
How to remove Rootkit.TDSS


h.s


Hello!

I believe I have Rootkit.TDSS based on my MBAM logs (included below). I tried removing what came up on MBAM the first time today (never used it before - I also changed the folder name), and it asked me to restart my computer. After it restarted, I re-scanned using MBAM. 6 of the 20 files came back again. I did not save the logs from the first scan, but it looks to me like all the other malware/trojans were removed since they did not come back again.

-HS

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:17:16 PM, on 9/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\Razer\DeathAdder\razerhid.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe

C:\Program Files\MAM\mam.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\applemobiledeviceservice.exe

C:\WINDOWS\TEMP\SAFCDB.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Enigma Software Group\SpyHunter\spyhunter3.exe

C:\Program Files\Safari\safari.exe

C:\WINDOWS\system32\mmc.exe

C:\WINDOWS\system32\osk.exe

C:\WINDOWS\system32\MSSWCHX.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files\Razer\DeathAdder\razerhid.exe"

O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.23\RivaTuner.exe" /S

O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\MAM\mam.exe" /runcleanupscript

O4 - HKLM\..\Run: [spyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"

O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Documents and Settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\windows\system32\inethttpfilter.dll' missing

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 7583 bytes

Malwarebytes' Anti-Malware 1.41

Database version: 2813

Windows 5.1.2600 Service Pack 2

9/16/2009 6:27:36 PM

mbam-log-2009-09-16 (18-27-34).txt

Scan type: Full Scan (C:\|)

Objects scanned: 170271

Time elapsed: 23 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Harsh\Local Settings\Temp\UAC3469.tmp (Rootkit.TDSS) -> No action taken.

C:\Documents and Settings\Harsh\Local Settings\Temp\UAC3a16.tmp (Trojan.Downloader) -> No action taken.

C:\WINDOWS\Temp\UACd65b.tmp (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\UACltltkklyxe.sys (Rootkit.TDSS) -> No action taken.

C:\WINDOWS\system32\UACbwkmotfaka.dat (Rootkit.TDSS) -> No action taken.

C:\WINDOWS\system32\UACturnkoehyi.dll (Rootkit.TDSS) -> No action taken.

--

I just removed the first 2 files manually. I am a little bit iffy about manually removing the other 4 files since they are located in the Windows folder. The first 2 files do not show up in MBAM anymore (about to restart pc right now so will edit this post with an update right below this after restarting to see if those 2 files come back).


  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Hello. Thanks for responding.

Just so you know, I left ComboFix running at like 12pm, so if you notice the timestamp, just keep in mind that I scanned using that earlier. I just got home a little while ago and just ran HijackThis.

H.S

ComboFix 09-09-16.05 - Harsh 09/17/2009 12:11.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2772 [GMT -4:00]

Running from: c:\documents and settings\Harsh\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton AntiVirus Gaming Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {9AC2629D-D77E-4A61-9E41-C3603E4B7582}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Harsh\Application Data\inst.exe

