Jump to content

Please Help! MWB, Hijack This and ComboFix won't run..


Recommended Posts

Hi,

I really appreciate any help or guidance you might be able to give me in regards to my infected computer. I cannot get MWB to run or update, nor will Hijack This or ComboFix run.

The initial clue that my computer was infected was that, google links were not opening properly in new windows in addition to strange music playing in the background. I did find a process running called a.exe, when i stopped that process the music stopped. I then I did a windows search for a.exe and found nothing, so I tried a search with hidden files and found it in the system folder somewhere, I trashed a.exe so the music has stopped but the google linking problem persists. Upon reflection this may not have been the best course of action (i'll let you be the judge) but it seemed like a good idea at the time since the anti-virus and spyware programs I had at the time weren't doing the trick. I was using AVG Free and Spybot. Both have been removed to the best of my ability (uninstalled), i don't see their processes anymore in the task manager.

I have installed Avira AntiVir Personal and was able to update that and do a scan. Several rootkits were found, however, the google linking problem persists and I am still unable to run MWB, Hijack This or ComboFix. Windows Defender also won't update and crashes on launch. So from what I have read on other peoples posts, it seems like I am still infected, and I could really use some expert advice!

I have run DDS and Gmer and have logs from both of those which I will paste and/or attach below. I have also run RootRepeal to see if there were any CLB Rootkits (which there weren't). Many thanks in advance!!

-Matt

DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86

Run by Matt at 8:48:26.50 on Tue 08/11/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1367 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Search Settings\SearchSettings.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TiVo\Desktop\TranscodingService.exe

C:\Program Files\TiVo\Desktop\TiVoNotify.exe

C:\Program Files\TiVo\Desktop\TiVoServer.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\PerSono\perstray.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Matt\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto

uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [WD_SRT] "c:\program files\western digital technologies\wd win98 se usb disk driver, v1.00.09\WD_SRT.EXE"

mRun: [WD Button Manager] WDBtnMgr.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [searchSettings] c:\program files\search settings\SearchSettings.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\perstray.lnk - c:\program files\persono\perstray.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\1vyq02on.default\

FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll

FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2005-2-10 72192]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-10 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-10 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-10 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-10 55656]

R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\drivers\uacflt.sys [2008-8-10 21276]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2003-10-22 344800]

S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\google\update\GoogleUpdate.exe [2008-12-18 133104]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]

=============== Created Last 30 ================

2009-08-11 08:46 <DIR> --d----- c:\program files\Trend Micro

2009-08-11 08:41 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-11 08:41 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-11 08:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-08-10 10:43 55,656 a------- c:\windows\system32\drivers\avgntflt.sys

2009-08-10 10:43 <DIR> --d----- c:\program files\Avira

2009-08-10 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

2009-08-10 10:15 <DIR> --d----- c:\docume~1\matt\applic~1\Malwarebytes

2009-08-10 10:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-08-10 10:06 <DIR> --d----- c:\docume~1\matt\applic~1\Search Settings

2009-08-10 09:58 <DIR> --d----- c:\program files\Search Settings

2009-08-10 09:58 <DIR> --d----- c:\program files\Free Audio Pack

2009-08-09 12:35 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

2009-08-07 10:39 <DIR> --d----- c:\documents and settings\matt\PrivacIE

2009-08-04 13:00 599,552 -c------ c:\windows\system32\dllcache\crypt32.dll

2009-08-04 13:00 177,664 -c------ c:\windows\system32\dllcache\wintrust.dll

2009-08-04 12:53 <DIR> --d----- c:\windows\system32\XPSViewer

2009-08-04 12:52 14,048 -------- c:\windows\system32\spmsg2.dll

2009-08-02 20:44 <DIR> --d----- c:\windows\system32\AGEIA

2009-08-02 20:44 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2009-08-02 20:30 <DIR> --d----- c:\program files\Codemasters

2009-08-02 18:40 <DIR> --d----- c:\docume~1\matt\applic~1\ArtificialStudios

2009-08-01 10:21 <DIR> --d----- c:\program files\iPod

2009-08-01 10:21 <DIR> --d----- c:\program files\iTunes

2009-08-01 10:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-23 19:57 41,872 a------- c:\windows\system32\xfcodec.dll

2009-07-12 20:13 <DIR> --d----- c:\program files\VideoLAN

2009-07-12 18:04 <DIR> --d----- c:\program files\VideoReDoTVSuite

2009-07-12 18:04 <DIR> --d----- c:\docume~1\matt\applic~1\VideoReDo-TVSuite

2009-07-12 16:11 <DIR> --d----- c:\program files\common files\TivoDecode

==================== Find3M ====================

2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll

2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll

2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll

2008-08-29 15:01 422,344 a------- c:\program files\setuplog.txt

============= FINISH: 8:48:48.59 ===============

DDSAttach.zip

GmerLog.zip

DDSAttach.zip

GmerLog.zip

Link to post
Share on other sites

Hi SIR CHEECH,

Sorry for the delay, we have been very busy this last month in the Malware Forum.

You have a new variant of a nasty infection. This new variant blocks security programs from running.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

SpySentinel, Hello!

Thanks so much for the reply, it is much appreciated. I followed your instructions to the letter. Unfortunately, combofix doesn't seem to be running. The green progress bar shows, completes and then the programs seems to shut down, no windows appear of any kind.

Are there any alternative measures we could take? I'd rather not reinstall if at all possible.

Thanks again for your assistance!

Link to post
Share on other sites

@SIR CHEECH

No worries, we will try to fix the issue without a reformat :(

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

@everyone else

Everyone else, please do not post to someones HJT thread. Please read Groups authorized to help with HJT logs

Link to post
Share on other sites

Thanks for the continues support SpySentinel, please see Win32kDiag.exe log below.

Hope this helps!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 18:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\scecli.dll

[1] 2004-08-04 06:00:00 180224 C:\WINDOWS\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 18:12:05 181248 C:\WINDOWS\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 18:12:05 60928 C:\WINDOWS\system32\scecli.dll ()

[2] 2008-04-13 18:12:05 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)

Finished!

Link to post
Share on other sites

you're welcome.

We Need to remove Rootkits with RootRepeal

  1. Download RootRepeal from the following location and save it to your desktop.

[*]Rar Mirrors - Only if you know what a RAR is and can extract it.

[*]Extract RootRepeal.exe from the archive.

[*]Open rootRepealDesktopIcon.png on your desktop.

[*]Click the reportTab.png tab.

[*]Click the btnScan.png button.

[*]Check all seven boxes: checkBoxes2.png

[*]Push Ok

[*]Check the box for your main system drive (Usually C:), and press Ok.

[*]Allow RootRepeal to run a scan of your system. This may take some time.

[*]Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Link to post
Share on other sites

awesome, ran the scan and report is pasted below ,')

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/18 21:56

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name:

Image Path:

Address: 0xF746B000 Size: 98304 File Visible: No Signed: -

Status: -

Name:

Image Path:

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: dump_diskdump.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys

Address: 0x9F976000 Size: 16384 File Visible: No Signed: -

Status: -

Name: dump_viaraid.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_viaraid.sys

Address: 0x9E276000 Size: 73728 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0x9B883000 Size: 49152 File Visible: No Signed: -

Status: -

Name: win32k.sys:1

Image Path: C:\WINDOWS\win32k.sys:1

Address: 0x9E569000 Size: 20480 File Visible: No Signed: -

Status: -

Name: win32k.sys:2

Image Path: C:\WINDOWS\win32k.sys:2

Address: 0xAC8D1000 Size: 61440 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: c:\recycler\s-1-5-21-1606980848-1965331169-682003330-1004\info2

Status: Size mismatch (API: 2420, Raw: 1620)

Path: C:\RECYCLER\S-1-5-21-1606980848-1965331169-682003330-1004\Dc3.exe

Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\scecli.dll

Status: Locked to the Windows API!

