:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\TortoiseSVN

2009-06-18 13:00 . 2009-05-06 21:05 35760 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-18 12:48 . 2009-06-18 12:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion

2009-06-18 12:34 . 2009-06-18 12:34 -------- d-----w- c:\program files\Microsoft SQL Server

2009-06-18 12:34 . 2009-06-18 12:34 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll

2009-06-18 12:33 . 2009-06-18 12:33 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll

2009-06-18 12:23 . 2009-06-18 12:23 -------- d-----w- c:\program files\Microsoft SDKs

2009-06-17 23:05 . 2009-06-17 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0

2009-06-17 17:16 . 2009-06-17 17:16 -------- d-----w- c:\program files\ATI Technologies

2009-06-17 12:20 . 2009-03-24 11:03 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys

2009-06-17 10:51 . 2009-06-17 10:51 720896 ----a-w- c:\windows\iun6002.exe

2009-06-16 14:36 . 2008-04-14 03:42 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2008-04-14 03:41 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-13 21:09 . 2009-06-13 21:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC

2009-06-06 19:00 . 2009-06-06 19:00 249856 ------w- c:\windows\Setup1.exe

2009-06-06 19:00 . 2009-06-06 19:00 73216 ----a-w- c:\windows\ST6UNST.EXE

2009-06-03 19:09 . 2008-04-14 03:42 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-01 16:07 . 2009-06-01 16:07 46080 ----a-w- c:\windows\system32\cimo.sys

2009-06-01 13:41 . 2009-06-01 13:41 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys

.

------- Sigcheck -------

[-] 2009-03-11 14:31 2003456 A93D1D8A4122F7DEFDD4D0F34CF67213 c:\windows\explorer.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-08-08_08.44.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-11 09:05 . 2009-08-11 09:05 16384 c:\windows\temp\Perflib_Perfdata_68c.dat

+ 2009-08-11 09:04 . 2009-08-11 09:04 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat

+ 2009-08-08 13:47 . 2009-07-25 04:23 149280 c:\windows\system32\javaws.exe

+ 2009-08-08 13:47 . 2009-07-25 04:23 145184 c:\windows\system32\javaw.exe

+ 2009-08-08 13:47 . 2009-07-25 04:23 145184 c:\windows\system32\java.exe

+ 2009-08-11 09:04 . 2009-08-11 09:04 212992 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat

+ 2009-08-11 09:04 . 2009-08-11 09:04 315392 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT

+ 2009-08-11 09:04 . 2009-08-11 09:04 5173248 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-07-11 2121416]

"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-06-19 259344]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"Styler"="c:\program files\ESAP 3\Windows 7 - Styler\Styler.exe" [2007-04-15 307200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"ShowDeskFix"="shell32" [X]

"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoRecentDocsNetHood"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]

"1"= avnotify.dll

"2"= avnotify.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-07-11 336584]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Curse\\CurseClient.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-06-25 51984]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-06-25 46864]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-05-07 200784]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-05-07 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-05-07 29776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-04-28 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-04-28 72944]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-27 108289]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-05-07 362184]

R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-05-07 3142344]

R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-06-25 33552]

S3 cimo;cimo;c:\windows\system32\cimo.sys [2009-06-01 46080]

S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-06-24 131072]

S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-06-24 79104]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-03-24 12648]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]

S3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2009-05-26 146112]

S3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2009-05-26 6272]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-08 c:\windows\Tasks\User_Feed_Synchronization-{DF99D6C6-4DB4-40DE-8F14-A620F885C18F}.job

- c:\windows\system32\msfeedssync.exe [2009-05-06 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.garena.com/portal/

TCP: {47FCC92C-B442-4704-B678-11F8AE118855} = 208.67.222.222,208.67.220.220

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z8x8krrv.default\

FF - prefs.js: browser.search.selectedEngine - Wowhead

FF - prefs.js: browser.startup.homepage - hxxp://muffos.wowstead.com/|http://www.wowhead.com/?forums&topic=54456|http://www.wowhead.com/?talent#IsxrbhMuoVVRb:Mio0VM|http://www.wowhead.com/?talent#IZ0GfhkAdVcsMz

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-11 10:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1958367476-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b1,2c,4d,d7,65,7a,47,96,d2,8d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b1,2c,4d,d7,65,7a,47,96,d2,8d,\

[HKEY_USERS\S-1-5-21-1935655697-1958367476-1606980848-500\Software\SecuROM\License information*]

"datasecu"=hex:9a,b5,9e,db,72,66,a3,5e,dd,6f,98,6e,6c,af,df,ba,4c,5e,e5,60,a5,

f7,a2,55,a8,d8,c7,7f,63,12,32,51,df,40,1d,a0,2d,2f,5f,a1,57,75,79,23,59,d7,\

"rkeysecu"=hex:d0,8e,a6,97,8b,09,6e,d3,54,6f,34,d4,9c,01,8c,ed

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\program files\ThreatFire\TFWAH.dll

c:\program files\ThreatFire\TFNI.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\ThreatFire\TFMon.dll

c:\program files\ThreatFire\TFRK.dll

- - - - - - - > 'lsass.exe'(516)

c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(2916)

c:\windows\system32\WININET.dll

c:\program files\ThreatFire\TFWAH.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\program files\ThreatFire\TFNI.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\ThreatFire\TFMon.dll

c:\program files\ThreatFire\TFRK.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\ThreatFire\TFService.exe

c:\program files\Tall Emu\Online Armor\oahlp.exe

c:\program files\ThreatFire\TFUN.exe

.

**************************************************************************

.

Completion time: 2009-08-11 10:16 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-11 09:16

ComboFix2.txt 2009-08-08 08:51

Pre-Run: 35

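The ComboFix log above is read by eye for a handful of signals: executables sitting directly in c:\windows rather than in a subfolder, a driver outside the drivers folder, a Sigcheck line marked [-] (a system file that did not pass ComboFix's signature check, here explorer.exe with its MD5), an autorun whose target is missing ([X]), a service whose image path could not be verified ([?]), Explorer DisallowRun policies, the Windows Firewall profile switched off, and a deregistered driver. The script below is an added example for this thread, not part of the original post and not a Malwarebytes or ComboFix tool; it applies those checks to an excerpt copied from the log above. The regexes and finding categories are this example's own assumptions about the log layout. Everything it returns is a review item, not a verdict: on this machine the DisallowRun entries block Avira's notifier and the firewall profile is off because Online Armor is installed, both visible in the same log.

```python
"""Triage a ComboFix log for the entries a helper looks at first.

Added example for this thread, not part of the original post and not a
Malwarebytes or ComboFix tool. The regexes and finding categories are this
example's own assumptions about the log layout: file lines are
"modified . created size flags path", "[X]" marks a missing autorun target,
"[?]" a service path ComboFix could not verify, and a "[-]" Sigcheck line a
system file that did not pass its signature check.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity category subject")

# Constructed excerpt: lines copied from the log posted above.
SAMPLE_LOG = r"""
2009-08-07 18:06 . 2009-05-07 15:58 65536 -c--a-w- c:\windows\IFinst27.exe
2009-08-05 12:15 . 2009-05-06 20:21 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-09 14:48 . 2009-07-09 14:48 -------- d--h--r- c:\documents and settings\Administrator\Application Data\SecuROM
2009-06-17 10:51 . 2009-06-17 10:51 720896 ----a-w- c:\windows\iun6002.exe
2009-06-06 19:00 . 2009-06-06 19:00 249856 ------w- c:\windows\Setup1.exe
2009-06-01 16:07 . 2009-06-01 16:07 46080 ----a-w- c:\windows\system32\cimo.sys
[-] 2009-03-11 14:31 2003456 A93D1D8A4122F7DEFDD4D0F34CF67213 c:\windows\explorer.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= avnotify.dll
"2"= avnotify.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 cimo;cimo;c:\windows\system32\cimo.sys [2009-06-01 46080]
*Deregistered* - mchInjDrv
"""

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")

FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>-+|\d+) (?P<flags>[-a-z]{8}) (?P<path>.+)$")
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]+)\] \d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ "
    r"(?P<md5>[0-9A-Fa-f]{32}) (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>hk[^\]]+)\]$", re.IGNORECASE)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<info>[^\]]*)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"= ?(?P<value>.+)$')
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<rest>.+)$")


def triage(log_text):
    """Return Finding tuples for the log lines worth a second look."""
    findings = []
    key = ""  # registry key of the section currently being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = FILE_RE.match(line)
        if m:
            path, flags = m.group("path"), m.group("flags")
            parent, _, name = path.lower().rpartition("\\")
            # Installers and droppers like to leave executables in c:\windows itself.
            if parent == r"c:\windows" and name.endswith(EXEC_EXT):
                findings.append(Finding("review", "exe-in-windows-root", path))
            # Kernel drivers normally live under system32\drivers.
            if name.endswith(".sys") and "\\drivers\\" not in path.lower():
                findings.append(Finding("review", "driver-outside-drivers-dir", path))
            if "h" in flags:  # hidden attribute set
                findings.append(Finding("info", "hidden-entry", path))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            if m.group("status") == "-":  # look the MD5 up before trusting the file
                findings.append(Finding("high", "sigcheck-failed", m.group("path")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("rest").endswith("[?]"):
                findings.append(Finding("review", "service-unverified", m.group("name")))
            continue
        m = RUN_RE.match(line)
        if m:
            if m.group("info") == "X":  # autorun points at a file that is gone
                findings.append(Finding("review", "autorun-target-missing", m.group("name")))
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group("name"), m.group("value").strip()
            if "firewallpolicy" in key and name == "EnableFirewall" and value.startswith("0"):
                findings.append(Finding("review", "windows-firewall-off", key))
            elif key.endswith("disallowrun"):  # same policy malware uses to block AV tools
                findings.append(Finding("review", "disallowrun-policy", value))
            continue
        if line.startswith("*Deregistered*"):
            findings.append(Finding("info", "deregistered-driver", line.split("-", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.category:28} {f.subject}")
```

Run it against a full log by reading the file into `triage()`; lines the regexes do not recognise (section banners, the lone dots, Firefox prefs) fall through and are ignored, so the script is safe to point at the whole file.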

Yes, the programs don't hang as often but take a long time to start.

and I notice a slowdown in general now instead.

though something that bothers me now is that

alg.exe takes 33 980 K memory

explorer.exe takes 61 016 K memory

svchost.exe 59 364 K memory

svchost.exe 35 444 K memory

svchost.exe 34 292 K memory

when before the last fix they took

alg.exe unsure just know it was NOT that high

explorer.exe 20 364 K memory

svchost.exe 5 000 K memory

svchost.exe 10 000 K memory

svchost.exe 15 000 K memory

and the process

System takes 80-99% CPU the whole time! (204 K memory usage; before it was 25 K)

Extra text: just noticed that ALL Windows processes have started to take up more memory since the fix.

Is this normal? :S

GMER.zip


  • Root Admin

Well, the current logs show the system to be clean now. I'll leave you with the following.

Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP A

Uninstall ComboFix.exe

  • Click START then RUN.

  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the run box and click OK. Note the space between the X and the /U; it needs to be there.

  • When shown the disclaimer, select "2".

Remove the folder C:\QooBox if the uninstall instructions don't work, delete Combofix.exe, AND check your system time and reset it if needed.

STEP B

Uninstall GMER

Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP C

Uninstall other tools

Please download OTMoveIt by Old Timer and save it to your Desktop.

  • Double-click OTM.exe to run it.

  • While connected to the Internet, click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.

  • It should ask if you want to clean up; select Yes and allow the system to clean up these items.

    NOW please reboot your computer to finish the cleanup process.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".

  • If the shortcut is missing you can also click on START > RUN, type in %SystemRoot%\system32\restore\rstrui.exe and click OK.

  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next".

  • Give the new Restore Point a name, then click "Create".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use Disk Cleanup to remove all but the most recently created Restore Point.

  • Go to Start > Run and type: Cleanmgr.exe

  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "More Options" tab, then click the "Clean up" button under System Restore.

  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"

  • Click Yes, then click Ok.

  • Click Yes again when prompted with "Are you sure you want to perform these actions?"

  • Disk Cleanup will remove the files and close automatically.

  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available, remove them also.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

Here you can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

Computer and browser slowness are not always malware related

Poor performance and other problems can be the result of disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.

Listed below are a few things you can do to improve speed and system performance. Many of these suggestions will apply if you're using Windows Vista but may be done a bit differently. Near the bottom of this thread there is a section specifically devoted to Vista users.

For browser problems, see:

If you're having connectivity issues or errors such as Page cannot be displayed, see

If you're using Vista or Internet Explorer 7, see

If you have a lot of toolbars and add-ons attached to Internet Explorer, you could try improving performance by disabling those which are unnecessary. See:

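The hosts-file mechanism the reply above describes, as an added example that is not part of the original post and not hpHosts code: a block-list entry sends a hostname to 127.0.0.1 (some lists use 0.0.0.0) so the connection never leaves the machine, while malware abuses the same file in the other direction, pointing update or security-vendor hostnames at a remote address so the victim cannot reach them. The script parses a constructed sample hosts file and sorts its entries into block entries, redirections of watched vendor domains (hijack) and other redirections. The WATCHED list is this example's own assumption, seeded from sites named in the thread, and 192.0.2.0/24 is a documentation address range.

```python
"""Classify hosts-file entries: block-list entries versus redirections.

Added example for this thread, not part of the original post and not hpHosts
code. WATCHED, LOCAL_NAMES and SAMPLE_HOSTS are this example's own
assumptions; 192.0.2.0/24 is the TEST-NET-1 documentation range.
"""
import ipaddress

# Vendor/update domains whose redirection to a remote host is a hijack sign
# (assumption for this example, seeded from sites named in the thread).
WATCHED = ("microsoft.com", "malwarebytes.org", "secunia.com", "f-secure.com")

# Names every hosts file maps to loopback; these are not block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample hosts file, not taken from the machine in the thread.
SAMPLE_HOSTS = """\
# block-list style entries (what hpHosts adds)
127.0.0.1\tlocalhost
127.0.0.1\tads.example.com        # ad server
0.0.0.0\t\ttracker.example.net     # some lists use 0.0.0.0 instead
::1\t\tlocalhost
# entries a hijacker would add
192.0.2.44\twww.update.microsoft.com
192.0.2.44\twww.malwarebytes.org   www.secunia.com
192.0.2.9\tmirror.example.org      # redirect of a non-security host
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping; comments and junk skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:  # first token is not an address: malformed line
            continue
        for host in parts[1:]:  # one address may carry several names
            yield addr, host.lower()


def is_watched(host):
    """True if host is one of the WATCHED domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def classify(text):
    """Return dict with 'block', 'hijack' and 'redirect' lists of (ip, host)."""
    result = {"block": [], "hijack": [], "redirect": []}
    for addr, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        entry = (str(addr), host)
        if addr.is_loopback or addr.is_unspecified:
            result["block"].append(entry)    # sinkholed: traffic never leaves the box
        elif is_watched(host):
            result["hijack"].append(entry)   # security/update site sent elsewhere
        else:
            result["redirect"].append(entry)  # still worth a look, just not a vendor
    return result


if __name__ == "__main__":
    for kind, entries in classify(SAMPLE_HOSTS).items():
        for ip, host in entries:
            print(f"{kind:8} {ip:15} {host}")
```

To check a live Windows machine, read %SystemRoot%\system32\drivers\etc\hosts into `classify()`; anything in the hijack list is a reason to keep investigating even after the scanners come back clean.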
