
Malwarebytes and other scanners getting blocked by virus.


Gala


Okay, seems like I have a similar problem as SIR CHEECH and I NEED HELP, who have posted in this forum. I've checked through SIR CHEECH's topic, but the process seemed personalized for him.

HiJackThis, malwarebytes, and other scanners terminate after starting the scan. Afterward, when trying to start up the program again, it gives the error "Windows cannot access specified device, path, or file. You may not have appropriate permissions to access them." In task manager, when I first noticed the virus, I found a process called "a.exe" and ended the process since it was never there before. It never showed up again.

Whenever I clicked on a google link, it redirected to another page. Now 20 minutes ago, it seems as though the google links are okay though I haven't done anything, or at least I don't think I did anything, that would resolve the google issue.

Now the only noticeable problem is that scanners such as HiJackThis and Malwarebytes become blocked after terminating immediately after the start of scanning.

I don't know if this will help, but here's a log of Win32kDiag.

Log file is located at: C:\Documents and Settings\Owen\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-299502267-1292428093-682003330-1003\S-1-5-21-299502267-1292428093-682003330-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ATI\ACE\ACE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 01:56:44 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 01:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Lang\Lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\SDDLLS\SDDLLS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

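Added example, not from this thread and not part of Win32kDiag: a small Python triage script that reads a Win32kDiag log like the one above and flags the two indicators the helper later acts on. A junction that an installer or mklink creates stores its target as an NT path beginning with \??\ (for example \??\C:\dir), so a mount point whose destination is a non-volume \Device path is flagged; and a "Cannot access" system file whose size or version company differs from the dllcache copy listed under it is flagged as modified. The sample log is an excerpt of the posted one plus one constructed benign junction (the xircom target) for contrast.

```python
"""Triage a Win32kDiag log for rootkit-style reparse points and patched
system files.  Added example for this thread; not Win32kDiag's own code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the log posted above.  The xircom junction
# target (\??\C:\...) is made up to show what a legitimate junction looks like.
SAMPLE_LOG = r"""Log file is located at: C:\Documents and Settings\Owen\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \??\C:\WINDOWS\system32\xircom
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 01:56:44 62976 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 01:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# e.g. "[1] 2004-08-04 01:56:44 62976 C:\WINDOWS\system32\eventlog.dll ()"
FILE_RE = re.compile(
    r"^\[\d+\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")


@dataclass
class Finding:
    kind: str     # "reparse_point", "access_denied" or "modified_system_file"
    path: str
    detail: str


def is_suspicious_destination(dest: str) -> bool:
    # Junctions created by mklink/linkd store their target as \??\<drive>:\...
    # A target under \Device\ that is not a volume (\Device\__max++>\^) is
    # not something an administrator or installer creates.
    return not dest.startswith("\\??\\")


def parse_win32kdiag(text: str) -> List[Finding]:
    findings: List[Finding] = []
    pending_mount = None   # "Found mount point" waiting for its destination
    blocked = ""           # path from the most recent "Cannot access:" line
    copies: Dict[str, List[Tuple[str, int, str]]] = {}  # blocked -> copies
    for line in text.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            pending_mount = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_mount:
            if is_suspicious_destination(m.group(1)):
                findings.append(Finding("reparse_point", pending_mount, m.group(1)))
            pending_mount = None
            continue
        m = CANNOT_RE.match(line)
        if m:
            blocked = m.group(1)
            copies[blocked] = []
            findings.append(Finding("access_denied", blocked,
                                    "scanner could not open the file"))
            continue
        m = FILE_RE.match(line)
        if m and blocked:
            _stamp, size, path, company = m.groups()
            copies[blocked].append((path, int(size), company))
    # Compare each blocked file with the other copies of the same name that
    # Win32kDiag listed (dllcache, SoftwareDistribution download cache).
    for blocked_path, entries in copies.items():
        name = blocked_path.rsplit("\\", 1)[-1].lower()
        own = [e for e in entries if e[0].lower() == blocked_path.lower()]
        refs = [e for e in entries if e[0].lower() != blocked_path.lower()
                and e[0].rsplit("\\", 1)[-1].lower() == name and e[2]]
        if not own:
            continue
        path, size, company = own[0]
        ref_sizes = {e[1] for e in refs}
        reasons = []
        if not company:
            reasons.append("no company name in version info")
        if ref_sizes and size not in ref_sizes:
            reasons.append("size %d differs from known copies %s"
                           % (size, sorted(ref_sizes)))
        if reasons:
            findings.append(Finding("modified_system_file", path, "; ".join(reasons)))
    return findings


def summarize(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in parse_win32kdiag(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_win32kdiag(SAMPLE_LOG):
        print(f"{f.kind:22} {f.path}  <- {f.detail}")
```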

Please note that all instructions given are customised for this computer only,

the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

Some of the logs I request will be quite large; you may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.

Be assured, any links I give are safe

----------------------------------------------------------------------------------------

@ stevie09,

You will need to start your own thread, as these instructions are specific to this machine.

@Gala,

Please do the following.

----------------------------------------------------------------------------------------

Step 1

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it fix1.bat. Please save it on your desktop.

@Echo Off
REM Copy the clean eventlog.dll from the Windows Update download cache to the root of C:
copy C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll C:\eventlog.dll
REM Report whether the copy succeeded, then wait so the message can be read
If exist C:\eventlog.dll (@Echo Please Continue) Else (@Echo Copy Failed ... Please report this message)
Pause
REM Delete this batch file
del /q %0

Double click on fix1.bat

This should only take a moment, and you will see a message.

----------------------------------------------------------------------------------------

Step 2

Avenger

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\eventlog.dll |C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

----------------------------------------------------------------------------------------

Step 3

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it Win32.bat. Please save it on your desktop ( IT MUST BE NEXT TO win32kdiag.exe ).

@Echo Off
REM Change to the folder this batch file is in (the desktop)
CD %~dp0
If not exist win32kdiag.exe (@Echo File not found)&&Exit
REM -f removes the found mount points, -r resets file permissions
win32kdiag.exe -f -r
REM Delete this batch file
del /q %0

Double click on Win32.bat

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

----------------------------------------------------------------------------------------

Step 4

Download and Run ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper.

For instructions on how to disable your security programs, please see this topic

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

----------------------------------------------------------------------------------------

Logs/Information to Post in Reply

Please post the following logs/Information in your reply

Some of the logs I request will be quite large; you may need to split them over a couple of replies.

  • Avenger Log
  • Win32kDiag Log
  • Combofix Log
  • How are things running now ?


Thanks for helping, Katana. Here are the logs in the order that was requested in the reply.

The Google links being redirected problem, which started acting up again before the process, is now not redirecting me to a random web page. Malwarebytes and other like programs still have the permission error.

Avenger Log File

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Win32kDiag Log File

Log file is located at: C:\Documents and Settings\Owen\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\AppPatch\Custom\Custom

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2004-08-04 01:56:52 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\helpsvc.exe (Microsoft Corporation)

[1] 2004-08-04 01:56:52 743936 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\10

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-299502267-1292428093-682003330-1003\S-1-5-21-299502267-1292428093-682003330-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-299502267-1292428093-682003330-1003\S-1-5-21-299502267-1292428093-682003330-1003

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ATI\ACE\ACE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ATI\ACE\ACE

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Lang\Lang

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Lang\Lang

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Temp\Temp

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\SDDLLS\SDDLLS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SDDLLS\SDDLLS

Found mount point : C:\WINDOWS\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Temp

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!


ComboFix Log

ComboFix 09-08-28.01 - Owen 2009/08/28 14:49.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.2046.1523 [GMT -7:00]

Running from: c:\documents and settings\Owen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Installer\bc4d1.msi

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))

.

2009-08-26 21:15 . 2009-08-26 21:15 -------- d-----w- c:\program files\Apple Pie

2009-08-26 20:58 . 2009-08-26 20:58 -------- d-----w- c:\windows\system32\wbem\Repository

2009-08-26 20:08 . 2009-08-26 20:57 -------- d-----w- c:\documents and settings\Owen\.housecall6.6

2009-08-26 19:04 . 2009-08-27 02:03 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND

2009-08-26 19:04 . 2009-08-26 19:04 -------- d-----w- c:\program files\AV Vcs 5.0 DIAMOND

2009-08-26 19:04 . 2009-08-27 02:06 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND dlingskull

2009-08-26 10:27 . 2009-08-26 19:04 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND(2)

2009-08-26 07:26 . 2009-08-26 20:59 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-26 07:26 . 2009-08-26 07:26 -------- d-----w- c:\documents and settings\Owen\Application Data\SUPERAntiSpyware.com

2009-08-26 07:22 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-08-26 07:22 . 2009-08-26 07:22 -------- d-----w- c:\program files\Panda Security

2009-08-26 02:40 . 2009-08-26 02:43 -------- d-----w- c:\windows\svhost

2009-08-25 01:19 . 2009-08-27 02:33 -------- d-----w- C:\vcs5BGEffects

2009-08-25 01:19 . 2009-08-25 01:19 -------- d-----w- C:\vcs5core

2009-08-25 01:19 . 2009-08-25 01:19 -------- d-----w- C:\AV_LOGS

2009-08-24 07:24 . 2009-08-24 07:25 -------- d-----w- c:\documents and settings\Owen\Application Data\Ventrilo

2009-08-24 07:22 . 2009-08-24 07:22 -------- d-----w- c:\program files\Ventrilo

2009-08-16 19:42 . 2009-08-16 19:42 -------- d-----w- c:\program files\THQICE

2009-08-16 17:58 . 2009-08-16 17:58 -------- d-----w- c:\program files\CiB Net Station

2009-08-11 19:38 . 2009-08-11 19:38 82774 ----a-w- c:\windows\Uninstall Jade Empire.exe

2009-08-11 19:09 . 2009-08-11 20:09 -------- d-----w- c:\program files\Jade Empire

2009-08-11 01:05 . 2009-08-16 19:35 -------- d-----w- c:\program files\Activision

2009-08-06 18:13 . 2009-08-06 18:13 -------- d-----w- c:\program files\FLV Player

2009-08-06 17:21 . 2009-08-06 17:38 -------- d-s---w- C:\Combo-Fix

2009-08-06 17:01 . 2009-08-06 17:00 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-06 17:00 . 2009-08-06 17:00 152576 ----a-w- c:\documents and settings\Owen\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-06 01:21 . 2009-08-06 01:21 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-06 01:17 . 2009-08-06 01:17 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-06 01:17 . 2009-08-06 08:31 -------- d-----w- c:\program files\Common Files\Real

2009-08-06 01:17 . 2009-08-06 01:17 -------- d-----w- c:\program files\Real

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-28 21:59 . 2008-07-03 19:19 -------- d-----w- c:\program files\Steam

2009-08-28 21:59 . 2008-09-10 22:07 -------- d-----w- c:\program files\DNA

2009-08-28 21:59 . 2008-09-10 22:07 -------- d-----w- c:\documents and settings\Owen\Application Data\DNA

2009-08-26 19:58 . 2008-09-10 22:07 -------- d-----w- c:\documents and settings\Owen\Application Data\BitTorrent

2009-08-26 19:21 . 2009-02-12 04:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-26 19:09 . 2008-06-26 23:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-26 07:18 . 2009-03-22 02:39 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-26 05:24 . 2008-09-20 00:08 -------- d-----w- c:\documents and settings\Owen\Application Data\GetRightToGo

2009-08-16 19:35 . 2008-06-26 22:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-14 00:38 . 2008-07-01 00:36 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

2009-08-14 00:38 . 2008-07-01 00:36 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll

2009-08-14 00:38 . 2008-07-01 00:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll

2009-08-14 00:38 . 2008-07-01 00:36 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll

2009-08-14 00:38 . 2008-07-01 00:36 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll

2009-08-14 00:38 . 2008-07-01 00:36 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe

2009-08-14 00:19 . 2008-12-21 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-08-06 17:00 . 2008-07-10 03:07 -------- d-----w- c:\program files\Java

2009-08-06 01:25 . 2009-05-07 01:03 -------- d-----w- c:\program files\Persona

2009-08-06 01:17 . 2008-07-14 02:24 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-08-06 01:17 . 2003-08-28 11:43 499712 ----a-w- c:\windows\system32\msvcp71.dll

2009-08-05 03:21 . 2008-10-12 04:07 -------- d-----w- c:\program files\PeerGuardian2

2009-08-03 20:36 . 2009-02-12 04:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 20:36 . 2009-02-12 04:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-28 07:54 . 2009-07-28 07:54 -------- d-----w- c:\documents and settings\Owen\Application Data\RenPy

2009-07-25 00:52 . 2009-07-25 00:52 -------- d-----w- c:\documents and settings\Owen\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1

2009-07-24 22:05 . 2009-07-24 22:05 56 --sh--r- c:\windows\system32\787CE2ABF3.sys

2009-07-24 22:05 . 2009-07-24 22:05 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-07-24 15:26 . 2009-07-24 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-24 15:25 . 2008-07-19 19:55 38208 ----a-w- c:\documents and settings\Owen\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-20 07:17 . 2009-07-20 07:17 -------- d-----w- c:\program files\Eushully

2009-07-13 03:39 . 2009-07-13 03:39 -------- d-----w- c:\program files\Enterbrain

2009-07-13 03:38 . 2009-07-13 03:38 -------- d-----w- c:\program files\Common Files\Enterbrain

2009-07-02 00:59 . 2009-07-02 00:59 -------- d-----w- c:\program files\ASCII

2009-06-27 18:55 . 2009-06-05 08:01 25 ----a-w- c:\windows\popcinfot.dat

2009-06-23 01:49 . 2009-06-23 01:49 2238 ----a-r- c:\documents and settings\Owen\Application Data\Microsoft\Installer\{F1757132-F436-4FCB-8A4A-3438CE333A7D}\_4FD69CC5689BDA0580DB6A.exe

2009-06-23 01:49 . 2009-06-23 01:49 2238 ----a-r- c:\documents and settings\Owen\Application Data\Microsoft\Installer\{F1757132-F436-4FCB-8A4A-3438CE333A7D}\_21F066876BD0F768612CBC.exe

2009-05-31 14:26 . 2009-05-31 14:26 51304 ----a-w- c:\windows\system32\drivers\atnt40k.sys

2009-05-31 14:26 . 2009-05-31 14:26 186443 ----a-w- c:\windows\system32\atasnt40.dll

2009-05-31 14:25 . 2009-05-31 13:03 19104 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2009-05-31 14:25 . 2009-05-31 13:03 105632 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2009-05-31 13:51 . 2009-05-31 13:03 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2009-05-31 13:03 . 2009-05-31 13:03 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

------- Sigcheck -------

[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll

[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll

[7] 2004-08-04 08:56 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-06_17.36.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-28 21:59 . 2009-08-28 21:59 16384 c:\windows\temp\Perflib_Perfdata_924.dat

+ 2009-08-28 21:59 . 2009-08-28 21:59 16384 c:\windows\temp\Perflib_Perfdata_5fc.dat

+ 2004-08-04 08:56 . 2004-08-04 08:56 55808 c:\windows\system32\logevent.dll

+ 2009-08-26 07:11 . 2009-08-26 20:58 149092 c:\windows\system32\Restore\rstrlog.dat

+ 2009-08-25 11:12 . 2009-08-25 11:12 253952 c:\windows\system32\config\systemprofile\ntuser.dat

+ 2009-08-26 02:40 . 2009-05-09 11:40 643072 c:\windows\svhost\setup.exe

+ 2009-08-24 07:22 . 2009-08-24 07:22 683520 c:\windows\Installer\5a870242.msi

+ 2009-08-26 02:40 . 2009-05-09 02:36 33442240 c:\windows\svhost\software.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\Steam\Steam.exe" [2009-06-12 1217784]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]

"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-01-20 217088]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]

"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-05 307200]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-26 16264192]

c:\documents and settings\Owen\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-2-15 575488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-17 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]

[bU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Steam\\SteamApps\\owenlin0\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56252:TCP"= 56252:TCP:Pando Media Booster

"56252:UDP"= 56252:UDP:Pando Media Booster

"<NO NAME>"=

"57268:TCP"= 57268:TCP:Pando Media Booster

"57268:UDP"= 57268:UDP:Pando Media Booster

"56110:TCP"= 56110:TCP:Pando Media Booster

"56110:UDP"= 56110:UDP:Pando Media Booster

"8395:TCP"= 8395:TCP:League of Legends Launcher

"8395:UDP"= 8395:UDP:League of Legends Launcher

"8396:TCP"= 8396:TCP:League of Legends Launcher

"8396:UDP"= 8396:UDP:League of Legends Launcher

"8397:TCP"= 8397:TCP:League of Legends Launcher

"8397:UDP"= 8397:UDP:League of Legends Launcher

"8398:TCP"= 8398:TCP:League of Legends Launcher

"8398:UDP"= 8398:UDP:League of Legends Launcher

"8399:TCP"= 8399:TCP:League of Legends Launcher

"8399:UDP"= 8399:UDP:League of Legends Launcher

"57618:TCP"= 57618:TCP:Pando Media Booster

"57618:UDP"= 57618:UDP:Pando Media Booster

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008/11/14 0:08 24652]

S3 cpuz130;cpuz130;\??\c:\docume~1\Owen\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Owen\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]

S3 HookProtect;HookProtect;\??\c:\steps\element\HookProtect.sys --> c:\steps\element\HookProtect.sys [?]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007/11/06 13:22 34064]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]

S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]

S3 XDva215;XDva215;\??\c:\windows\system32\XDva215.sys --> c:\windows\system32\XDva215.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2009-08-22 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-03 02:35]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ll.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab

FF - ProfilePath - c:\documents and settings\Owen\Application Data\Mozilla\Firefox\Profiles\hp1d7d8c.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\documents and settings\Owen\Application Data\Mozilla\Firefox\Profiles\hp1d7d8c.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPHoldemFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMXENG.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.notify.interval - 600000

FF - user.js: content.switch.threshold - 1000000

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: browser.sessionstore.resume_from_crash - false

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-28 14:59

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\q0・`0`0・q0\T嶐l\sYM0・・h0U0・・F*E*]

"Order"=hex:08,00,00,00,02,00,00,00,16,01,00,00,01,00,00,00,02,00,00,00,80,00,

00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"?慴"=hex:a9,93,2a,e4,5d,a6,c2,59,0d,a5,5c,65,4c,2e,e2,bb,72,57,ae,d5,96,03,68,

82,07,48,1f,77,f3,2a,47,6f,0c,87,4c,66,67,72,ba,b0,1a,94,55,e9,e3,58,7d,45,\

"?祥"=hex:19,3c,84,c5,24,52,dd,2b,e5,7b,5e,f4,e3,b2,65,18

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:9e,11,bc,0f,c1,3b,25,56,cb,57,2c,91,c4,5c,53,52,56,4d,2f,42,83,

01,d6,96,dd,55,fe,e4,59,07,61,f8,70,6f,ea,df,e0,87,48,da,c1,31,37,39,7f,5b,\

"rkeysecu"=hex:d0,3d,a8,04,05,f6,b6,6e,4a,da,2a,eb,88,43,cd,b2

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2180)

c:\program files\Pure Networks\Network Magic\nmrsrc.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\nexon\Mabinogi\npkcmsvc.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\program files\Pure Networks\Network Magic\nmsrvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

.

**************************************************************************

.

Completion time: 2009-08-28 15:05 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-28 22:05

ComboFix2.txt 2009-08-06 17:38

Pre-Run: 1,960,206,336 bytes free

Post-Run: 2,276,487,168 bytes free

292 --- E O F --- 2008-12-13 18:13


Information

IMPORTANT

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

FrostWire

BitTorrent

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs.

Please note: you must NOT use any P2P whilst we are cleaning your machine.

Disable Teatimer

We need to disable Teatimer as it may interfere with the cleaning.

Please do not re-enable it until I give instructions.

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, for either version:

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Click >>> HERE <<< and select "save as" and save it to your desktop
  • Double click TTWipe.bat
  • Reboot your machine for the changes to take effect.

----------------------------------------------------------------------------------------

Step 1

Please do the following

Download this file Inherit.exe

Drag each of the exe files that you are unable to run onto Inherit.exe.

Then wait for it to say "OK"

----------------------------------------------------------------------------------------

Step 2

Custom CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

http://www.malwarebytes.org/forums/index.php?showtopic=22730

Collect::

c:\windows\svhost\setup.exe

c:\windows\svhost\software.exe

Dir::

c:\windows\svhost

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"=-

"SpybotSD TeaTimer"=-

Driver::

Viewpoint Manager Service

Regnull::

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\q0


For the Disable TeaTimer part, I am able to uncheck resident protection in the system tray but am unable to open Spybot S&D due to the permission error. Should I uninstall Spybot S&D and its functions if it interferes?

Don't worry, just do as much as you can and then continue with the other instructions.


I don't see any problems with my computer now; things run smoothly.

Combofix Log

c:\windows\svhost\software.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE

-------\Service_Viewpoint Manager Service

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-29 )))))))))))))))))))))))))))))))

.

2009-08-26 21:15 . 2009-08-26 21:15 -------- d-----w- c:\program files\Apple Pie

2009-08-26 20:58 . 2009-08-26 20:58 -------- d-----w- c:\windows\system32\wbem\Repository

2009-08-26 20:08 . 2009-08-26 20:57 -------- d-----w- c:\documents and settings\Owen\.housecall6.6

2009-08-26 19:04 . 2009-08-27 02:03 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND

2009-08-26 19:04 . 2009-08-26 19:04 -------- d-----w- c:\program files\AV Vcs 5.0 DIAMOND

2009-08-26 10:27 . 2009-08-26 19:04 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND(2)

2009-08-26 07:26 . 2009-08-26 20:59 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-26 07:26 . 2009-08-26 07:26 -------- d-----w- c:\documents and settings\Owen\Application Data\SUPERAntiSpyware.com

2009-08-26 07:22 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-08-26 07:22 . 2009-08-26 07:22 -------- d-----w- c:\program files\Panda Security

2009-08-26 02:40 . 2009-08-29 21:56 -------- d-----w- c:\windows\svhost

2009-08-25 01:19 . 2009-08-27 02:33 -------- d-----w- C:\vcs5BGEffects

2009-08-25 01:19 . 2009-08-25 01:19 -------- d-----w- C:\vcs5core

2009-08-25 01:19 . 2009-08-25 01:19 -------- d-----w- C:\AV_LOGS

2009-08-24 07:24 . 2009-08-24 07:25 -------- d-----w- c:\documents and settings\Owen\Application Data\Ventrilo

2009-08-24 07:22 . 2009-08-24 07:22 -------- d-----w- c:\program files\Ventrilo

2009-08-16 19:42 . 2009-08-16 19:42 -------- d-----w- c:\program files\THQICE

2009-08-16 17:58 . 2009-08-16 17:58 -------- d-----w- c:\program files\CiB Net Station

2009-08-11 19:38 . 2009-08-11 19:38 82774 ----a-w- c:\windows\Uninstall Jade Empire.exe

2009-08-11 19:09 . 2009-08-11 20:09 -------- d-----w- c:\program files\Jade Empire

2009-08-11 01:05 . 2009-08-16 19:35 -------- d-----w- c:\program files\Activision

2009-08-06 18:13 . 2009-08-06 18:13 -------- d-----w- c:\program files\FLV Player

2009-08-06 17:21 . 2009-08-06 17:38 -------- d-s---w- C:\Combo-Fix

2009-08-06 17:01 . 2009-08-06 17:00 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-06 17:00 . 2009-08-06 17:00 152576 ----a-w- c:\documents and settings\Owen\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-06 01:21 . 2009-08-06 01:21 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-06 01:17 . 2009-08-06 01:17 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-06 01:17 . 2009-08-06 08:31 -------- d-----w- c:\program files\Common Files\Real

2009-08-06 01:17 . 2009-08-06 01:17 -------- d-----w- c:\program files\Real

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-29 21:59 . 2008-07-03 19:19 -------- d-----w- c:\program files\Steam

2009-08-29 21:57 . 2008-09-10 22:07 -------- d-----w- c:\documents and settings\Owen\Application Data\DNA

2009-08-29 21:46 . 2009-03-22 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-29 21:39 . 2008-09-10 22:07 -------- d-----w- c:\program files\DNA

2009-08-29 19:34 . 2009-03-22 02:39 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-26 19:58 . 2008-09-10 22:07 -------- d-----w- c:\documents and settings\Owen\Application Data\BitTorrent

2009-08-26 19:21 . 2009-02-12 04:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-26 19:09 . 2008-06-26 23:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-26 05:24 . 2008-09-20 00:08 -------- d-----w- c:\documents and settings\Owen\Application Data\GetRightToGo

2009-08-16 19:35 . 2008-06-26 22:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-14 00:38 . 2008-07-01 00:36 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

2009-08-14 00:38 . 2008-07-01 00:36 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll

2009-08-14 00:38 . 2008-07-01 00:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll

2009-08-14 00:38 . 2008-07-01 00:36 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll

2009-08-14 00:38 . 2008-07-01 00:36 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll

2009-08-14 00:38 . 2008-07-01 00:36 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe

2009-08-14 00:19 . 2008-12-21 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-08-06 17:00 . 2008-07-10 03:07 -------- d-----w- c:\program files\Java

2009-08-06 01:25 . 2009-05-07 01:03 -------- d-----w- c:\program files\Persona

2009-08-06 01:17 . 2008-07-14 02:24 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-08-06 01:17 . 2003-08-28 11:43 499712 ----a-w- c:\windows\system32\msvcp71.dll

2009-08-05 03:21 . 2008-10-12 04:07 -------- d-----w- c:\program files\PeerGuardian2

2009-08-03 20:36 . 2009-02-12 04:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 20:36 . 2009-02-12 04:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-28 07:54 . 2009-07-28 07:54 -------- d-----w- c:\documents and settings\Owen\Application Data\RenPy

2009-07-25 00:52 . 2009-07-25 00:52 -------- d-----w- c:\documents and settings\Owen\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1

2009-07-24 22:05 . 2009-07-24 22:05 56 --sh--r- c:\windows\system32\787CE2ABF3.sys

2009-07-24 22:05 . 2009-07-24 22:05 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-07-24 15:26 . 2009-07-24 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-24 15:25 . 2008-07-19 19:55 38208 ----a-w- c:\documents and settings\Owen\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-20 07:17 . 2009-07-20 07:17 -------- d-----w- c:\program files\Eushully

2009-07-13 03:39 . 2009-07-13 03:39 -------- d-----w- c:\program files\Enterbrain

2009-07-13 03:38 . 2009-07-13 03:38 -------- d-----w- c:\program files\Common Files\Enterbrain

2009-07-02 00:59 . 2009-07-02 00:59 -------- d-----w- c:\program files\ASCII

2009-06-27 18:55 . 2009-06-05 08:01 25 ----a-w- c:\windows\popcinfot.dat

2009-06-23 01:49 . 2009-06-23 01:49 2238 ----a-r- c:\documents and settings\Owen\Application Data\Microsoft\Installer\{F1757132-F436-4FCB-8A4A-3438CE333A7D}\_4FD69CC5689BDA0580DB6A.exe

2009-06-23 01:49 . 2009-06-23 01:49 2238 ----a-r- c:\documents and settings\Owen\Application Data\Microsoft\Installer\{F1757132-F436-4FCB-8A4A-3438CE333A7D}\_21F066876BD0F768612CBC.exe

2009-05-31 14:25 . 2009-05-31 13:03 19104 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2009-05-31 14:25 . 2009-05-31 13:03 105632 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2009-05-31 13:51 . 2009-05-31 13:03 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2009-05-31 13:03 . 2009-05-31 13:03 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

------- Sigcheck -------

[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll

[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll

[7] 2004-08-04 08:56 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-06_17.36.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-29 21:59 . 2009-08-29 21:59 16384 c:\windows\temp\Perflib_Perfdata_900.dat

+ 2009-08-29 21:59 . 2009-08-29 21:59 16384 c:\windows\temp\Perflib_Perfdata_65c.dat

+ 2004-08-04 08:56 . 2004-08-04 08:56 55808 c:\windows\system32\logevent.dll

+ 2009-08-26 07:11 . 2009-08-26 20:58 149092 c:\windows\system32\Restore\rstrlog.dat

+ 2009-08-25 11:12 . 2009-08-25 11:12 253952 c:\windows\system32\config\systemprofile\ntuser.dat

+ 2009-08-24 07:22 . 2009-08-24 07:22 683520 c:\windows\Installer\5a870242.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\Steam\Steam.exe" [2009-06-12 1217784]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]

"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-01-20 217088]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]

"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-05 307200]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-26 16264192]

c:\documents and settings\Owen\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-2-15 575488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-17 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]

[U]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Steam\\SteamApps\\owenlin0\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56252:TCP"= 56252:TCP:Pando Media Booster

"56252:UDP"= 56252:UDP:Pando Media Booster

"<NO NAME>"=

"57268:TCP"= 57268:TCP:Pando Media Booster

"57268:UDP"= 57268:UDP:Pando Media Booster

"56110:TCP"= 56110:TCP:Pando Media Booster

"56110:UDP"= 56110:UDP:Pando Media Booster

"8395:TCP"= 8395:TCP:League of Legends Launcher

"8395:UDP"= 8395:UDP:League of Legends Launcher

"8396:TCP"= 8396:TCP:League of Legends Launcher

"8396:UDP"= 8396:UDP:League of Legends Launcher

"8397:TCP"= 8397:TCP:League of Legends Launcher

"8397:UDP"= 8397:UDP:League of Legends Launcher

"8398:TCP"= 8398:TCP:League of Legends Launcher

"8398:UDP"= 8398:UDP:League of Legends Launcher

"8399:TCP"= 8399:TCP:League of Legends Launcher

"8399:UDP"= 8399:UDP:League of Legends Launcher

"57618:TCP"= 57618:TCP:Pando Media Booster

"57618:UDP"= 57618:UDP:Pando Media Booster

S3 cpuz130;cpuz130;\??\c:\docume~1\Owen\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Owen\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]

S3 HookProtect;HookProtect;\??\c:\steps\element\HookProtect.sys --> c:\steps\element\HookProtect.sys [?]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007/11/06 13:22 34064]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]

S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]

S3 XDva215;XDva215;\??\c:\windows\system32\XDva215.sys --> c:\windows\system32\XDva215.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-03 02:35]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ll.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab

FF - ProfilePath - c:\documents and settings\Owen\Application Data\Mozilla\Firefox\Profiles\hp1d7d8c.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\documents and settings\Owen\Application Data\Mozilla\Firefox\Profiles\hp1d7d8c.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPHoldemFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMXENG.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.notify.interval - 600000

FF - user.js: content.switch.threshold - 1000000

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: browser.sessionstore.resume_from_crash - false

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-29 14:59

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\q0・`0`0・q0\T嶐l\sYM0・・h0U0・・F*E*]

"Order"=hex:08,00,00,00,02,00,00,00,16,01,00,00,01,00,00,00,02,00,00,00,80,00,

00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"?慴"=hex:a9,93,2a,e4,5d,a6,c2,59,0d,a5,5c,65,4c,2e,e2,bb,72,57,ae,d5,96,03,68,

82,07,48,1f,77,f3,2a,47,6f,0c,87,4c,66,67,72,ba,b0,1a,94,55,e9,e3,58,7d,45,\

"?祥"=hex:19,3c,84,c5,24,52,dd,2b,e5,7b,5e,f4,e3,b2,65,18

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:9e,11,bc,0f,c1,3b,25,56,cb,57,2c,91,c4,5c,53,52,56,4d,2f,42,83,

01,d6,96,dd,55,fe,e4,59,07,61,f8,70,6f,ea,df,e0,87,48,da,c1,31,37,39,7f,5b,\

"rkeysecu"=hex:d0,3d,a8,04,05,f6,b6,6e,4a,da,2a,eb,88,43,cd,b2

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(948)

c:\program files\Pure Networks\Network Magic\nmrsrc.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\nexon\Mabinogi\npkcmsvc.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\program files\Pure Networks\Network Magic\nmsrvc.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

.

**************************************************************************

.

Completion time: 2009-08-29 15:05 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-29 22:05

ComboFix2.txt 2009-08-28 22:05

ComboFix3.txt 2009-08-06 17:38

Pre-Run: 2,257,719,296 bytes free

Post-Run: 2,169,499,648 bytes free

291 --- E O F --- 2008-12-13 18:13

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Malwarebytes Log

Malwarebytes' Anti-Malware 1.40

Database version: 2713

Windows 5.1.2600 Service Pack 2

2009/08/29 16:25:33

mbam-log-2009-08-29 (16-25-33).txt

Scan type: Full Scan (C:\|)

Objects scanned: 237101

Time elapsed: 1 hour(s), 13 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{8223BE1E-A961-472C-A357-87FE7DC86914}\RP493\A0046418.exe (Trojan.Banker) -> Quarantined and deleted successfully.

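The most useful line in the ComboFix log above is the Sigcheck block: two copies of eventlog.dll (the one in system32 and the one under SoftwareDistribution\Download) carry the same MD5 and are 512 bytes larger than the copy Windows keeps in system32\dllcache. The script below is an added example, not part of the original post and not ComboFix's own code; it parses Sigcheck lines in exactly the form the log prints them, compares every copy of a file against its dllcache copy, and lists which copies actually match the protected one. The three eventlog.dll lines are copied from the log; the two ctfmon.exe lines are constructed as a clean control and are not from the post. Two caveats a practitioner would apply before acting on a hit: a hotfix legitimately replaces a system32 file and may leave an older dllcache copy behind, so a mismatch is a lead to verify against a known-good hash from the same patch level, not proof of tampering; and a copy that shares the suspect hash (here the SoftwareDistribution\Download one) is not a clean restore source.

```python
"""Compare system-file copies against the system32\\dllcache copy using
ComboFix-style Sigcheck lines.  Added example; not from the post or ComboFix."""
import re
from collections import defaultdict

# First three lines: copied from the ComboFix log in the post above.
# Last two lines: constructed clean control pair (not from the post);
# the hash is made up and identical on purpose.
SIGCHECK_LINES = r"""
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[-] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\eventlog.dll
[7] 2004-08-04 08:56 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\system32\dllcache\eventlog.dll
[7] 2004-08-04 08:56 15360 1D4AE8E2C3E4B3B6F1E5A2C9D8B7A6F5 c:\windows\system32\ctfmon.exe
[7] 2004-08-04 08:56 15360 1D4AE8E2C3E4B3B6F1E5A2C9D8B7A6F5 c:\windows\system32\dllcache\ctfmon.exe
"""

# [flag] date time size md5 path   -- the flag is the tool's own status marker
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; paths lowercased, MD5 uppercased."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def is_dllcache_copy(entry):
    return "\\dllcache\\" in entry["path"]


def dllcache_mismatches(entries):
    """For every file that has a dllcache copy, report each other copy whose
    MD5 or size differs from it.  Files without a dllcache copy are skipped."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    findings = []
    for name, copies in sorted(by_name.items()):
        baseline = [c for c in copies if is_dllcache_copy(c)]
        if not baseline:
            continue
        ref = baseline[0]
        for c in copies:
            if is_dllcache_copy(c):
                continue
            if c["md5"] != ref["md5"] or c["size"] != ref["size"]:
                findings.append({
                    "name": name, "path": c["path"], "flag": c["flag"],
                    "md5": c["md5"], "size": c["size"],
                    "dllcache_md5": ref["md5"], "dllcache_size": ref["size"],
                    "size_delta": c["size"] - ref["size"],
                })
    return findings


def clean_copies(entries, name):
    """Sorted paths of every copy of `name` whose MD5 and size equal the
    dllcache copy (the dllcache copy itself included) -- i.e. usable sources."""
    copies = [e for e in entries if e["name"] == name.lower()]
    baseline = [c for c in copies if is_dllcache_copy(c)]
    if not baseline:
        return []
    ref = baseline[0]
    return sorted(c["path"] for c in copies
                  if c["md5"] == ref["md5"] and c["size"] == ref["size"])


def report(findings):
    """Human-readable one-liner per mismatch."""
    return [
        f"{f['path']}: md5 {f['md5']} size {f['size']} "
        f"(dllcache {f['dllcache_md5']} size {f['dllcache_size']}, "
        f"delta {f['size_delta']:+d} bytes, sigcheck flag [{f['flag']}])"
        for f in findings
    ]


if __name__ == "__main__":
    entries = parse_sigcheck(SIGCHECK_LINES)
    for line in report(dllcache_mismatches(entries)):
        print(line)
    print("clean eventlog.dll sources:", clean_copies(entries, "eventlog.dll"))
```

Run against the log above it reports both eventlog.dll copies (512 bytes larger than the dllcache copy, different MD5) and names only the dllcache path as a matching source, while the constructed ctfmon.exe pair produces no finding.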

RSIT "log"

Logfile of random's system information tool 1.06 (written by random/random)

Run by Owen at 2009-08-29 16:30:46

Microsoft Windows XP Professional Service Pack 2

System drive C: has 2 GB (2%) free of 114 GB

Total RAM: 2046 MB (76% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:30:51, on 2009/08/29

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Nexon\Mabinogi\npkcmsvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Owen\Desktop\RSIT.exe

C:\Program Files\trend micro\Owen.exe

R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"

O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - http://ll.g.gametap.com/static/cab_headles...pWebUpdater.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe

O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 8850 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]

AOLSearchHook Class - C:\Program Files\AIM Search\AOLSearch.dll [2008-10-21 111400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]

Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2007-12-12 222448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]

AIM Toolbar Loader - C:\Program Files\AIM Toolbar\aimtb.dll [2009-05-06 1279272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]

SingleInstance Class - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2008-10-14 863688]

{61539ecd-cc67-4437-a03c-9aaccbd14326} - AIM Toolbar - C:\Program Files\AIM Toolbar\aimtb.dll [2009-05-06 1279272]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-03 208952]

"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168]

"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168]

"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-06-26 16264192]

"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]

"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-06-02 267048]

"EPSON Stylus Photo R320 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE [2004-04-26 98304]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

"nmapp"=C:\Program Files\Pure Networks\Network Magic\nmapp.exe [2007-03-14 321088]

"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE [2008-01-20 217088]

"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-02-25 61440]

"ATICustomerCare"=C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe [2007-10-04 307200]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"Steam"=C:\Program Files\Steam\Steam.exe [2009-06-12 1217784]

"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]

"Aim6"=C:\Program Files\AIM6\aim6.exe [2009-05-18 49968]

"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2006-09-10 218032]

"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2009-05-26 4351216]

"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-12-15 342848]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

C:\Documents and Settings\Owen\Start Menu\Programs\Startup

MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

C:\WINDOWS\system32\Ati2evxx.dll [2009-02-25 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"

"C:\Program Files\Steam\SteamApps\owenlin0\team fortress 2\hl2.exe"="C:\Program Files\Steam\SteamApps\owenlin0\team fortress 2\hl2.exe:*:Enabled:hl2"

"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:LimeWire"

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

"C:\Program Files\alaplaya\S4League\S4Client.exe"="C:\Program Files\alaplaya\S4League\S4Client.exe:*:Enabled:Project S4 Client.exe"

"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"

"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"

"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"

"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"

"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"

"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"

"C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\win\RosettaStoneLtdServices.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services"

"C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 Application"

"C:\Program Files\Pando Networks\Media Booster\PMB.exe"="C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"

"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"

"C:\Nexon\Combat Arms\Engine.exe"="C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"

"C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services"

"C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone Version 3 Application"

"C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\win\RosettaStoneLtdServices.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services"

"C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe"="C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 Application"

"C:\Program Files\Pando Networks\Media Booster\PMB.exe"="C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"

======List of files/folders created in the last 1 months======

2009-08-29 16:30:46 ----D---- C:\rsit

2009-08-29 16:30:46 ----D---- C:\Program Files\trend micro

2009-08-29 15:05:17 ----A---- C:\ComboFix.txt

2009-08-29 14:56:55 ----D---- C:\WINDOWS\temp

2009-08-29 14:48:22 ----A---- C:\WINDOWS\zip.exe

2009-08-29 14:48:22 ----A---- C:\WINDOWS\SWXCACLS.exe

2009-08-29 14:48:22 ----A---- C:\WINDOWS\SWSC.exe

2009-08-29 14:48:22 ----A---- C:\WINDOWS\SWREG.exe

2009-08-29 14:48:22 ----A---- C:\WINDOWS\sed.exe

2009-08-29 14:48:22 ----A---- C:\WINDOWS\PEV.exe

2009-08-29 14:48:22 ----A---- C:\WINDOWS\grep.exe

2009-08-28 14:40:25 ----A---- C:\avenger log.txt

2009-08-26 14:15:48 ----D---- C:\Program Files\Apple Pie

2009-08-26 12:04:31 ----D---- C:\Program Files\AV Vcs 6.0 DIAMOND

2009-08-26 12:04:26 ----D---- C:\Program Files\AV Vcs 5.0 DIAMOND

2009-08-26 11:26:11 ----SHD---- C:\Config.Msi

2009-08-26 03:27:37 ----D---- C:\Program Files\AV Vcs 6.0 DIAMOND(2)

2009-08-26 00:26:29 ----D---- C:\Program Files\SUPERAntiSpyware

2009-08-26 00:26:29 ----D---- C:\Documents and Settings\Owen\Application Data\SUPERAntiSpyware.com

2009-08-26 00:22:25 ----D---- C:\Program Files\Panda Security

2009-08-25 19:40:37 ----D---- C:\WINDOWS\svhost

2009-08-24 18:19:07 ----D---- C:\vcs5BGEffects

2009-08-24 18:19:04 ----D---- C:\vcs5core

2009-08-24 18:19:04 ----D---- C:\AV_LOGS

2009-08-24 00:24:06 ----D---- C:\Documents and Settings\Owen\Application Data\Ventrilo

2009-08-24 00:22:31 ----D---- C:\Program Files\Ventrilo

2009-08-24 00:22:29 ----A---- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

2009-08-16 12:42:21 ----D---- C:\Program Files\THQICE

2009-08-16 10:58:41 ----D---- C:\Program Files\CiB Net Station

2009-08-11 12:38:04 ----A---- C:\WINDOWS\Uninstall Jade Empire.exe

2009-08-11 12:09:56 ----D---- C:\Program Files\Jade Empire

2009-08-10 18:05:30 ----D---- C:\Program Files\Activision

2009-08-06 11:13:11 ----D---- C:\Program Files\FLV Player

2009-08-06 10:21:30 ----A---- C:\WINDOWS\NIRCMD.exe

2009-08-06 10:21:16 ----SD---- C:\Combo-Fix

2009-08-06 10:20:37 ----D---- C:\WINDOWS\ERDNT

2009-08-06 10:20:22 ----AD---- C:\Qoobox

2009-08-06 10:01:12 ----A---- C:\WINDOWS\system32\javaws.exe

2009-08-06 10:01:12 ----A---- C:\WINDOWS\system32\javaw.exe

2009-08-06 10:01:12 ----A---- C:\WINDOWS\system32\java.exe

2009-08-06 10:01:12 ----A---- C:\WINDOWS\system32\deploytk.dll

2009-08-05 18:17:25 ----D---- C:\Program Files\Common Files\xing shared

2009-08-05 18:17:08 ----D---- C:\Program Files\Real

2009-08-05 18:17:08 ----D---- C:\Program Files\Common Files\Real

======List of files/folders modified in the last 1 months======

2009-08-29 16:30:46 ----RD---- C:\Program Files

2009-08-29 16:29:17 ----D---- C:\Program Files\Mozilla Firefox

2009-08-29 16:28:36 ----D---- C:\Program Files\Steam

2009-08-29 16:28:35 ----D---- C:\Program Files\DNA

2009-08-29 16:28:35 ----D---- C:\Documents and Settings\Owen\Application Data\DNA

2009-08-29 16:27:59 ----D---- C:\WINDOWS\system32\drivers

2009-08-29 16:27:17 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-08-29 15:05:19 ----D---- C:\WINDOWS\system32

2009-08-29 15:04:16 ----D---- C:\WINDOWS\system32\CatRoot2

2009-08-29 14:59:44 ----D---- C:\WINDOWS

2009-08-29 14:59:44 ----A---- C:\WINDOWS\system.ini

2009-08-29 14:57:13 ----D---- C:\WINDOWS\system32\config

2009-08-29 14:54:11 ----D---- C:\WINDOWS\AppPatch

2009-08-29 14:53:53 ----D---- C:\Program Files\Common Files

2009-08-29 14:46:18 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-29 12:34:33 ----D---- C:\Program Files\Spybot - Search & Destroy

2009-08-29 12:30:17 ----D---- C:\WINDOWS\Prefetch

2009-08-28 15:04:54 ----SD---- C:\WINDOWS\Tasks

2009-08-28 14:57:06 ----SHD---- C:\WINDOWS\Installer

2009-08-28 14:46:36 ----D---- C:\WINDOWS\system32\xircom

2009-08-28 14:46:36 ----D---- C:\WINDOWS\system32\wins

2009-08-28 14:46:36 ----D---- C:\WINDOWS\system32\Temp

2009-08-28 14:46:36 ----D---- C:\WINDOWS\system32\ShellExt

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\Lang

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\inetsrv

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\export

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\dhcp

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\CatRoot_bak

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\3com_dmi

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\3076

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\2052

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\1054

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\1042

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\1041

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\1037

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\1031

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\1028

2009-08-28 14:46:35 ----D---- C:\WINDOWS\system32\1025

2009-08-28 14:44:00 ----HD---- C:\WINDOWS\msdownld.tmp

2009-08-28 14:43:52 ----SHD---- C:\WINDOWS\ftpcache

2009-08-28 14:43:50 ----D---- C:\WINDOWS\Connection Wizard

2009-08-28 14:43:50 ----D---- C:\WINDOWS\Config

2009-08-28 14:43:48 ----D---- C:\WINDOWS\addins

2009-08-26 13:58:21 ----D---- C:\WINDOWS\system32\wbem

2009-08-26 13:58:20 ----D---- C:\WINDOWS\Registration

2009-08-26 12:58:08 ----D---- C:\Documents and Settings\Owen\Application Data\BitTorrent

2009-08-26 12:21:12 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2009-08-26 12:09:33 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

2009-08-26 00:22:38 ----HD---- C:\WINDOWS\inf

2009-08-26 00:11:54 ----D---- C:\WINDOWS\system32\Restore

2009-08-25 22:24:57 ----D---- C:\Documents and Settings\Owen\Application Data\GetRightToGo

2009-08-24 23:54:22 ----D---- C:\WINDOWS\Help

2009-08-22 04:16:47 ----A---- C:\WINDOWS\NeroDigital.ini

2009-08-18 16:36:30 ----A---- C:\WINDOWS\kgt2k.INI

2009-08-16 12:35:43 ----HD---- C:\Program Files\InstallShield Installation Information

2009-08-16 11:15:10 ----SD---- C:\Documents and Settings\Owen\Application Data\Microsoft

2009-08-13 18:38:14 ----D---- C:\Nexon

2009-08-13 17:19:48 ----D---- C:\Documents and Settings\All Users\Application Data\PMB Files

2009-08-06 10:37:19 ----RSHDC---- C:\WINDOWS\system32\dllcache

2009-08-06 10:35:38 ----SD---- C:\WINDOWS\Downloaded Program Files

2009-08-06 10:00:23 ----D---- C:\Program Files\Java

2009-08-06 01:31:26 ----D---- C:\Documents and Settings\Owen\Application Data\Real

2009-08-05 18:25:14 ----D---- C:\Program Files\Persona

2009-08-05 18:17:10 ----A---- C:\WINDOWS\system32\msvcr71.dll

2009-08-05 18:17:10 ----A---- C:\WINDOWS\system32\msvcp71.dll

2009-08-04 20:21:04 ----D---- C:\Program Files\PeerGuardian2

2009-07-31 20:15:52 ----D---- C:\David

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2002-08-29 12160]

R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]

R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2008-01-20 33292]

R2 pnarp;Network Magic Device Discovery Driver; C:\WINDOWS\system32\DRIVERS\pnarp.sys [2007-03-23 25792]

R2 purendis;Network Magic Wireless Driver; C:\WINDOWS\system32\DRIVERS\purendis.sys [2007-03-23 26944]

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]

R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-02-25 3565568]

R3 ATIAVAIW;ATI T200 Unified AVStream service; C:\WINDOWS\system32\DRIVERS\atinavt2.sys [2009-02-03 170496]

R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]

R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]

R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2002-08-29 9600]

R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-06-26 4381184]

R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2008-07-28 116736]

R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2002-08-29 12160]

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]

R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-03 34176]

R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-03 13056]

R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]

R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]

S2 npkcrypt;npkcrypt; \??\C:\Nexon\Mabinogi\npkcrypt.sys []

S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2004-08-03 48128]

S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2004-08-03 38912]

S3 awck15e1;awck15e1; C:\WINDOWS\system32\drivers\awck15e1.sys []

S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]

S3 cpuz130;cpuz130; \??\C:\DOCUME~1\Owen\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []

S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []

S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []

S3 HookProtect;HookProtect; \??\C:\STEPS\element\HookProtect.sys []

S3 MPE;BDA MPE Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2004-08-03 15360]

S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2004-08-03 51328]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]

S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]

S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-03 40320]

S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]

S3 npkcusb;npkcusb; \??\C:\Nexon\Mabinogi\npkcusb.sys []

S3 Ser2pl;Prolific2 Serial port driver; C:\WINDOWS\system32\DRIVERS\ser2pl.sys [2005-07-25 48640]

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]

S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-02-18 30464]

S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]

S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]

S3 XDva189;XDva189; \??\C:\WINDOWS\system32\XDva189.sys []

S3 XDva208;XDva208; \??\C:\WINDOWS\system32\XDva208.sys []

S3 XDva215;XDva215; \??\C:\WINDOWS\system32\XDva215.sys []

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-02-25 602112]

R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-06 153376]

R2 nmservice;Pure Networks Network Magic Service; C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe [2007-03-14 321088]

R2 npkcmsvc;npkcmsvc; C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 80528]

R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-11-14 66872]

R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2004-02-26 49152]

R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-06-02 504104]

S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2009-02-25 593920]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]

S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-01-14 655624]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]

S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []

S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]

S3 nmraapache;Pure Networks Net2Go Service; C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe [2007-03-14 12800]

S3 npggsvc;nProtect GameGuard Service; C:\WINDOWS\system32\GameMon.des [2009-04-19 2784285]

S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]

S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------

++++++++++++++++++++++++++++++++++++++++++++++++

RSIT "info"

info.txt logfile of random's system information tool 1.06 2009-08-29 16:30:53

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

-->MsiExec /X{27DC856A-0916-4988-8198-8714DDD3183D}

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"

Acrobat.com-->msiexec /qb /x {77DCDCE3-2DED-62F3-8154-05E745472D07}

Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}

Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall

Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}

Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}

AGEIA PhysX v7.05.17-->MsiExec.exe /X{27DC856A-0916-4988-8198-8714DDD3183D}

AIM 6-->C:\Program Files\AIM6\uninst.exe

AIM Search-->C:\Program Files\AIM Search\uninstaller.exe AIM Search

AIM Toolbar-->"C:\Program Files\AIM Toolbar\uninstall.exe"

Any Video Converter 2.6.5-->"C:\Program Files\Any Video Converter\unins000.exe"

Apple Mobile Device Support-->MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}

Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}

ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe

ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x6946

ATI Catalyst Registration-->MsiExec.exe /X{72736F5F-520D-472A-88CC-7B02872FD34E}

ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"

AV Voice Changer Software DIAMOND 6.0-->C:\PROGRA~1\AVVCS6~2.0D~\UNWISE.EXE C:\PROGRA~1\AVVCS6~2.0D~\INSTALL.LOG

AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"

Blaze Media Pro-->"C:\Documents and Settings\All Users\Application Data\{17A03471-20EB-4604-8E72-66EF7398750D}\setup_blazemp.exe" REMOVE=TRUE MODIFY=FALSE

Blaze Media Pro-->C:\Documents and Settings\All Users\Application Data\{17A03471-20EB-4604-8E72-66EF7398750D}\setup_blazemp.exe

Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}

Catalyst Control Center - Branding-->MsiExec.exe /I{D3B1C799-CB73-42DE-BA0F-2344793A095C}

Combined Community Codec Pack 2008-09-21 16:18-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"

DAEMON Tools Toolbar-->C:\Program Files\DAEMON Tools Toolbar\uninst.exe

Debut Video Capture Software-->C:\Program Files\NCH Software\Debut\uninst.exe

Download Updater (AOL LLC)-->C:\Program Files\Common Files\Software Update Utility\uninstall.exe

Dragonica Online - Open Beta Test-->"C:\Program Files\THQICE\Dragonica Online - Open Beta Test\unins000.exe"

dvdSanta 4.50-->"C:\Program Files\dvdSanta\unins000.exe"

EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R

Finale NotePad 2008-->C:\Program Files\Finale NotePad 2008\uninstallNP.exe

FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe

Fraps-->"C:\Fraps\uninstall.exe"

FrostWire 4.13.5-->C:\Program Files\FrostWire\Uninstall.exe

Futuremark SystemInfo-->"C:\Program Files\InstallShield Installation Information\{BEE64C14-BEF1-4610-8A68-A16EAA47B882}\setup.exe" -runfromtemp -l0x0009 -removeonly

Guitar Pro 5.2-->"C:\Program Files\Guitar Pro 5\unins000.exe"

High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"

HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall

Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

ImgBurn-->"C:\Program Files\ImgBurn\uninstall.exe"

iTunes-->MsiExec.exe /I{9F70BF98-003C-491D-81FC-FF9792206AF0}

Jade Empire-->C:\WINDOWS\Uninstall Jade Empire.exe

Java 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216015FF}

Java 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}

jZip-->C:\PROGRA~1\jZip\UNWISE.EXE /U C:\PROGRA~1\jZip\INSTALL.LOG

K-Lite Mega Codec Pack 3.6.5-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"

Lightning Warrior Raidy-->C:\WINDOWS\unvise32.exe C:\Program Files\G-Collections\uninstal.log

Magic DVD Ripper V4.2.4-->"C:\Program Files\MagicDVDRipper\unins000.exe"

Magic ISO Maker v5.4 (build 0247)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG

MagicDisc 2.7.105-->C:\PROGRA~1\MAGICD~2\UNWISE.EXE C:\PROGRA~1\MAGICD~2\INSTALL.LOG

Malwarebytes' Anti-Malware-->"C:\Program Files\Apple Pie\unins000.exe"

Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}

Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}

Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe

Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}

Microsoft AppLocale-->MsiExec.exe /I{394BE3D9-7F57-4638-A8D1-1D88671913B7}

Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4D243BA7-9AC4-46D1-90E5-EEB88974F501}

Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}

Microsoft Office 2000 SR-1 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}

Microsoft VC9 runtime libraries-->MsiExec.exe /I{C4124E95-5061-4776-8D5D-E3D931C778E1}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Microsoft Windows Application Compatibility Database-->C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb"

Microsoft Windows Media Video 9 VCM-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmv9vcm.inf, Uninstall

Mozilla Firefox (3.0)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MPlugin-->"C:\Program Files\InstallShield Installation Information\{6102D63A-9387-4FC8-98E4-181121F8C0BA}\setup.exe" -runfromtemp -l0x0009 -removeonly

MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}

Nero 6 Demo-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}

Network Magic-->MsiExec.exe /X{D5773BFA-5967-4A1C-AD0F-FFFD0D13FC36}

NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI

Pando Media Booster-->C:\Program Files\Pando Networks\Media Booster\uninst.exe

PeerGuardian 2.0-->"C:\Program Files\PeerGuardian2\unins000.exe"

PL-2303 USB-to-Serial-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed

Power Tab Editor 1.7-->MsiExec.exe /I{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}

PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"

QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}

Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly

RGSS-RTP Standard-->"C:\Program Files\Common Files\Enterbrain\RGSS\Standard\unins000.exe"

RGSS-RTP Standard-->MsiExec.exe /I{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}

Rosetta Stone V3-->MsiExec.exe /X{7210BCFE-ED8D-4261-8537-81B5A4BDFA2A}

Rosetta Stone Version 3-->MsiExec.exe /X{148E08FF-D7C4-46ED-8D4D-601C67FE0AFD}

RPGXP-->MsiExec.exe /I{9B34CAC6-738F-4A20-B428-A115C3E3474C}

RPGツクール2000 ランタイムパッケージ-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{33F7A957-A66D-45A1-BADF-6576083B14E2}\setup.exe"

S4 League-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D99223D4-1F48-47BD-ADFD-D43C91CDFD00}\setup.exe" -l0x9

Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"

Security Update for Windows Media Player 9 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"

Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"

Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"

Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"

Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"

Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"

Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"

Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"

Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"

Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"

Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"

Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"

Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"

Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"

Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"

Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"

Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"

Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"

Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"

Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"

Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"

Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"

Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"

Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"

Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"

Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"

Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"

Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"

Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"

Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"

Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"

Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"

Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"

Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"

Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"

Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"

Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"

Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"

Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"

Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"

Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"

Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"

Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"

Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"

Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"

Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"

Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"

Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"

Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"

Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"

Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"

Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

SmartSound Quicktracks Plugin-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}

Sonocaddie-->MsiExec.exe /I{B79AA6EB-103F-4426-8BD2-2BD18F75F1B0}

Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}

System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe

TuneUp Utilities 2007-->MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}

Ulead VideoStudio 8.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F1DA6BF-3614-48A1-9970-9E90F646789E}\setup.exe" -l0x9

Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"

Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"

Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"

Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"

Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"

Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"

Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"

Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"

Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"

Update for Windows XP (KB925720)-->"C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"

Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"

Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"

Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"

Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"

Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"

Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"

UTAU 歌声合成ツール-->MsiExec.exe /I{F1757132-F436-4FCB-8A4A-3438CE333A7D}

Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}

Video Capture USB-->MsiExec.exe /I{D5D52242-0767-4A6E-8A8A-B5CB8015E9BF}

VideoPad Video Editor-->C:\Program Files\NCH Software\VideoPad\uninst.exe

Videora iPod Converter 4.02-->C:\Program Files\Red Kawa\Video Converter App\uninstaller.exe

Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u

WebEx-->C:\PROGRA~1\MOZILL~1\plugins\atcliun.exe

WinAce Archiver 2.0-->C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI

Windows Driver Package - Pure Networks, Inc. Network Magic Device Discovery Driver (03/23/2007 4.1.7082.0)-->rundll32.exe C:\PROGRA~1\DIFX\B7A8D76A63BBE060C656AA54D656BF7D1C31D4C3\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\pnarp_5F686DCD97D2EA9F74BD89FAA7E73B89CD47B120\pnarp.inf

Windows Driver Package - Pure Networks, Inc. Network Magic Wireless Driver (03/23/2007 4.1.7082.0)-->rundll32.exe C:\PROGRA~1\DIFX\B7A8D76A63BBE060C656AA54D656BF7D1C31D4C3\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\purendis_9DF8D460DEEF667AF7B1AA85404140673EC025C2\purendis.inf

Windows Driver Package - Roxio Technology (USB28xxBGA) Media (11/14/2008 5.8.0912.1114)-->C:\PROGRA~1\DIFX\270581355A767BF1\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\embda_1A7788FE663BC9769EC470AD8D57DE8E85CC69FB\embda.inf

Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"

Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"

Windows Media Encoder 9 Series-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}

Windows Media Encoder 9 Series-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}

Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe

Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe

Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe

Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe

Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe

Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe

Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"

Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe

WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe

Wireshark 1.0.8-->"C:\Program Files\Wireshark\uninstall.exe"

Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S

Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL

Yahoo! Internet Mail-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll

Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

YouTube Downloader App 1.01-->C:\Program Files\Red Kawa\Downloader App\uninstaller.exe

ヒロインズナイトメア 1plus2-->MsiExec.exe /I{B28A7A3C-49AD-43C2-AE92-0278B34931D8}

======System event log======

Computer Name: CENTURION

Event Code: 10010

Message: The server {601AC3DC-786A-4EB0-BF40-EE3521E70BFB} did not register with DCOM within the required timeout.

Record Number: 59

Source Name: DCOM

Time Written: 20090826021135.000000-420

Event Type: error

User: CENTURION\Owen

Computer Name: CENTURION

Event Code: 4226

Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 48

Source Name: Tcpip

Time Written: 20090826002556.000000-420

Event Type: warning

User:

Computer Name: CENTURION

Event Code: 7000

Message: The npkcrypt service failed to start due to the following error:

The system cannot find the file specified.

Record Number: 30

Source Name: Service Control Manager

Time Written: 20090826001427.000000-420

Event Type: error

User:

Computer Name: CENTURION

Event Code: 7000

Message: The npkcrypt service failed to start due to the following error:

The system cannot find the file specified.

Record Number: 9

Source Name: Service Control Manager

Time Written: 20090825233530.000000-420

Event Type: error

User:

Computer Name: CENTURION

Event Code: 7034

Message: The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

Record Number: 2

Source Name: Service Control Manager

Time Written: 20090825222149.000000-420

Event Type: error

User:

=====Application event log=====

Computer Name: CENTURION

Event Code: 1000

Message: Faulting application teatimer.exe, version 1.6.4.26, faulting module teatimer.exe, version 1.6.4.26, fault address 0x0006e60e.

Record Number: 44

Source Name: Application Error

Time Written: 20090627095234.000000-420

Event Type: error

User:

Computer Name: CENTURION

Event Code: 1517

Message: Windows saved user CENTURION\Owen registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 37

Source Name: Userenv

Time Written: 20090627085620.000000-420

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: CENTURION

Event Code: 1002

Message: Hanging application mplayerc.exe, version 6.4.9.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 16

Source Name: Application Hang

Time Written: 20090624172702.000000-420

Event Type: error

User:

Computer Name: CENTURION

Event Code: 1000

Message: Faulting application roa03tg0.exe, version 1.0.2.0, faulting module roa03tg0.exe, version 1.0.2.0, fault address 0x000132ab.

Record Number: 13

Source Name: Application Error

Time Written: 20090612125717.000000-420

Event Type: error

User:

Computer Name: CENTURION

Event Code: 1002

Message: Hanging application winace.exe, version 2.2.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 12

Source Name: Application Hang

Time Written: 20090612113401.000000-420

Event Type: error

User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem;C:\Program Files\jZip;C:\Program Files\Common Files\Ulead Systems\MPEG

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=15

"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 0, AuthenticAMD

"PROCESSOR_REVISION"=2f00

"NUMBER_OF_PROCESSORS"=1

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

"QTJAVA"=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------


----------------------------------------------------------------------------------------

Step 1

Custom CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    FCopy::
    c:\windows\system32\dllcache\eventlog.dll|c:\windows\system32\eventlog.dll
    DirLook::
    c:\windows\svhost
    ADS::


  • Save this as CFScript.txt and place it on your desktop.
    (screenshot: CFScriptb.gif)
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

----------------------------------------------------------------------------------------

Step 2

Kaspersky Online Scanner

Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal

NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin

Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Read the Requirements and limitations before you click Accept.

Once the database has downloaded, click My Computer in the left pane

Now go and put the kettle on!

When the scan has completed, click Save Report As...

Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)

Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------

Logs/Information to Post in Reply

Please post the following logs/Information in your reply

Some of the logs I request will be quite large; you may need to split them over a couple of replies.

  • Combofix Log
  • Kaspersky Log

---------------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------------

Additional Notes

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.

If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download Java SE Runtime Environment (JRE). (Don't install it yet.)

  • Scroll down to where it says "Java SE Runtime Environment (JRE)".
  • Click the "Download" button to the right.
    • Platform = Windows
    • Language = Multi Language
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Now download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Now install the Java SE Runtime Environment (JRE) package you downloaded.

(It comes with a toolbar pre-selected, so make sure you uncheck the box.)

You can delete JavaRa (zip and exe).

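The two directives in the helper's CFScript above, FCopy:: (copy c:\windows\system32\dllcache\eventlog.dll over c:\windows\system32\eventlog.dll) and DirLook:: (list c:\windows\svhost), are things you can check by hand before and after ComboFix runs. The script below is an added example written for this page, not code from the thread or from ComboFix: it hashes the in-use DLL and its dllcache copy, reports whether they differ, performs the same restore-from-cache copy, and lists a suspect directory with sizes and hashes. The function names and the demo files are the author's own constructions; on a real XP machine you would pass the two eventlog.dll paths and c:\windows\svhost instead of the temporary files the demo builds.

```python
"""Added example (not from the original thread): verify a system DLL against
its dllcache copy and list a suspect directory, mirroring the FCopy:: and
DirLook:: steps of the helper's CFScript.

Paths from the thread (assumed, pass them on a live XP box):
    c:\\windows\\system32\\dllcache\\eventlog.dll -> c:\\windows\\system32\\eventlog.dll
    c:\\windows\\svhost
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_copies(live_path, cache_path):
    """Return (live_hash, cache_hash, identical).
    A mismatch between the in-use system32 file and its dllcache copy is the
    condition the FCopy:: step repairs."""
    live, cache = sha256_file(live_path), sha256_file(cache_path)
    return live, cache, live == cache


def restore_from_cache(live_path, cache_path):
    """Overwrite the live file with the dllcache copy (what FCopy:: does) and
    return True when both files hash identically afterwards."""
    shutil.copyfile(cache_path, live_path)
    return compare_copies(live_path, cache_path)[2]


def dir_look(root):
    """List every file under root as (relative path, size, sha256), sorted.
    os.walk does not skip hidden or system files, so nothing is filtered here."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries.append((os.path.relpath(full, root),
                            os.path.getsize(full),
                            sha256_file(full)))
    return sorted(entries)


def demo():
    """Constructed scenario (hypothetical data): a clean 'dllcache' copy, a
    'live' copy with its last bytes patched, and a svhost-style directory
    holding two files. Returns (matched_before, matched_after, names)."""
    tmp = tempfile.mkdtemp()
    try:
        cache = os.path.join(tmp, "dllcache_eventlog.dll")
        live = os.path.join(tmp, "eventlog.dll")
        clean = b"MZ" + b"\x00" * 62 + b"eventlog clean body"
        with open(cache, "wb") as f:
            f.write(clean)
        with open(live, "wb") as f:
            f.write(clean[:-4] + b"PTCH")   # simulated in-place patch
        matched_before = compare_copies(live, cache)[2]
        matched_after = restore_from_cache(live, cache)

        suspect = os.path.join(tmp, "svhost")
        os.mkdir(suspect)
        for name, body in (("unknown.exe", b"MZ constructed"), ("note.txt", b"constructed")):
            with open(os.path.join(suspect, name), "wb") as f:
                f.write(body)
        names = [entry[0] for entry in dir_look(suspect)]
        return matched_before, matched_after, names
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    before, after, names = demo()
    print("live matches dllcache before restore:", before)
    print("live matches dllcache after restore:", after)
    print("files in suspect dir:", names)
```

Run it as is to see the constructed case; to use it on the real machine, call compare_copies() with the two eventlog.dll paths before running ComboFix, and dir_look() on c:\windows\svhost, keeping the output so you can show that the restore changed the hash.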

Combofix Log

ComboFix 09-08-31.03 - Owen 2009/08/31 16:11.4.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.2046.1496 [GMT -7:00]

Running from: c:\documents and settings\Owen\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owen\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\system32\dllcache\eventlog.dll --> c:\windows\system32\eventlog.dll

.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))

.

2009-08-29 23:30 . 2009-08-29 23:30 -------- d-----w- C:\rsit

2009-08-29 23:30 . 2009-08-29 23:30 -------- d-----w- c:\program files\trend micro

2009-08-26 21:15 . 2009-08-26 21:15 -------- d-----w- c:\program files\Apple Pie

2009-08-26 20:58 . 2009-08-26 20:58 -------- d-----w- c:\windows\system32\wbem\Repository

2009-08-26 20:08 . 2009-08-26 20:57 -------- d-----w- c:\documents and settings\Owen\.housecall6.6

2009-08-26 19:04 . 2009-08-27 02:03 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND

2009-08-26 19:04 . 2009-08-26 19:04 -------- d-----w- c:\program files\AV Vcs 5.0 DIAMOND

2009-08-26 10:27 . 2009-08-26 19:04 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND(2)

2009-08-26 07:26 . 2009-08-26 20:59 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-26 07:26 . 2009-08-26 07:26 -------- d-----w- c:\documents and settings\Owen\Application Data\SUPERAntiSpyware.com

2009-08-26 07:22 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-08-26 07:22 . 2009-08-26 07:22 -------- d-----w- c:\program files\Panda Security

2009-08-26 02:40 . 2009-08-29 21:56 -------- d-----w- c:\windows\svhost

2009-08-25 01:19 . 2009-08-31 04:51 -------- d-----w- C:\vcs5BGEffects

2009-08-25 01:19 . 2009-08-25 01:19 -------- d-----w- C:\vcs5core

2009-08-25 01:19 . 2009-08-25 01:19 -------- d-----w- C:\AV_LOGS

2009-08-24 07:24 . 2009-08-24 07:25 -------- d-----w- c:\documents and settings\Owen\Application Data\Ventrilo

2009-08-24 07:22 . 2009-08-24 07:22 -------- d-----w- c:\program files\Ventrilo

2009-08-16 19:42 . 2009-08-16 19:42 -------- d-----w- c:\program files\THQICE

2009-08-16 17:58 . 2009-08-16 17:58 -------- d-----w- c:\program files\CiB Net Station

2009-08-11 19:38 . 2009-08-11 19:38 82774 ----a-w- c:\windows\Uninstall Jade Empire.exe

2009-08-11 19:09 . 2009-08-11 20:09 -------- d-----w- c:\program files\Jade Empire

2009-08-11 01:05 . 2009-08-16 19:35 -------- d-----w- c:\program files\Activision

2009-08-06 18:13 . 2009-08-06 18:13 -------- d-----w- c:\program files\FLV Player

2009-08-06 17:21 . 2009-08-06 17:38 -------- d-s---w- C:\Combo-Fix

2009-08-06 17:01 . 2009-08-06 17:00 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-06 17:00 . 2009-08-06 17:00 152576 ----a-w- c:\documents and settings\Owen\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-06 01:21 . 2009-08-06 01:21 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-06 01:17 . 2009-08-06 01:17 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-06 01:17 . 2009-08-06 08:31 -------- d-----w- c:\program files\Common Files\Real

2009-08-06 01:17 . 2009-08-06 01:17 -------- d-----w- c:\program files\Real

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-31 23:13 . 2008-09-10 22:07 -------- d-----w- c:\documents and settings\Owen\Application Data\DNA

2009-08-31 05:00 . 2008-09-10 22:07 -------- d-----w- c:\documents and settings\Owen\Application Data\BitTorrent

2009-08-29 23:28 . 2008-07-03 19:19 -------- d-----w- c:\program files\Steam

2009-08-29 23:28 . 2008-09-10 22:07 -------- d-----w- c:\program files\DNA

2009-08-29 21:46 . 2009-03-22 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-29 19:34 . 2009-03-22 02:39 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-26 19:21 . 2009-02-12 04:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-26 19:09 . 2008-06-26 23:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-26 05:24 . 2008-09-20 00:08 -------- d-----w- c:\documents and settings\Owen\Application Data\GetRightToGo

2009-08-16 19:35 . 2008-06-26 22:42 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-14 00:38 . 2008-07-01 00:36 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

2009-08-14 00:38 . 2008-07-01 00:36 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll

2009-08-14 00:38 . 2008-07-01 00:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll

2009-08-14 00:38 . 2008-07-01 00:36 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll

2009-08-14 00:38 . 2008-07-01 00:36 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll

2009-08-14 00:38 . 2008-07-01 00:36 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe

2009-08-14 00:19 . 2008-12-21 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-08-06 17:00 . 2008-07-10 03:07 -------- d-----w- c:\program files\Java

2009-08-06 01:25 . 2009-05-07 01:03 -------- d-----w- c:\program files\Persona

2009-08-06 01:17 . 2008-07-14 02:24 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-08-06 01:17 . 2003-08-28 11:43 499712 ----a-w- c:\windows\system32\msvcp71.dll

2009-08-05 03:21 . 2008-10-12 04:07 -------- d-----w- c:\program files\PeerGuardian2

2009-08-03 20:36 . 2009-02-12 04:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 20:36 . 2009-02-12 04:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-28 07:54 . 2009-07-28 07:54 -------- d-----w- c:\documents and settings\Owen\Application Data\RenPy

2009-07-25 00:52 . 2009-07-25 00:52 -------- d-----w- c:\documents and settings\Owen\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1

2009-07-24 22:05 . 2009-07-24 22:05 56 --sh--r- c:\windows\system32\787CE2ABF3.sys

2009-07-24 22:05 . 2009-07-24 22:05 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-07-24 15:26 . 2009-07-24 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-24 15:25 . 2008-07-19 19:55 38208 ----a-w- c:\documents and settings\Owen\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-20 07:17 . 2009-07-20 07:17 -------- d-----w- c:\program files\Eushully

2009-07-13 03:39 . 2009-07-13 03:39 -------- d-----w- c:\program files\Enterbrain

2009-07-13 03:38 . 2009-07-13 03:38 -------- d-----w- c:\program files\Common Files\Enterbrain

2009-06-27 18:55 . 2009-06-05 08:01 25 ----a-w- c:\windows\popcinfot.dat

2009-06-23 01:49 . 2009-06-23 01:49 2238 ----a-r- c:\documents and settings\Owen\Application Data\Microsoft\Installer\{F1757132-F436-4FCB-8A4A-3438CE333A7D}\_4FD69CC5689BDA0580DB6A.exe

2009-06-23 01:49 . 2009-06-23 01:49 2238 ----a-r- c:\documents and settings\Owen\Application Data\Microsoft\Installer\{F1757132-F436-4FCB-8A4A-3438CE333A7D}\_21F066876BD0F768612CBC.exe

2009-05-31 14:25 . 2009-05-31 13:03 19104 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2009-05-31 14:25 . 2009-05-31 13:03 105632 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2009-05-31 13:51 . 2009-05-31 13:03 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2009-05-31 13:03 . 2009-05-31 13:03 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\windows\svhost ----

((((((((((((((((((((((((((((( SnapShot@2009-08-06_17.36.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2004-08-04 08:56 . 2004-08-04 08:56 55808 c:\windows\system32\logevent.dll

+ 2009-08-26 07:11 . 2009-08-26 20:58 149092 c:\windows\system32\Restore\rstrlog.dat

+ 2009-08-25 11:12 . 2009-08-25 11:12 253952 c:\windows\system32\config\systemprofile\ntuser.dat

+ 2009-08-24 07:22 . 2009-08-24 07:22 683520 c:\windows\Installer\5a870242.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\Steam\Steam.exe" [2009-06-12 1217784]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]

"EPSON Stylus Photo R320 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 98304]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-01-20 217088]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]

"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-05 307200]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-26 16264192]

c:\documents and settings\Owen\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-2-15 575488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-17 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]

[bU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Steam\\SteamApps\\owenlin0\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"56252:TCP"= 56252:TCP:Pando Media Booster

"56252:UDP"= 56252:UDP:Pando Media Booster

"<NO NAME>"=

"57268:TCP"= 57268:TCP:Pando Media Booster

"57268:UDP"= 57268:UDP:Pando Media Booster

"56110:TCP"= 56110:TCP:Pando Media Booster

"56110:UDP"= 56110:UDP:Pando Media Booster

"8395:TCP"= 8395:TCP:League of Legends Launcher

"8395:UDP"= 8395:UDP:League of Legends Launcher

"8396:TCP"= 8396:TCP:League of Legends Launcher

"8396:UDP"= 8396:UDP:League of Legends Launcher

"8397:TCP"= 8397:TCP:League of Legends Launcher

"8397:UDP"= 8397:UDP:League of Legends Launcher

"8398:TCP"= 8398:TCP:League of Legends Launcher

"8398:UDP"= 8398:UDP:League of Legends Launcher

"8399:TCP"= 8399:TCP:League of Legends Launcher

"8399:UDP"= 8399:UDP:League of Legends Launcher

"57618:TCP"= 57618:TCP:Pando Media Booster

"57618:UDP"= 57618:UDP:Pando Media Booster

S3 cpuz130;cpuz130;\??\c:\docume~1\Owen\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Owen\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]

S3 HookProtect;HookProtect;\??\c:\steps\element\HookProtect.sys --> c:\steps\element\HookProtect.sys [?]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007/11/06 13:22 34064]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]

S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]

S3 XDva215;XDva215;\??\c:\windows\system32\XDva215.sys --> c:\windows\system32\XDva215.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-03 02:35]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://ll.g.gametap.com/static/cab_headless/GameTapWebUpdater.cab

FF - ProfilePath - c:\documents and settings\Owen\Application Data\Mozilla\Firefox\Profiles\hp1d7d8c.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\documents and settings\Owen\Application Data\Mozilla\Firefox\Profiles\hp1d7d8c.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPHoldemFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMXENG.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.notify.interval - 600000

FF - user.js: content.switch.threshold - 1000000

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: browser.sessionstore.resume_from_crash - false

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-31 16:18

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\q0・`0`0・q0\T嶐l\sYM0・・h0U0・・F*E*]

"Order"=hex:08,00,00,00,02,00,00,00,16,01,00,00,01,00,00,00,02,00,00,00,80,00,

00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"?慴"=hex:a9,93,2a,e4,5d,a6,c2,59,0d,a5,5c,65,4c,2e,e2,bb,72,57,ae,d5,96,03,68,

82,07,48,1f,77,f3,2a,47,6f,0c,87,4c,66,67,72,ba,b0,1a,94,55,e9,e3,58,7d,45,\

"?祥"=hex:19,3c,84,c5,24,52,dd,2b,e5,7b,5e,f4,e3,b2,65,18

[HKEY_USERS\S-1-5-21-299502267-1292428093-682003330-1003\Software\SecuROM\License information*]

"datasecu"=hex:9e,11,bc,0f,c1,3b,25,56,cb,57,2c,91,c4,5c,53,52,56,4d,2f,42,83,

01,d6,96,dd,55,fe,e4,59,07,61,f8,70,6f,ea,df,e0,87,48,da,c1,31,37,39,7f,5b,\

"rkeysecu"=hex:d0,3d,a8,04,05,f6,b6,6e,4a,da,2a,eb,88,43,cd,b2

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3868)

c:\program files\Pure Networks\Network Magic\nmrsrc.dll

.

Completion time: 2009-08-31 16:20

ComboFix-quarantined-files.txt 2009-08-31 23:20

ComboFix2.txt 2009-08-29 22:05

ComboFix3.txt 2009-08-28 22:05

ComboFix4.txt 2009-08-06 17:38

Pre-Run: 1,425,444,864 bytes free

Post-Run: 1,394,647,040 bytes free

267 --- E O F --- 2008-12-13 18:13

+++++++++++++++++++++++++++++++++++++

Kaspersky Scan Report

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, August 31, 2009

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, September 01, 2009 01:13:20

Records in database: 2732840

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

O:\

Scan statistics:

Objects scanned: 150700

Threats found: 4

Infected objects found: 4

Suspicious objects found: 0

Scan duration: 03:21:07

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hjgruimwmuqiyp.sys.vir Infected: Trojan.Win32.TDSS.aowv 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruicjskbaom.dll.vir Infected: Trojan.Win32.Monder.gen 1

C:\Qoobox\Quarantine\I\resycled\boot.com.vir Infected: Packed.Win32.Tdss.c 1

C:\Qoobox\Quarantine\[4]-Submit_2009-08-29_14.49.10.zip Infected: Trojan-PSW.Win32.Multi.w 1

Selected area has been scanned.

Congratulations, your logs look clean :)

Let's see if I can help you keep it that way

First let's tidy up

Recovery Console

!!!!!! Warning !!!!!! Your log shows that Recovery Console is not installed.

Due to the threat that current and future malware poses, it is vital that you have some form of recovery console.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System - (SP3 Users should download the SP2 pack)

Windows XP Home Edition SP2/Windows XP Professional SP2

Download the file & save it as its originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

Uninstall Combofix

  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U; it needs to be there.

OTCleanup

Please download OTCleanup from HERE

Click the OTC.exe icon and then click the CleanUp button.

If you get any pop-ups asking if it is OK, let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.

Let me know if there were any problems with OT CleanIt

You can also delete any logs we have produced and any other tools we have downloaded.

-----------------------------------------------------------

The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners

I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan

http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html

!!! Make sure that all your programs are updated !!!

Secunia Software Inspector does all the work for you; see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time; the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for home users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book: it points from the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A new and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.

  • FireFox
    • With many addons available that make customization easy, this is a very popular choice
    • NoScript and AdBlockPlus addons are essential
  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.
    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION: If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article: So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.

If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.

Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :)

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

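The IE hardening in the reply above is described as menu clicks. As an added example (not code from the thread, and not from SpywareBlaster, ZonedOut or any other tool named in it), the PowerShell below writes the same six Internet-zone settings directly to the registry values IE reads, using the value names Microsoft documents in KB182569, and then shows the two registry mechanisms the Prevention list relies on: ZonedOut's Restricted-sites entries (ZoneMap) and SpywareBlaster's ActiveX kill bits (Compatibility Flags 0x400). It assumes PowerShell 2.0 or later is installed (XP does not ship with it), that the zone settings and ZoneMap live under HKCU for the user running it, and that the kill-bit key under HKLM is written from an administrator shell. The domain and CLSID at the bottom are placeholders, not anything taken from the log.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Applies the Internet-zone custom-level settings listed in the reply by
# writing the registry values IE reads (value names from Microsoft KB182569),
# then shows what ZonedOut (Restricted sites zone) and SpywareBlaster
# (ActiveX kill bits) do at the registry level.
# Zone settings and ZoneMap are per-user (HKCU); kill bits are machine-wide
# (HKLM) and need an administrator shell. Paths as used on XP/Vista.

$Enable = 0; $Prompt = 1; $Disable = 3          # custom-level action codes
$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# DWORD value name -> setting, matching the six items in the reply
$ZoneHardening = @{
    '1001' = $Prompt    # Download signed ActiveX controls
    '1004' = $Disable   # Download unsigned ActiveX controls
    '1201' = $Disable   # Initialize and script ActiveX controls not marked as safe
    '1800' = $Prompt    # Installation of desktop items
    '1804' = $Prompt    # Launching programs and files in an IFRAME
    '1607' = $Prompt    # Navigate sub-frames across different domains
}

function Set-InternetZoneHardening {
    foreach ($name in $ZoneHardening.Keys) {
        $old = (Get-ItemProperty -Path $InternetZone -Name $name -ErrorAction SilentlyContinue).$name
        New-ItemProperty -Path $InternetZone -Name $name -Value $ZoneHardening[$name] `
            -PropertyType DWord -Force | Out-Null
        '{0}: {1} -> {2}' -f $name, $old, $ZoneHardening[$name]   # show old -> new
    }
}

# What ZonedOut does per domain: ZoneMap\Domains\<domain>, value '*' = 4
# ('*' covers every scheme; 4 is the Restricted sites zone).
function Add-RestrictedSite {
    param([Parameter(Mandatory=$true)][string]$Domain)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name '*' -Value 4 -PropertyType DWord -Force | Out-Null
}

# What SpywareBlaster does per control: set bit 0x400 in "Compatibility Flags"
# under ActiveX Compatibility\{CLSID}. IE then refuses to load that control in
# any zone, whatever the download/scripting settings above say.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)   # '{xxxxxxxx-xxxx-...}' form, braces included
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -bor 0x400) `
        -PropertyType DWord -Force | Out-Null   # OR in the kill bit, keep other flags
}

Set-InternetZoneHardening
Add-RestrictedSite -Domain 'bad-site.example'                          # placeholder domain
Set-ActiveXKillBit -Clsid '{00000000-1111-2222-3333-444444444444}'     # placeholder CLSID
# Open a new Internet Explorer window for the changed zone settings to take effect.
```

The zone values are per user, so run it for each account that browses; a machine that also has the Security_HKLM_only policy set reads the HKLM copy of the Zones key instead, in which case these HKCU writes are ignored. The kill bit is the stronger control of the three because it works even when a site has been placed in a more permissive zone.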

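The reply recommends Winpatrol because it "notifies you if programs are added to startup", and the ComboFix log earlier in the thread is essentially a manual dump of those same autostart locations (services such as the S3 XDva215 driver, the Svchost NetSvcs list with UxTuneUp, the Tasks folder with 1-Click Maintenance.job). As an added example that is not from the thread, from Winpatrol or from ComboFix, the PowerShell below snapshots those locations plus the hosts file, writes a baseline on the first run, and on later runs lists what was added or removed. It assumes PowerShell 2.0 or later, the standard XP/Vista registry and file paths, and a baseline file location ($BaselinePath) chosen here for illustration. One caveat a practitioner should keep in mind: this only sees what the OS reports. A kernel rootkit like the TDSS driver Kaspersky found in quarantine can hide its own service key from the registry API, which is why ComboFix and GMER's catchme scan for hidden entries independently of that API; a clean diff here is not proof the machine is clean.

```powershell
# Added example, not code from the thread, from Winpatrol or from ComboFix.
# Baseline-and-diff of the autostart locations the ComboFix log enumerates
# (Run keys, Svchost NetSvcs, service ImagePaths, the Tasks folder) plus the
# hosts file. First run writes the baseline; later runs print the changes.
# $BaselinePath is an assumption; registry/file paths are standard XP/Vista.
# Caveat: reads through the normal registry/file APIs, so a kernel rootkit
# that hides its own keys will not show up here.

$BaselinePath = Join-Path $env:USERPROFILE 'autostart-baseline.xml'
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartSnapshot {
    $items = @()
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }   # skip provider metadata
            $items += "RUN|$key|$($p.Name)|$($p.Value)"
        }
    }
    # Service names loaded into the shared svchost.exe 'netsvcs' group
    # (the log's "Svchost - NetSvcs" section, where UxTuneUp was the only entry)
    $svchost = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Svchost'
    if (Test-Path $svchost) {
        foreach ($n in (Get-ItemProperty -Path $svchost).netsvcs) { $items += "NETSVCS|$n" }
    }
    # Every service and driver ImagePath (the log's "S3 XDva215 ... .sys" style lines)
    foreach ($svc in Get-ChildItem -Path 'HKLM:\System\CurrentControlSet\Services') {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $items += "SERVICE|$($svc.PSChildName)|$img" }
    }
    # Scheduled Tasks folder: *.job files on XP (e.g. "1-Click Maintenance.job")
    $tasks = Join-Path $env:windir 'Tasks'
    foreach ($job in Get-ChildItem -Path $tasks -Filter *.job -ErrorAction SilentlyContinue) {
        $items += "TASK|$($job.Name)|$($job.LastWriteTime)"
    }
    # hosts file, comments stripped. Blocking lines (127.0.0.1 / 0.0.0.0) are what
    # MVPS HOSTS adds; a real site pointed at some other address is a hijack.
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    foreach ($line in (Get-Content -Path $hosts -ErrorAction SilentlyContinue)) {
        $entry = ($line -split '#')[0].Trim()
        if ($entry) { $items += "HOSTS|$entry" }
    }
    return @($items | Sort-Object -Unique)
}

function Compare-AutostartSnapshot {
    param([string]$Path = $BaselinePath)
    $current = Get-AutostartSnapshot
    if (-not (Test-Path $Path)) {
        $current | Export-Clixml -Path $Path
        return "Baseline written to $Path ($($current.Count) entries)"
    }
    $baseline = @(Import-Clixml -Path $Path)
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    if (-not $diff) { return 'No autostart changes since baseline' }
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$tag $($d.InputObject)"
    }
}

Compare-AutostartSnapshot
```

Run it once right after a clean bill of health, such as the one given in this thread, so the baseline describes a known-good state; then run it after installing anything, or whenever a scanner starts dying at launch the way HiJackThis and Malwarebytes did here. An ADDED service line pointing at a random-looking .sys in system32\drivers is exactly the shape of the hjgruimwmuqiyp.sys driver ComboFix quarantined.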