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "a347bus.sys" at address 0xf75bcaf8

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xa5d84466

#: 045 Function Name: NtCreatePagingFile

Status: Hooked by "a347bus.sys" at address 0xf75b0b00

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xa5d8445c

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xa5d8446b

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xa5d84475

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "a347bus.sys" at address 0xf75b1388

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "a347bus.sys" at address 0xf75bcbf0

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xa5d8447a

#: 119 Function Name: NtOpenKey

Status: Hooked by "a347bus.sys" at address 0xf75bca74

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xa5d84448

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xa5d8444d

#: 160 Function Name: NtQueryKey

Status: Hooked by "a347bus.sys" at address 0xf75b13a8

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "a347bus.sys" at address 0xf75bcb46

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xa5d84484

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xa5d8447f

#: 241 Function Name: NtSetSystemPowerState

Status: Hooked by "a347bus.sys" at address 0xf75bc390

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xa5d84470

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xa5d84457

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x8a8219f0 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]

Process: System Address: 0x8a3edbd0 Size: 11

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_READ]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_WRITE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_EA]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_EA]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLEANUP]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]

Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CREATE]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CLOSE]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_READ]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_WRITE]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_EA]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_EA]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CLEANUP]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_POWER]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_PNP]

Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]

Process: System Address: 0x8a26d3b8 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]

Process: System Address: 0x8a1f4cd0 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x8a284e18 Size: 11

Object: Hidden Code [Driver: NpfsЅఆ䵃Ψ泰䓰䓰, IRP_MJ_READ]

Process: System Address: 0x8a25d150 Size: 11

Object: Hidden Code [Driver: Msfsȅఈ灐畳ꀈ, IRP_MJ_READ]

Process: System Address: 0x8a26fea8 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]

Process: System Address: 0x8a270c18 Size: 11

Object: Hidden Code [Driver: Cdfsȅᰅ㍨訧佘佘〈託, IRP_MJ_READ]

Process: System Address: 0x8a4ac5e8 Size: 11

==EOF==

Link to post
Share on other sites

Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@echo off

copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.

Step #2

We need to execute an Avenger2 script

Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    c:\scecli.dll | C:\WINDOWS\system32\scecli.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #3

Now try running ComboFix and Malwarebytes, then post the logs here.

Link to post
Share on other sites

Ok, i followed your instructions; step 1 and step 2 seemed to work fine. I then tried to run combofix per your previous instructions in this post, the green progress bar finished and then no further activity. I also re-installed Malwarebytes and updated it, unfortunately, it wouldn't run its scan for more than a couple seconds before closing.

Posted below is the avenger log, i hope it helps.

i appreciate your assistance :(

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "c:\scecli.dll" not found!

File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Link to post
Share on other sites

Step #1

We need to execute an Avenger2 script

Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\scecli.dll | C:\WINDOWS\system32\scecli.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #2

Now try running ComboFix and Malwarebytes, then post the logs here.

Link to post
Share on other sites

Great work SpySentinel! The avenger script ran and rebooted the machine twice. After which i got a log (see below).

I attempted to run ComboFix per your previous instructions in this thread. This time the green progress bar ran and I got a message window that stated "You cannot rename ComboFix as Combo-Fix Please use another name, preferbaly made up of alphanumeric characters", it had an OK box and thats as far as i could get with combofix.

I reinstalled Malwarebytes and updated it. IT RAN!!! I did a Quick Scan, results posted below. I still have the dialog window open just in case, so let me know if its ok to Remove the threats :(

btw YOU ARE AWESOME!!

AVENGER LOG

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\scecli.dll|C:\WINDOWS\system32\scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Error: Script file not found!

Could not open script file! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Abort!

MBAM LOG

Malwarebytes' Anti-Malware 1.40

Database version: 2657

Windows 5.1.2600 Service Pack 3

8/19/2009 10:51:32 AM

mbam-log.txt

Scan type: Quick Scan

Objects scanned: 99939

Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.

C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.

Link to post
Share on other sites

Thanks SIR CHEECH, glad to hear it worked. This is a new nasty infection.

Please run Malwarebytes again, this time when it shows the items it found, please choose to remove them.

Then run ComboFix again and post both logs.

Link to post
Share on other sites

I ran MBAM again and removed the threats (log posted below).

Combofix is still giving me the same error "You cannot rename ComboFix as Combo-Fix Please use another name, preferbaly made up of alphanumeric characters"

MBAM Log

Malwarebytes' Anti-Malware 1.40

Database version: 2657

Windows 5.1.2600 Service Pack 3

8/19/2009 11:10:43 AM

mbam-log-2009-08-19 (11-10-43).txt

Scan type: Quick Scan

Objects scanned: 99939

Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Link to post
Share on other sites

101969MB got the same results, even though i downloaded the file and saved it with that name. On a lark, I deleted that and tried running the program with its standard name ComboFix.exe for some reason it worked. Log posted below.

ComboFix Log

ComboFix 09-08-18.04 - Matt 08/19/2009 12:01.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1524 [GMT -6:00]

Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Search Settings

c:\program files\Search Settings\kb128\SearchSettings.dll

c:\program files\Search Settings\kb128\SearchSettingsRes409.dll

c:\program files\Search Settings\SearchSettings.exe

c:\windows\Installer\180c480.msi

c:\windows\system32\skinboxer43.dll

H:\Autorun.inf

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_uacFlt

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_uacFlt

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))

.

2009-08-19 16:41 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-19 16:41 . 2009-08-19 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-19 16:41 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-19 16:36 . 2009-08-19 16:36 -------- d-s---w- C:\Combo-Fix

2009-08-17 23:03 . 2009-08-17 23:06 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-12 19:33 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-11 14:46 . 2009-08-11 14:46 -------- d-----w- c:\program files\Trend Micro

2009-08-10 16:43 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-10 16:43 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-10 16:43 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-10 16:43 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\program files\Avira

2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes

2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-10 16:06 . 2009-08-10 16:06 -------- d-----w- c:\documents and settings\Matt\Application Data\Search Settings

2009-08-07 18:17 . 2009-08-07 18:17 -------- d-----w- c:\program files\Windows Defender

2009-08-07 16:39 . 2009-08-07 16:39 -------- d-sh--w- c:\documents and settings\Matt\PrivacIE

2009-08-07 16:02 . 2009-08-07 16:02 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\WMTools Downloaded Files

2009-08-04 19:00 . 2008-11-13 14:18 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll

2009-08-04 19:00 . 2008-11-13 14:18 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll

2009-08-04 18:57 . 2009-08-04 18:57 -------- d-----w- c:\program files\MSBuild

2009-08-04 18:53 . 2009-08-08 21:44 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-04 18:52 . 2009-08-04 18:52 -------- d-----w- c:\program files\Reference Assemblies

2009-08-04 18:52 . 2006-06-29 19:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\windows\system32\AGEIA

2009-08-03 02:44 . 2009-08-03 02:45 -------- d-----w- c:\program files\AGEIA Technologies

2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\program files\Codemasters

2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\My Games

2009-08-03 00:40 . 2009-08-03 00:40 -------- d-----w- c:\documents and settings\Matt\Application Data\ArtificialStudios

2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iPod

2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iTunes

2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-08-01 16:16 . 2009-08-01 16:16 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

2009-08-01 15:59 . 2009-08-01 15:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2009-07-24 01:57 . 2009-07-24 01:57 41872 ----a-w- c:\windows\system32\xfcodec.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 17:44 . 2007-08-02 01:21 -------- d-----w- c:\documents and settings\Matt\Application Data\U3

2009-08-19 05:10 . 2008-08-29 02:37 -------- d-----w- c:\program files\Steam

2009-08-16 16:41 . 2009-07-13 00:04 -------- d-----w- c:\documents and settings\Matt\Application Data\VideoReDo-TVSuite

2009-08-16 16:38 . 2009-07-13 00:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-11 06:12 . 2008-08-11 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-10 16:01 . 2007-08-02 01:22 30944 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-10 15:58 . 2009-08-10 15:58 -------- d-----w- c:\program files\Free Audio Pack