c:\windows\Installer\16b295c.msp

c:\windows\Installer\173a953.msp

c:\windows\Installer\1762213.msp

c:\windows\Installer\1802520.msp

c:\windows\Installer\1802526.msp

c:\windows\Installer\180252c.msp

c:\windows\Installer\1847782.msp

c:\windows\Installer\1847788.msp

c:\windows\Installer\184778e.msp

c:\windows\Installer\18ac6ce.msp

c:\windows\Installer\18ef82b.msp

c:\windows\Installer\18ef831.msp

c:\windows\Installer\18ef837.msp

c:\windows\Installer\196fa66.msp

c:\windows\Installer\196fa6c.msp

c:\windows\Installer\196fa72.msp

c:\windows\Installer\19f312f.msp

c:\windows\Installer\1a226e.msp

c:\windows\Installer\1a2274.msp

c:\windows\Installer\1a227a.msp

c:\windows\Installer\1ae884f.msp

c:\windows\Installer\1b1d372.msp

c:\windows\Installer\1b1d378.msp

c:\windows\Installer\1c6ba95.msp

c:\windows\Installer\2259d53.msp

c:\windows\Installer\2259d59.msp

c:\windows\Installer\23ff93.msp

c:\windows\Installer\23ff99.msp

c:\windows\Installer\2745c88.msp

c:\windows\Installer\2805b55.msp

c:\windows\Installer\29d87f6.msp

c:\windows\Installer\29d87fc.msp

c:\windows\Installer\29d8802.msp

c:\windows\Installer\2b90b6b.msp

c:\windows\Installer\2c4411c.msi

c:\windows\Installer\2c4411d.msp

c:\windows\Installer\2c4411e.msp

c:\windows\Installer\2c4411f.msp

c:\windows\Installer\2c44120.msp

c:\windows\Installer\2c44121.msp

c:\windows\Installer\2c44122.msp

c:\windows\Installer\2c44123.msp

c:\windows\Installer\2c44124.msp

c:\windows\Installer\2c44125.msp

c:\windows\Installer\3417655.msp

c:\windows\Installer\36af9e5.msi

c:\windows\Installer\3758abb.msp

c:\windows\Installer\533b01.msp

c:\windows\Installer\6606a31.msp

c:\windows\Installer\6606a37.msp

c:\windows\Installer\6606a3d.msp

c:\windows\Installer\6785ef1.msp

c:\windows\Installer\97b373.msp

c:\windows\Installer\97b379.msp

c:\windows\Installer\dd1f8b.msp

c:\windows\Installer\dd1f91.msp

c:\windows\Installer\dd1f97.msp

c:\windows\system32\Client.exe

.

((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))

.

2009-09-16 22:32 . 2009-09-16 22:32 -------- dc----w- c:\program files\Enigma Software Group

2009-09-16 20:47 . 2009-09-16 20:47 -------- dc----w- c:\documents and settings\Harsh\Application Data\Malwarebytes

2009-09-16 20:45 . 2009-09-10 18:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-16 20:45 . 2009-09-16 20:47 -------- dc----w- c:\program files\MAM

2009-09-16 20:45 . 2009-09-10 18:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys

2009-09-13 00:56 . 2009-05-07 07:04 157712 -c--a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-13 00:54 . 2009-09-13 00:54 -------- dc----w- C:\VIRUS

2009-09-13 00:53 . 2009-07-20 16:00 72072 -c--a-w- c:\windows\system32\drivers\tmtdi.sys

2009-09-13 00:53 . 2009-07-20 16:00 335888 -c--a-w- c:\windows\system32\drivers\TM_CFW.sys

2009-09-13 00:22 . 2009-09-13 00:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\AVG8

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\documents and settings\Harsh\Local Settings\Application Data\FreeFixer

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\documents and settings\Harsh\Application Data\FreeFixer

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\program files\FreeFixer

2009-09-12 23:46 . 2009-09-13 00:33 -------- dc----w- c:\program files\Panda Security

2009-09-12 23:42 . 2009-09-14 05:08 32 -csha-w- c:\windows\system32\drivers\fidbox2.dat

2009-09-12 23:42 . 2009-09-14 05:08 32 -csha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-12 23:15 . 2009-09-13 00:37 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-12 23:15 . 2009-09-12 23:15 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-12 22:04 . 2009-09-12 22:04 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-09-12 21:42 . 2009-09-13 17:09 -------- dc----w- c:\program files\Common Files\ParetoLogic

2009-09-12 21:42 . 2009-09-13 17:09 -------- dc----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-09-12 21:42 . 2009-09-12 21:42 -------- dc----w- c:\documents and settings\Harsh\Local Settings\Application Data\Downloaded Installations

2009-09-12 21:19 . 2009-09-12 21:19 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-04 00:02 . 2009-09-15 00:57 -------- dc----w- C:\alg