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 01:42 . 2008-08-11 15:59 -------- d-----w- c:\documents and settings\Matt\Application Data\Xfire

2009-08-01 17:52 . 2008-08-11 04:00 -------- d-----w- c:\documents and settings\Matt\Application Data\Apple Computer

2009-08-01 16:20 . 2008-08-11 03:59 -------- d-----w- c:\program files\Bonjour

2009-07-30 17:31 . 2008-08-11 15:59 -------- d-----w- c:\program files\Xfire

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 05:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-13 04:44 . 2008-08-11 03:59 -------- d-----w- c:\program files\QuickTime

2009-07-13 04:43 . 2009-07-13 04:43 -------- d-----w- c:\program files\Apple Software Update

2009-07-13 02:13 . 2009-07-13 02:13 -------- d-----w- c:\program files\VideoLAN

2009-07-13 00:04 . 2009-07-13 00:04 -------- d-----w- c:\program files\VideoReDoTVSuite

2009-07-12 22:11 . 2009-07-12 22:11 -------- d-----w- c:\program files\Common Files\TivoDecode

2009-07-12 04:36 . 2009-07-12 04:36 -------- d-----w- c:\program files\Windows Media Connect 2

2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\TiVo

2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\Common Files\TiVo Shared

2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo

2009-06-26 21:09 . 2009-06-11 21:57 -------- d-----w- c:\program files\Common Files\BioWare

2009-06-22 16:34 . 2009-06-22 16:22 -------- d-----w- c:\documents and settings\Matt\Application Data\Winamp

2009-06-22 16:24 . 2009-06-22 16:22 -------- d-----w- c:\program files\Winamp

2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 15:19 . 2008-08-11 02:07 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2008-08-29 21:01 . 2008-08-29 21:01 422344 ----a-w- c:\program files\setuplog.txt

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WD_SRT"="c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver" [X]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]

"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]

"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-02-20 364544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Perstray.lnk - c:\program files\PerSono\perstray.exe [2008-8-10 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitLord\\BitLord.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Steam\\steam.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\WinSCP\\WinSCP.exe"=

"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

"c:\\Program Files\\Steam\\steamapps\\gumachi\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy dedicated server\\srcds.exe"=

"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fear2\\FEAR2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Codemasters\\Turning Point - Fall of Liberty\\Binaries\\LTCG-TPGame.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25708:TCP"= 25708:TCP:bitlord

"6112:TCP"= 6112:TCP:Wc3 1

"25777:UDP"= 25777:UDP:xfire 2

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2/10/2005 5:10 AM 72192]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/10/2009 10:43 AM 108289]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 3:27 PM 344800]

S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2008 9:16 PM 133104]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2

FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\1vyq02on.default\

FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 12:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaflkafljneokgehao"=hex:6a,61,70,67,67,62,6b,69,70,6e,63,68,6c,61,6c,68,68,6a,

67,66,00,00

"hallaokbaoiaomcl"=hex:69,61,70,67,67,62,61,6b,61,65,62,6a,6d,62,66,67,62,68,

00,92

"hajmkmcadhglonnd"=hex:6b,61,6f,6c,69,64,67,70,6a,66,67,62,6f,6c,70,67,61,6d,

6a,64,6f,6e,00,00

"hajmkmcaigjmpfpd"=hex:6e,62,6f,69,6c,6f,65,6a,6c,6a,6a,6d,70,62,70,6a,6d,6e,

63,6d,70,62,61,70,62,62,67,70,65,6f,61,67,68,65,6b,6d,6b,6f,69,65,68,6b,6a,\

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:e5,55,b0,4c,76,26,db,e6,b6,eb,69,4a,cf,1a,8d,f2,a2,14,1d,b1,79,f6,4b,

e6,4f,8c,38,4e,76,83,f4,72,58,3e,e6,7f,57,1f,09,47,9b,65,f7,ca,5d,4b,7c,79,\

"??"=hex:b5,51,b7,44,0f,48,fc,32,4e,b4,82,86,df,98,4b,0d

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\License information*]

"datasecu"=hex:af,87,86,9f,fc,64,8e,49,79,eb,b9,af,e9,33,d1,8c,76,47,d7,3f,a9,

61,a6,ab,9c,58,96,37,f4,3e,84,9a,66,2d,b4,8e,01,2e,f5,d8,e1,c9,ae,e0,24,c8,\

"rkeysecu"=hex:a6,36,bf,64,e9,71,41,85,d1,17,78,a9,4e,26,fa,5c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2628)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-19 12:10 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 18:10

Pre-Run: 31,765,762,048 bytes free

Post-Run: 33,552,453,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

306 --- E O F --- 2009-08-19 16:20

Link to post
Share on other sites

Glad to see it worked.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RegNull:

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

This really is a nasty bugger, thanks for sticking with me. Log posted below.

ComboFix 09-08-18.04 - Matt 08/19/2009 14:56.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1606 [GMT -6:00]

Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))

.

2009-08-19 16:41 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-19 16:41 . 2009-08-19 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-19 16:41 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-19 16:36 . 2009-08-19 16:36 -------- d-s---w- C:\Combo-Fix

2009-08-17 23:03 . 2009-08-17 23:06 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-12 19:33 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-11 14:46 . 2009-08-11 14:46 -------- d-----w- c:\program files\Trend Micro

2009-08-10 16:43 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-10 16:43 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-10 16:43 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-10 16:43 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\program files\Avira

2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes

2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-10 16:06 . 2009-08-10 16:06 -------- d-----w- c:\documents and settings\Matt\Application Data\Search Settings

2009-08-07 18:17 . 2009-08-07 18:17 -------- d-----w- c:\program files\Windows Defender

2009-08-07 16:39 . 2009-08-07 16:39 -------- d-sh--w- c:\documents and settings\Matt\PrivacIE

2009-08-07 16:02 . 2009-08-07 16:02 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\WMTools Downloaded Files

2009-08-04 19:00 . 2008-11-13 14:18 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll

2009-08-04 19:00 . 2008-11-13 14:18 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll

2009-08-04 18:57 . 2009-08-04 18:57 -------- d-----w- c:\program files\MSBuild

2009-08-04 18:53 . 2009-08-08 21:44 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-04 18:52 . 2009-08-04 18:52 -------- d-----w- c:\program files\Reference Assemblies

2009-08-04 18:52 . 2006-06-29 19:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\windows\system32\AGEIA

2009-08-03 02:44 . 2009-08-03 02:45 -------- d-----w- c:\program files\AGEIA Technologies

2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\program files\Codemasters

2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\My Games

2009-08-03 00:40 . 2009-08-03 00:40 -------- d-----w- c:\documents and settings\Matt\Application Data\ArtificialStudios

2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iPod

2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iTunes

2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-08-01 16:16 . 2009-08-01 16:16 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

2009-08-01 15:59 . 2009-08-01 15:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2009-07-24 01:57 . 2009-07-24 01:57 41872 ----a-w- c:\windows\system32\xfcodec.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 20:34 . 2008-08-29 02:37 -------- d-----w- c:\program files\Steam

2009-08-19 17:44 . 2007-08-02 01:21 -------- d-----w- c:\documents and settings\Matt\Application Data\U3

2009-08-16 16:41 . 2009-07-13 00:04 -------- d-----w- c:\documents and settings\Matt\Application Data\VideoReDo-TVSuite

2009-08-16 16:38 . 2009-07-13 00:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-11 06:12 . 2008-08-11 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-10 16:01 . 2007-08-02 01:22 30944 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-10 15:58 . 2009-08-10 15:58 -------- d-----w- c:\program files\Free Audio Pack

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 01:42 . 2008-08-11 15:59 -------- d-----w- c:\documents and settings\Matt\Application Data\Xfire

2009-08-01 17:52 . 2008-08-11 04:00 -------- d-----w- c:\documents and settings\Matt\Application Data\Apple Computer

2009-08-01 16:20 . 2008-08-11 03:59 -------- d-----w- c:\program files\Bonjour

2009-07-30 17:31 . 2008-08-11 15:59 -------- d-----w- c:\program files\Xfire

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 05:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-13 04:44 . 2008-08-11 03:59 -------- d-----w- c:\program files\QuickTime

2009-07-13 04:43 . 2009-07-13 04:43 -------- d-----w- c:\program files\Apple Software Update

2009-07-13 02:13 . 2009-07-13 02:13 -------- d-----w- c:\program files\VideoLAN

2009-07-13 00:04 . 2009-07-13 00:04 -------- d-----w- c:\program files\VideoReDoTVSuite

2009-07-12 22:11 . 2009-07-12 22:11 -------- d-----w- c:\program files\Common Files\TivoDecode

2009-07-12 04:36 . 2009-07-12 04:36 -------- d-----w- c:\program files\Windows Media Connect 2

2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\TiVo

2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\Common Files\TiVo Shared

2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo

2009-06-26 21:09 . 2009-06-11 21:57 -------- d-----w- c:\program files\Common Files\BioWare

2009-06-22 16:34 . 2009-06-22 16:22 -------- d-----w- c:\documents and settings\Matt\Application Data\Winamp

2009-06-22 16:24 . 2009-06-22 16:22 -------- d-----w- c:\program files\Winamp

2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 15:19 . 2008-08-11 02:07 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2008-08-29 21:01 . 2008-08-29 21:01 422344 ----a-w- c:\program files\setuplog.txt

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WD_SRT"="c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver" [X]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]

"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]

"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-02-20 364544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Perstray.lnk - c:\program files\PerSono\perstray.exe [2008-8-10 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitLord\\BitLord.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Steam\\steam.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\WinSCP\\WinSCP.exe"=

"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

"c:\\Program Files\\Steam\\steamapps\\gumachi\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy dedicated server\\srcds.exe"=

"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\fear2\\FEAR2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Codemasters\\Turning Point - Fall of Liberty\\Binaries\\LTCG-TPGame.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25708:TCP"= 25708:TCP:bitlord

"6112:TCP"= 6112:TCP:Wc3 1

"25777:UDP"= 25777:UDP:xfire 2

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2/10/2005 5:10 AM 72192]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/10/2009 10:43 AM 108289]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 3:27 PM 344800]

S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2008 9:16 PM 133104]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2

FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\1vyq02on.default\

FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 15:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iaflkafljneokgehao"=hex:6a,61,70,67,67,62,6b,69,70,6e,63,68,6c,61,6c,68,68,6a,

67,66,00,00

"hallaokbaoiaomcl"=hex:69,61,70,67,67,62,61,6b,61,65,62,6a,6d,62,66,67,62,68,

00,92

"hajmkmcadhglonnd"=hex:6b,61,6f,6c,69,64,67,70,6a,66,67,62,6f,6c,70,67,61,6d,

6a,64,6f,6e,00,00

"hajmkmcaigjmpfpd"=hex:6e,62,6f,69,6c,6f,65,6a,6c,6a,6a,6d,70,62,70,6a,6d,6e,

63,6d,70,62,61,70,62,62,67,70,65,6f,61,67,68,65,6b,6d,6b,6f,69,65,68,6b,6a,\

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:e5,55,b0,4c,76,26,db,e6,b6,eb,69,4a,cf,1a,8d,f2,a2,14,1d,b1,79,f6,4b,

e6,4f,8c,38,4e,76,83,f4,72,58,3e,e6,7f,57,1f,09,47,9b,65,f7,ca,5d,4b,7c,79,\

"??"=hex:b5,51,b7,44,0f,48,fc,32,4e,b4,82,86,df,98,4b,0d

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\License information*]

"datasecu"=hex:af,87,86,9f,fc,64,8e,49,79,eb,b9,af,e9,33,d1,8c,76,47,d7,3f,a9,

61,a6,ab,9c,58,96,37,f4,3e,84,9a,66,2d,b4,8e,01,2e,f5,d8,e1,c9,ae,e0,24,c8,\

"rkeysecu"=hex:a6,36,bf,64,e9,71,41,85,d1,17,78,a9,4e,26,fa,5c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3336)

c:\windows\system32\WININET.dll

c:\windows\system32\ctagent.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTSVCCDA.EXE

c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-19 15:06 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 21:05

ComboFix2.txt 2009-08-19 18:10

Pre-Run: 33,569,591,296 bytes free

Post-Run: 33,510,805,504 bytes free

286 --- E O F --- 2009-08-19 16:20

Link to post
Share on other sites

Yes it is very nasty, and new, so we are just getting the hang of how to remove it.

Run ESET Online Scan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

      You can refer to this animation by neomage if needed.
Link to post
Share on other sites

I ran the Eset online scan. Avira had many (10-12) TR/Rootkit.gen hits while the scan was running. I selected all instances to be quarantined. See ESET log below.

C:\System Volume Information\_restore{2B027C32-D295-4680-B4D6-A82A09E204D4}\RP448\A0084903.dll a variant of Win32/Kryptik.YQ trojan cleaned by deleting - quarantined

Link to post
Share on other sites

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Link to post
Share on other sites

SpySentinel, thank you for your continued support

You will find the RSIT logs posted below

RSIT LOG

Logfile of random's system information tool 1.06 (written by random/random)

Run by Matt at 2009-08-20 09:08:31

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 32 GB (21%) free of 153 GB

Total RAM: 2047 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:08:38 AM, on 8/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\TiVo\Desktop\TranscodingService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TiVo\Desktop\TiVoNotify.exe

C:\Program Files\TiVo\Desktop\TiVoServer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\PerSono\perstray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Matt\Desktop\RSIT.exe

C:\Program Files\trend micro\Matt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [WD_SRT] "C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE"

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto

O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Perstray.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{54817278-1DFB-452A-A80D-FFC599070349}: NameServer = 192.168.0.1,192.168.0.2

O17 - HKLM\System\CS1\Services\Tcpip\..\{54817278-1DFB-452A-A80D-FFC599070349}: NameServer = 192.168.0.1,192.168.0.2

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate1c9618821f3d326) (gupdate1c9618821f3d326) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 6242 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

"CTHelper"=C:\WINDOWS\CTHELPER.EXE [2006-08-11 17920]

"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-08-11 18944]

"WD_SRT"=C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE [2005-11-18 278528]

"WD Button Manager"=C:\WINDOWS\system32\WDBtnMgr.exe [2009-02-19 364544]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]

"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472]

"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]

"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"TranscodingService"=C:\Program Files\TiVo\Desktop\TranscodingService.exe [2009-01-27 520192]

"TivoNotify"=C:\Program Files\TiVo\Desktop\TiVoNotify.exe [2009-01-27 425472]

"TivoServer"=C:\Program Files\TiVo\Desktop\TiVoServer.exe [2009-01-27 2143232]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Perstray.lnk - C:\Program Files\PerSono\perstray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

C:\WINDOWS\system32\Ati2evxx.dll [2008-07-03 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\BitLord\BitLord.exe"="C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord"

"C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire"

"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"

"C:\Program Files\Adobe\Adobe After Effects CS3\Support Files\AfterFX.exe"="C:\Program Files\Adobe\Adobe After Effects CS3\Support Files\AfterFX.exe:LocalSubNet:Enabled:Adobe After Effects CS3"

"C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe"="C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe:LocalSubNet:Enabled:Adobe Bridge CS3"

"C:\Program Files\Adobe\Adobe Device Central CS3\DeviceCentral.exe"="C:\Program Files\Adobe\Adobe Device Central CS3\DeviceCentral.exe:LocalSubNet:Enabled:Adobe Device Central CS3"

"C:\Program Files\Adobe\Adobe Encore CS3\Adobe Encore.exe"="C:\Program Files\Adobe\Adobe Encore CS3\Adobe Encore.exe:LocalSubNet:Enabled:Adobe Encore CS3"