2009-09-04 00:02 . 2002-04-24 13:32 26832 -c--a-w- c:\windows\system\CTL3DV2.DLL

2009-09-03 18:07 . 2009-09-03 18:07 41872 -c--a-w- c:\windows\system32\xfcodec.dll

2009-09-02 12:57 . 2009-09-13 12:48 45 -c--a-w- c:\documents and settings\Harsh\jagex_runescape_preferences2.dat

2009-09-02 03:28 . 2009-09-02 03:28 -------- dc----w- c:\windows\system32\log

2009-09-02 03:27 . 2009-09-16 23:16 -------- dc----w- c:\program files\Trend Micro

2009-09-02 00:05 . 2009-09-02 00:31 -------- dc----w- C:\vcs5BGEffects

2009-09-02 00:05 . 2009-09-02 00:35 -------- dc----w- c:\program files\AV Vcs 6.0 DIAMOND

2009-09-01 23:55 . 2009-09-01 23:55 -------- dc----w- C:\AV_LOGS

2009-09-01 23:53 . 2008-12-10 20:56 17792 -c--a-w- c:\windows\system32\drivers\vcsvad.sys

2009-09-01 23:53 . 2009-09-01 23:56 -------- dc----w- c:\program files\AV Vcs 7.0 GOLD

2009-09-01 23:49 . 2009-09-01 23:49 -------- dc----w- c:\documents and settings\Harsh\Application Data\Screaming Bee

2009-09-01 23:49 . 2009-09-01 23:49 -------- dc----w- c:\program files\Screaming Bee

2009-08-29 21:03 . 2009-09-03 14:47 -------- dc----w- c:\program files\TuneUpMedia

2009-08-29 21:03 . 2009-09-15 23:36 -------- dc----w- c:\documents and settings\Harsh\Application Data\TuneUpMedia

2009-08-29 21:03 . 2009-08-29 21:03 -------- dc----w- c:\documents and settings\All Users\Application Data\TuneUpMedia

2009-08-29 03:14 . 2009-08-29 03:14 -------- dc----w- C:\TempDVD

2009-08-29 03:14 . 2009-08-29 03:14 -------- dc----w- C:\dvdsanta

2009-08-28 00:26 . 2009-08-28 00:26 164056 -c--a-w- c:\windows\Crazi Video Pro Uninstaller.exe

2009-08-27 01:34 . 2009-08-27 01:34 -------- dc----w- c:\documents and settings\Harsh\Application Data\Creative

2009-08-27 01:33 . 2009-08-27 01:34 -------- dc----w- c:\documents and settings\All Users\Application Data\Creative

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{615DB4DC-B7C1-4125-9858-78EF460B76D2}

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc----w- c:\program files\Creative

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{56E59A1F-0DC5-4811-98E4-BA033E048C84}

2009-08-23 14:58 . 2009-08-23 14:58 -------- dc----w- c:\program files\NVIDIA Corporation

2009-08-23 14:58 . 2009-08-23 14:58 -------- dc----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2009-08-23 14:57 . 2009-08-23 14:57 -------- dc----w- C:\NVIDIA

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-17 16:04 . 2008-09-27 22:55 -------- dc----w- c:\program files\PeerGuardian2

2009-09-17 03:40 . 2008-10-04 23:05 -------- dc----w- c:\documents and settings\Harsh\Application Data\Xfire

2009-09-16 18:18 . 2008-10-04 23:05 -------- dc----w- c:\program files\Xfire

2009-09-16 04:46 . 2008-09-28 03:49 -------- dc----w- c:\documents and settings\Harsh\Application Data\Azureus

2009-09-16 02:32 . 2008-09-27 23:01 -------- dc----w- c:\program files\RegScrubXP

2009-09-16 02:06 . 2009-05-03 23:24 189104 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-09-16 01:30 . 2009-06-24 21:07 139584 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-09-16 00:33 . 2008-09-27 22:40 -------- dc----w- c:\documents and settings\Harsh\Application Data\mIRC