"C:\Program Files\Adobe\Adobe Utilities\ExtendScript Toolkit 2\ExtendScript Toolkit 2.exe"="C:\Program Files\Adobe\Adobe Utilities\ExtendScript Toolkit 2\ExtendScript Toolkit 2.exe:LocalSubNet:Enabled:Adobe ExtendScript Toolkit 2"

"C:\Program Files\Adobe\Adobe Extension Manager\Extension Manager.exe"="C:\Program Files\Adobe\Adobe Extension Manager\Extension Manager.exe:LocalSubNet:Enabled:Adobe Extension Manager CS3"

"C:\Program Files\Adobe\Adobe Flash CS3\Flash.exe"="C:\Program Files\Adobe\Adobe Flash CS3\Flash.exe:LocalSubNet:Enabled:Adobe Flash CS3 Professional"

"C:\Program Files\Adobe\Adobe Flash CS3 Video Encoder\Flash Video Encoder.exe"="C:\Program Files\Adobe\Adobe Flash CS3 Video Encoder\Flash Video Encoder.exe:LocalSubNet:Enabled:Adobe Flash CS3 Video Encoder"

"C:\Program Files\Adobe\Adobe Illustrator CS3\Support Files\Contents\Windows\Illustrator.exe"="C:\Program Files\Adobe\Adobe Illustrator CS3\Support Files\Contents\Windows\Illustrator.exe:LocalSubNet:Enabled:Adobe Illustrator CS3"

"C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe"="C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe:LocalSubNet:Enabled:Adobe Photoshop CS3"

"C:\Program Files\Adobe\Adobe Premiere Pro CS3\Adobe Premiere Pro.exe"="C:\Program Files\Adobe\Adobe Premiere Pro CS3\Adobe Premiere Pro.exe:LocalSubNet:Enabled:Adobe Premiere Pro CS3"

"C:\Program Files\Adobe\Adobe Soundbooth CS3\Adobe Soundbooth CS3.exe"="C:\Program Files\Adobe\Adobe Soundbooth CS3\Adobe Soundbooth CS3.exe:LocalSubNet:Enabled:Adobe Soundbooth CS3"

"C:\Program Files\Adobe\Adobe Stock Photos CS3\Adobe Stock Photos CS3.exe"="C:\Program Files\Adobe\Adobe Stock Photos CS3\Adobe Stock Photos CS3.exe:LocalSubNet:Enabled:Adobe Stock Photos CS3"

"C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe"="C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe:*:Enabled:Acrobat.com"

"C:\Program Files\Adobe\Adobe OnLocation CS3\Adobe OnLocation.exe"="C:\Program Files\Adobe\Adobe OnLocation CS3\Adobe OnLocation.exe:LocalSubNet:Enabled:Adobe OnLocation CS3"

"C:\Program Files\Adobe\Adobe InDesign CS3\InDesign.exe"="C:\Program Files\Adobe\Adobe InDesign CS3\InDesign.exe:LocalSubNet:Enabled:Adobe InDesign CS3"

"C:\Program Files\Google\Google SketchUp 6\SketchUp.exe"="C:\Program Files\Google\Google SketchUp 6\SketchUp.exe:LocalSubNet:Enabled:Google SketchUp"

"C:\Program Files\Google\Google SketchUp 6\LayOut\LayOut.exe"="C:\Program Files\Google\Google SketchUp 6\LayOut\LayOut.exe:LocalSubNet:Enabled:LayOut"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"

"C:\Program Files\Warcraft III\Warcraft III.exe"="C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"

"C:\Program Files\Steam\steam.exe"="C:\Program Files\Steam\steam.exe:*:Disabled:Steam"

"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\Program Files\WinSCP\WinSCP.exe"="C:\Program Files\WinSCP\WinSCP.exe:*:Enabled:SFTP, FTP and SCP client"

"C:\Program Files\Bethesda Softworks\Fallout 3\Fallout3.exe"="C:\Program Files\Bethesda Softworks\Fallout 3\Fallout3.exe:*:Enabled:Fallout3"

"C:\Program Files\Steam\steamapps\gumachi\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\gumachi\team fortress 2\hl2.exe:*:Disabled:hl2"

"C:\Program Files\Steam\steamapps\gumachi\synergy dedicated server\srcds.exe"="C:\Program Files\Steam\steamapps\gumachi\synergy dedicated server\srcds.exe:*:Enabled:srcds"

"C:\Program Files\Steam\steamapps\gumachi\synergy\hl2.exe"="C:\Program Files\Steam\steamapps\gumachi\synergy\hl2.exe:*:Enabled:hl2"

"C:\Program Files\Steam\steamapps\common\fear2\FEAR2.exe"="C:\Program Files\Steam\steamapps\common\fear2\FEAR2.exe:*:Enabled:F.E.A.R. 2: Project Origin"

"C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe:LocalSubNet:Enabled:TiVo Transfer Service"

"C:\Program Files\TiVo\Desktop\TiVoServer.exe"="C:\Program Files\TiVo\Desktop\TiVoServer.exe:LocalSubNet:Enabled:TiVo Server Service"

"C:\Program Files\TiVo\Desktop\TiVoDesktop.exe"="C:\Program Files\TiVo\Desktop\TiVoDesktop.exe:LocalSubNet:Enabled:TiVo Desktop User Interface"

"C:\Program Files\TiVo\Desktop\curl.exe"="C:\Program Files\TiVo\Desktop\curl.exe:LocalSubNet:Enabled:TiVo Curl Service"

"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

"C:\Program Files\Codemasters\Turning Point - Fall of Liberty\Binaries\LTCG-TPGame.exe"="C:\Program Files\Codemasters\Turning Point - Fall of Liberty\Binaries\LTCG-TPGame.exe:*:Enabled:Turning Point - Fall of Liberty"

"C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe"="C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead"

"C:\Program Files\CINEMA 4D R10\CINEMA 4D.exe"="C:\Program Files\CINEMA 4D R10\CINEMA 4D.exe:LocalSubNet:Disabled:Shortcut to CINEMA 4D"

"C:\Program Files\CINEMA 4D R10\NET Render Client.exe"="C:\Program Files\CINEMA 4D R10\NET Render Client.exe:LocalSubNet:Disabled:Shortcut to NET Render Client"

"C:\Program Files\CINEMA 4D R10\NET Render Server.exe"="C:\Program Files\CINEMA 4D R10\NET Render Server.exe:LocalSubNet:Disabled:Shortcut to NET Render Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a77df396-4096-11dc-a846-000f3dae33e2}]

shell\AutoRun\command - G:\LaunchU3.exe -a

======List of files/folders created in the last 1 months======

2009-08-20 09:08:31 ----D---- C:\rsit

2009-08-19 15:23:54 ----D---- C:\Program Files\ESET

2009-08-19 15:06:03 ----D---- C:\WINDOWS\temp

2009-08-19 15:06:02 ----A---- C:\ComboFix.txt

2009-08-19 12:00:53 ----A---- C:\Boot.bak

2009-08-19 12:00:49 ----RASHD---- C:\cmdcons

2009-08-19 11:59:39 ----A---- C:\WINDOWS\zip.exe

2009-08-19 11:59:39 ----A---- C:\WINDOWS\SWXCACLS.exe

2009-08-19 11:59:39 ----A---- C:\WINDOWS\SWSC.exe

2009-08-19 11:59:39 ----A---- C:\WINDOWS\SWREG.exe

2009-08-19 11:59:39 ----A---- C:\WINDOWS\sed.exe

2009-08-19 11:59:39 ----A---- C:\WINDOWS\PEV.exe

2009-08-19 11:59:39 ----A---- C:\WINDOWS\NIRCMD.exe

2009-08-19 11:59:39 ----A---- C:\WINDOWS\grep.exe

2009-08-19 10:41:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2009-08-19 10:36:10 ----SD---- C:\Combo-Fix

2009-08-19 10:36:10 ----D---- C:\WINDOWS\ERDNT

2009-08-19 10:36:07 ----D---- C:\Qoobox

2009-08-18 22:04:39 ----A---- C:\RootRepeal report 08-18-09 (22-04-39).txt

2009-08-17 17:03:09 ----D---- C:\Program Files\Windows Live Safety Center

2009-08-12 23:24:44 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$

2009-08-12 23:24:39 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$

2009-08-12 23:24:34 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$

2009-08-12 23:24:28 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$

2009-08-12 23:24:22 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$

2009-08-12 23:24:17 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$

2009-08-12 23:24:12 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$

2009-08-12 23:24:03 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$

2009-08-12 23:23:25 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$

2009-08-11 08:46:00 ----D---- C:\Program Files\Trend Micro

2009-08-10 10:43:12 ----D---- C:\Program Files\Avira

2009-08-10 10:43:12 ----D---- C:\Documents and Settings\All Users\Application Data\Avira

2009-08-10 10:15:38 ----D---- C:\Documents and Settings\Matt\Application Data\Malwarebytes

2009-08-10 10:15:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2009-08-10 10:06:44 ----D---- C:\Documents and Settings\Matt\Application Data\Search Settings

2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\WMAFile.dll

2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\AudPlayer.dll

2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\AudioVisu.dll

2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\AudioRecord.dll

2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\AudioInfos.dll

2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\VB6STKIT.DLL

2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\VB6FR.DLL

2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\TABCTFR.DLL

2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\inetfr.DLL

2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\AudFile.dll

2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\AudDisplay.dll

2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\AudDesign.dll

2009-08-10 09:58:16 ----A---- C:\WINDOWS\system32\MSCMCFR.DLL

2009-08-10 09:58:16 ----A---- C:\WINDOWS\system32\Mscc2fr.dll

2009-08-10 09:58:16 ----A---- C:\WINDOWS\system32\CMDLGFR.DLL

2009-08-10 09:58:15 ----D---- C:\Program Files\Free Audio Pack

2009-08-10 09:58:15 ----A---- C:\WINDOWS\system32\msvcr70.dll

2009-08-10 09:58:15 ----A---- C:\WINDOWS\system32\MFC71.dll

2009-08-10 09:58:15 ----A---- C:\WINDOWS\system32\lame_enc.dll

2009-08-09 22:31:45 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$

2009-08-07 12:17:09 ----D---- C:\Program Files\Windows Defender

2009-08-04 13:00:59 ----HDC---- C:\WINDOWS\$NtUninstallKB938759$

2009-08-04 12:57:04 ----D---- C:\Program Files\MSBuild

2009-08-04 12:53:24 ----D---- C:\WINDOWS\system32\XPSViewer

2009-08-04 12:52:45 ----D---- C:\Program Files\Reference Assemblies

2009-08-04 12:52:11 ----N---- C:\WINDOWS\system32\spmsg2.dll

2009-08-02 20:44:54 ----D---- C:\WINDOWS\system32\AGEIA

2009-08-02 20:44:53 ----D---- C:\Program Files\AGEIA Technologies

2009-08-02 20:44:25 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

2009-08-02 20:30:25 ----D---- C:\Program Files\Codemasters

2009-08-02 18:40:21 ----D---- C:\Documents and Settings\Matt\Application Data\ArtificialStudios

2009-08-01 10:21:37 ----D---- C:\Program Files\iPod

2009-08-01 10:21:33 ----D---- C:\Program Files\iTunes

2009-08-01 10:21:33 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-23 19:57:06 ----A---- C:\WINDOWS\system32\xfcodec.dll

======List of files/folders modified in the last 1 months======

2009-08-20 09:08:32 ----D---- C:\WINDOWS\Prefetch

2009-08-20 09:07:04 ----D---- C:\Program Files\Mozilla Firefox

2009-08-20 09:06:31 ----D---- C:\WINDOWS\system32\CatRoot2

2009-08-20 09:06:24 ----D---- C:\WINDOWS

2009-08-20 09:05:49 ----D---- C:\WINDOWS\system32

2009-08-20 09:04:49 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-08-20 09:04:38 ----A---- C:\WINDOWS\{00000004-00000000-00000001-00001102-00000004-10071102}.BAK

2009-08-20 09:04:23 ----HD---- C:\WINDOWS\inf

2009-08-20 09:04:16 ----D---- C:\WINDOWS\system32\en-us

2009-08-19 19:41:47 ----D---- C:\Program Files\Steam

2009-08-19 15:23:54 ----RD---- C:\Program Files

2009-08-19 15:06:04 ----D---- C:\WINDOWS\system32\drivers

2009-08-19 15:01:24 ----A---- C:\WINDOWS\system.ini

2009-08-19 14:58:09 ----D---- C:\WINDOWS\AppPatch

2009-08-19 14:58:08 ----D---- C:\Program Files\Common Files

2009-08-19 12:10:02 ----RSHDC---- C:\WINDOWS\system32\dllcache

2009-08-19 12:04:18 ----D---- C:\WINDOWS\system32\config

2009-08-19 12:03:44 ----SHD---- C:\WINDOWS\Installer

2009-08-19 12:00:53 ----RASH---- C:\boot.ini

2009-08-19 11:44:54 ----D---- C:\Documents and Settings\Matt\Application Data\U3

2009-08-19 11:10:43 ----SD---- C:\WINDOWS\Tasks

2009-08-17 17:03:10 ----SD---- C:\WINDOWS\Downloaded Program Files

2009-08-16 10:41:12 ----D---- C:\Documents and Settings\Matt\Application Data\VideoReDo-TVSuite

2009-08-16 10:38:09 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP

2009-08-12 23:24:41 ----A---- C:\WINDOWS\imsins.BAK

2009-08-12 23:24:27 ----HD---- C:\WINDOWS\$hf_mig$

2009-08-12 23:24:14 ----D---- C:\Program Files\Outlook Express

2009-08-11 00:33:17 ----D---- C:\WINDOWS\WinSxS

2009-08-11 00:13:08 ----SD---- C:\Documents and Settings\Matt\Application Data\Microsoft

2009-08-11 00:12:00 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-09 22:31:59 ----D---- C:\WINDOWS\system32\CatRoot

2009-08-08 16:38:05 ----D---- C:\WINDOWS\Microsoft.NET

2009-08-08 16:38:02 ----RSD---- C:\WINDOWS\assembly

2009-08-08 15:53:30 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2009-08-08 15:43:59 ----RSD---- C:\WINDOWS\Fonts

2009-08-08 15:38:49 ----D---- C:\Program Files\Internet Explorer

2009-08-07 12:10:02 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft

2009-08-07 11:50:16 ----D---- C:\WINDOWS\pchealth

2009-08-05 03:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll

2009-08-04 19:42:31 ----D---- C:\Documents and Settings\Matt\Application Data\Xfire

2009-08-04 12:52:28 ----D---- C:\WINDOWS\system32\spool

2009-08-02 20:45:09 ----DC---- C:\WINDOWS\system32\DRVSTORE

2009-08-02 20:44:24 ----D---- C:\WINDOWS\system32\DirectX

2009-08-01 11:52:34 ----D---- C:\Documents and Settings\Matt\Application Data\Apple Computer

2009-08-01 10:20:35 ----D---- C:\Program Files\Bonjour

2009-07-30 11:31:02 ----D---- C:\Program Files\Xfire

2009-07-29 18:49:14 ----A---- C:\WINDOWS\system32\MRT.exe

2009-07-23 08:18:02 ----A---- C:\WINDOWS\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []

R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]

R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]

R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2008-09-27 279712]

R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]

R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]

R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2008-09-27 25888]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB); C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 344800]

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]

R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-07-04 3230720]

R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2006-08-11 502272]

R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2006-08-11 499584]

R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2006-08-11 7168]

R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2006-08-11 143872]

R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2006-08-11 78336]

R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]

R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2006-08-11 766976]

R3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2006-08-11 154112]

R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]

R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-17 18688]

R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]

R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2006-08-11 116224]

R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]

R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]

S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []

S3 COMMONFX.SYS;COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS []

S3 COMMONFX;COMMONFX; C:\WINDOWS\system32\drivers\COMMONFX.SYS []

S3 CTAUDFX.SYS;CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS []

S3 CTAUDFX;CTAUDFX; C:\WINDOWS\system32\drivers\CTAUDFX.SYS []

S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2005-11-10 340704]

S3 CTERFXFX.SYS;CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS []

S3 CTERFXFX;CTERFXFX; C:\WINDOWS\system32\drivers\CTERFXFX.SYS []

S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]

S3 CTSBLFX.SYS;CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS []

S3 CTSBLFX;CTSBLFX; C:\WINDOWS\system32\drivers\CTSBLFX.SYS []

S3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]

S3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]

S3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2006-08-11 180224]

S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys []

S3 motport;Motorola USB Diagnostic Port; C:\WINDOWS\system32\DRIVERS\motport.sys []

S3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]

S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]

S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]

S3 WD_FireWire_HID;WD FireWire Pseudo-HID driver; C:\WINDOWS\system32\DRIVERS\wdfwhid.sys [2006-03-22 17408]

S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]

S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-07-03 561152]

R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]

R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-12 44032]

R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]

S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-07-03 593920]

S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-10 133104]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-08-01 654848]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]

S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

RSIT INFO

info.txt logfile of random's system information tool 1.06 2009-08-20 09:08:41

======Uninstall list======

-->MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}

-->MsiExec /X{45235788-142C-44BE-8A4D-DDE9A84492E5}

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79B4539B-F3F8-4239-885E-025F12DBC86B}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79B4539B-F3F8-4239-885E-025F12DBC86B}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8325E66-E1C8-43C1-AA6A-F99C024A8C96}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8325E66-E1C8-43C1-AA6A-F99C024A8C96}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}

Add or Remove Adobe Creative Suite 3 Production Premium-->C:\Program Files\Common Files\Adobe\Installers\aefc483f26b23ab60cc5653016d5017\Setup.exe

Adobe After Effects CS3 Presets-->MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}

Adobe After Effects CS3 Template Projects & Footage-->MsiExec.exe /I{73E81E9B-7319-43AD-B7CC-1C61405E5089}

Adobe After Effects CS3 Third Party Content-->MsiExec.exe /I{7ECEF10B-F1C2-4FD5-861F-A3FCB4653304}

Adobe After Effects CS3-->MsiExec.exe /I{EB0202F7-016A-410C-ADE4-40F848CCC661}

Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall

Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}

Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}

Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}

Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}

Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}

Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}

Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}

Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}

Adobe Color Common Settings-->C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe

Adobe Color Common Settings-->MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}

Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}

Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}

Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}

Adobe Creative Suite 3 Production Premium-->MsiExec.exe /I{40F2BCF4-4EED-4AD4-BFB6-A58946C561A1}

Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}

Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}

Adobe Encore CS3 Codecs-->MsiExec.exe /I{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}

Adobe Encore CS3 Library-->MsiExec.exe /I{F1D93F5B-881F-49E3-BA56-B4B8FA991059}

Adobe Encore CS3-->MsiExec.exe /I{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}

Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe

Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}

Adobe Extension Manager CS3-->MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}

Adobe Flash CS3-->MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}

Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Video Encoder-->MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}

Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}

Adobe Glyphlet Creation Tool CS3-->MsiExec.exe /I{243DA072-8E39-424A-86A3-F63152021383}

Adobe Help Viewer CS3-->MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}

Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}

Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}

Adobe InDesign CS3-->C:\Program Files\Common Files\Adobe\Installers\05ba3a63f36684fe0c5dde2ebe6f8f5\Setup.exe

Adobe InDesign CS3-->MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}

Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}

Adobe MotionPicture Color Files-->MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}

Adobe OnLocation CS3-->C:\Program Files\InstallShield Installation Information\{FFB278E6-2945-4FF0-8F3F-268CDD09FCF6}\Setup.exe -runfromtemp -l0x0409

Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}

Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}

Adobe Premiere Pro CS3 Functional Content-->MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}

Adobe Premiere Pro CS3 Third Party Content-->MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}

Adobe Premiere Pro CS3-->MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}

Adobe Reader 9.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}

Adobe Setup-->MsiExec.exe /I{56B8B892-317E-4FDE-9E4D-44B189848A27}

Adobe Setup-->MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}

Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}

Adobe Setup-->MsiExec.exe /I{BA67E3E1-25EE-4481-857D-D3CA99DA71C8}

Adobe SING CS3-->MsiExec.exe /I{3F9B2FD2-1C83-4401-9967-C3636638E958}

Adobe Soundbooth CS3 Codecs-->MsiExec.exe /I{0327FA9D-975C-448C-A086-577D57BB25B8}

Adobe Soundbooth CS3 Scores-->MsiExec.exe /I{92A300C0-E97B-48CC-9702-AB1AAED167E1}

Adobe Soundbooth CS3-->MsiExec.exe /I{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}

Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}

Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}

Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}

Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}

Adobe Video Profiles-->MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}

Adobe WAS CS3-->MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}

Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}

Adobe XMP DVA Panels CS3-->MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}

Adobe XMP Panels CS3-->MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}

AGEIA PhysX v7.09.13-->MsiExec.exe /X{45235788-142C-44BE-8A4D-DDE9A84492E5}

AHV content for Acrobat and Flash-->MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}

Apple Mobile Device Support-->MsiExec.exe /I{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}

Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}

ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE

BitLord 1.1-->C:\Program Files\BitLord\uninst.exe

Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}

Combined Community Codec Pack 2008-01-24-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"

Creative Audio Console-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove

Creative MediaSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove

Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove

Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"

EA Download Manager-->C:\Program Files\Electronic Arts\EADM\Uninstall.exe

ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe

F.E.A.R. 2: Project Origin-->"C:\Program Files\Steam\steam.exe" steam://uninstall/16450

Fable - The Lost Chapters-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}

Fallout 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly

Free Mp3 Wma Converter V 1.8.0-->"C:\Program Files\Free Audio Pack\unins000.exe"

Google Chrome-->"C:\Program Files\Google\Chrome\Application\2.0.172.39\Installer\setup.exe" --uninstall --system-level

Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}

Google SketchUp 6 Exporters-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EB459C2F-41CA-4222-B9CA-F8EBA40B8DAB}\setup.exe" -l0x9 -removeonly

Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly

Google SketchUp LayOut 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C12D609B-EB71-411B-82C3-9BE6D40435D7}\setup.exe" -l0x9 -removeonly

Google SketchUp Pro 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12E75B98-8463-4C1F-8DDA-F6CF31566A55}\setup.exe" -l0x9 -removeonly

Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

Haali Media Splitter-->"C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"

Half-Life 2: Episode One-->"C:\Program Files\Steam\steam.exe" steam://uninstall/380

Half-Life 2: Episode Two-->"C:\Program Files\Steam\steam.exe" steam://uninstall/420

Half-Life 2: Lost Coast-->"C:\Program Files\Steam\steam.exe" steam://uninstall/340

Half-Life 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/220

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""

Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB938759)-->"C:\WINDOWS\$NtUninstallKB938759$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"

iTunes-->MsiExec.exe /I{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}

Java 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}

JGsoft EditPad Lite 5.3.0-->C:\WINDOWS\UnDeploy.exe "C:\Program Files\JGsoft\EditPadLite\Deploy.log"

Left 4 Dead-->"C:\Program Files\Steam\steam.exe" steam://uninstall/500

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Maxwell-->C:\Program Files\Next Limit\Maxwell\uninstall.exe

Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}

Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}

Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}

Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4AA3D64E-9EC3-4B0F-AB91-5885AC55641F}

Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}

Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"

Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"

Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}

Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}

MINERVA: Metastasis-->C:\PROGRA~1\Steam\STEAMA~1\SOURCE~1\METAST~1\UNWISE.EXE C:\PROGRA~1\Steam\STEAMA~1\SOURCE~1\METAST~1\metastasis.log

MobileMe Control Panel-->MsiExec.exe /I{DDBB28C8-B2AA-45A1-8DCE-059A798509FB}

Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP

MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}

Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

PDF Settings-->MsiExec.exe /I{DC017035-1939-425F-8F86-63B462C76C6A}

PerSono-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D63F2860-678D-11D4-B355-0010A4F75374}\setup.exe"

QuickTime MPEG2-->MsiExec.exe /I{12EAE4F0-8770-451C-B4AD-76B569678973}

QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}

Search Settings 1.2.1-->MsiExec.exe /X{0B1AAC97-8563-41D9-AE47-58E6A222F0E1}

Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"

Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf

Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"

Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"

Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"

Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"

Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"

Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}

Synergy-->"C:\Program Files\Steam\steam.exe" steam://uninstall/17520

Team Fortress 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/440

The Core Media Player 4.0-->"C:\Program Files\CoreCodec\The Core Media Player\uninstall-tcmp4.exe"

TiVo Desktop 2.7-->MsiExec.exe /I{4E839090-3B68-436A-B3CF-A2A08C38DD26}

TiVo Desktop 2.7-->MsiExec.exe /X{4E839090-3B68-436A-B3CF-A2A08C38DD26}

Turning Point - Fall of Liberty-->"C:\Program Files\InstallShield Installation Information\{D4FEA244-A9BC-4727-8EA9-B369579F43CF}\setup.exe" -runfromtemp -l0x0409 -removeonly

Turning Point - Fall of Liberty-->MsiExec.exe /X{D4FEA244-A9BC-4727-8EA9-B369579F43CF}

Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"

Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"

Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"

Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"

Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"

Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"

Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"

VideoReDo TVSuite Version 3.1.4.549-->"C:\Program Files\VideoReDoTVSuite\unins000.exe"

WD Firewire HID Driver-->MsiExec.exe /X{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}

WD Win98 SE USB Disk Driver, v1.00.09-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F512339-216D-4FBE-8A83-3EDCC3F03F51}\setup.exe" -l0x9 -removeonly

Winamp-->"C:\Program Files\Winamp\UninstWA.exe"

Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"

Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT

Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"

Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}

Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

WinSCP 4.1.7-->"C:\Program Files\WinSCP\unins000.exe"

Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"

======Security center information======

AV: AntiVir Desktop

======System event log======

Computer Name: D1

Event Code: 7009

Message: Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

Record Number: 91

Source Name: Service Control Manager

Time Written: 20090819120121.000000-360

Event Type: error

User:

Computer Name: D1

Event Code: 7009

Message: Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

Record Number: 90

Source Name: Service Control Manager

Time Written: 20090819120120.000000-360

Event Type: error

User:

Computer Name: D1

Event Code: 7009

Message: Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

Record Number: 89

Source Name: Service Control Manager

Time Written: 20090819120118.000000-360

Event Type: error

User:

Computer Name: D1

Event Code: 7026

Message: The following boot-start or system-start driver(s) failed to load:

PCIIde

Record Number: 57

Source Name: Service Control Manager

Time Written: 20090819111247.000000-360

Event Type: error

User:

Computer Name: D1

Event Code: 7026

Message: The following boot-start or system-start driver(s) failed to load:

PCIIde

Record Number: 29

Source Name: Service Control Manager

Time Written: 20090819103403.000000-360

Event Type: error

User:

=====Application event log=====

Computer Name: D1

Event Code: 1524

Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Record Number: 2953

Source Name: Userenv

Time Written: 20090330140507.000000-360

Event Type: warning

User: D1\Matt

Computer Name: D1

Event Code: 1517

Message: Windows saved user D1\Matt registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 2944

Source Name: Userenv

Time Written: 20090330121833.000000-360

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: D1

Event Code: 1524

Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Record Number: 2943

Source Name: Userenv

Time Written: 20090330121826.000000-360

Event Type: warning

User: D1\Matt

Computer Name: D1

Event Code: 1517

Message: Windows saved user D1\Matt registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 2934

Source Name: Userenv

Time Written: 20090329223059.000000-360

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: D1

Event Code: 1524

Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Record Number: 2933

Source Name: Userenv

Time Written: 20090329223053.000000-360

Event Type: warning

User: D1\Matt

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=15

"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel

"PROCESSOR_REVISION"=0304

"NUMBER_OF_PROCESSORS"=2

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"MAXWELL_ROOT"=C:\Program Files\Next Limit\Maxwell

"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

Link to post
Share on other sites

My computer is running much better thanks completely to your expert advice and assistance. I have dropped 4 unnecessary processes from the task manager, google links are performing properly, malwarebytes runs. I'm completely stoked!

I did a final run of malwarebytes and avira a few loose ends turned up. I'm happy to say though that avira ran for the first time without having 20 or so instances of TR/Rootkit.gen infections turning up. Also its showing that a complete system scan has occurred, where before, no matter how many times i scanned my system, it never showed up as having a complete system scan done. If you are so inclined, please take a glance at the logs below and let me know if you deem any further action need be taken.

and by the way

THANK YOU VERY MUCH <_<

MBAM Log

Malwarebytes' Anti-Malware 1.40

Database version: 2657

Windows 5.1.2600 Service Pack 3

8/20/2009 12:37:08 PM

mbam-log-2009-08-20 (12-37-08).txt

Scan type: Full Scan (C:\|G:\|H:\|)

Objects scanned: 343414

Time elapsed: 2 hour(s), 22 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{2B027C32-D295-4680-B4D6-A82A09E204D4}\RP446\A0083757.exe (Trojan.Banker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{2B027C32-D295-4680-B4D6-A82A09E204D4}\RP448\A0084905.exe (Trojan.Banker) -> Quarantined and deleted successfully.

AVIRA Log

Avira AntiVir Personal

Report file date: Thursday, August 20, 2009 12:48

Scanning for 1649952 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : D1

Version information:

BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00

AVSCAN.EXE : 9.0.3.7 466689 Bytes 8/14/2009 16:44:00

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:36

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 16:21:42

ANTIVIR2.VDF : 7.1.5.88 2668032 Bytes 8/10/2009 21:01:53

ANTIVIR3.VDF : 7.1.5.142 435712 Bytes 8/20/2009 16:44:07

Engineversion : 8.2.1.3

AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 20:31:50

AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/12/2009 16:44:55

AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 16:59:39

AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 16:59:39

AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 20:31:50

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 16:59:39

AEHEUR.DLL : 8.1.0.155 1921400 Bytes 8/18/2009 16:48:05

AEHELP.DLL : 8.1.6.0 233846 Bytes 8/18/2009 16:47:13

AEGEN.DLL : 8.1.1.57 356725 Bytes 8/18/2009 16:47:07

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 21:32:40

AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 16:59:39

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 21:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 17:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 21:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 22:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 22:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 17:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, G:, H:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+JOKE,+PCK,+SPR,

Start of the scan: Thursday, August 20, 2009 12:48

Starting search for hidden objects.

'60109' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'TiVoTransfer.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned

Scan process 'PersTray.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'TiVoServer.exe' - '1' Module(s) have been scanned

Scan process 'TiVoNotify.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'TranscodingService.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'WDBtnMgr.exe' - '1' Module(s) have been scanned

Scan process 'WD_SRT.exe' - '1' Module(s) have been scanned

Scan process 'CTHELPER.EXE' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

39 processes with 39 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Master boot sector HD2

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Boot sector 'G:\'

[iNFO] No virus was found!

Boot sector 'H:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '54' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Program Files\Internet Explorer\iexplore.exe

[WARNING] The file could not be opened!

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

[WARNING] The file could not be opened!

C:\WINDOWS\system32\MRT.exe

[WARNING] The file could not be opened!

Begin scan in 'G:\' <JESUS>

G:\

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.