2009-09-16 00:33 . 2008-09-27 22:40 -------- dc----w- c:\program files\mIRC

2009-09-15 23:17 . 2008-09-28 00:08 -------- dc----w- c:\documents and settings\Harsh\Application Data\LimeWire

2009-09-14 05:08 . 2009-09-12 23:42 32 -csha-w- c:\windows\system32\drivers\fidbox2.idx

2009-09-14 05:08 . 2009-09-12 23:42 32 -csha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-13 14:21 . 2008-10-07 20:30 37 -c--a-w- c:\documents and settings\Harsh\jagex_runescape_preferences.dat

2009-09-13 00:51 . 2008-09-27 22:50 -------- dc----w- c:\program files\Spybot - Search & Destroy

2009-09-13 00:51 . 2008-09-27 22:50 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-13 00:32 . 2009-01-13 02:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\id Software

2009-09-13 00:31 . 2009-04-30 02:08 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-12 22:05 . 2009-01-27 02:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0

2009-09-12 22:05 . 2009-01-27 02:23 -------- dc----w- c:\program files\Lavasoft

2009-09-12 22:05 . 2008-09-27 22:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-09-10 15:48 . 2009-03-21 19:09 -------- dc----w- c:\program files\Microsoft Silverlight

2009-09-10 03:27 . 2009-04-25 00:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-29 21:03 . 2008-12-26 22:47 -------- dc----w- c:\program files\iTunes

2009-08-29 21:02 . 2008-09-28 03:48 -------- dc----w- c:\program files\Vuze

2009-08-29 03:14 . 2008-12-24 19:44 -------- dc----w- c:\documents and settings\Harsh\Application Data\DVD Flick

2009-08-29 03:14 . 2008-12-24 19:40 -------- dc----w- c:\program files\dvdSanta

2009-08-29 02:53 . 2008-10-09 01:50 -------- dc----w- c:\program files\DivX

2009-08-29 02:53 . 2009-07-11 04:52 -------- dc----w- c:\program files\Common Files\DivX Shared

2009-08-29 02:16 . 2009-07-14 03:40 -------- dc----w- c:\documents and settings\Harsh\Application Data\Hamachi

2009-08-28 01:35 . 2008-11-23 02:37 -------- dc----w- c:\documents and settings\Harsh\Application Data\River Past G5

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\program files\Common Files\River Past

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\documents and settings\All Users\Application Data\River Past G5

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\program files\River Past

2009-08-23 14:59 . 2008-09-27 22:24 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-23 14:59 . 2008-09-27 22:24 -------- dc----w- c:\program files\AGEIA Technologies

2009-08-22 20:50 . 2008-10-19 01:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\Apple Computer

2009-08-20 00:02 . 2009-02-23 00:06 56324 -c-ha-w- c:\windows\system32\mlfcache.dat

2009-08-17 07:04 . 2009-08-17 07:04 2173472 -c--a-w- c:\windows\system32\nvcplui.exe

2009-08-17 07:04 . 2009-08-17 07:04 81920 -c--a-w- c:\windows\system32\nvwddi.dll

2009-08-17 07:03 . 2009-08-17 07:03 3170304 -c--a-w- c:\windows\system32\nvwss.dll

2009-08-17 07:03 . 2009-08-17 07:03 4026368 -c--a-w- c:\windows\system32\nvvitvs.dll

2009-08-17 07:03 . 2009-08-17 07:03 188416 -c--a-w- c:\windows\system32\nvmccss.dll

2009-08-17 07:03 . 2009-08-17 07:03 1286144 -c--a-w- c:\windows\system32\nvmobls.dll

2009-08-17 07:03 . 2009-08-17 07:03 3547136 -c--a-w- c:\windows\system32\nvgames.dll

2009-08-17 07:03 . 2009-08-17 07:03 4923392 -c--a-w- c:\windows\system32\nvdisps.dll

2009-08-17 07:03 . 2009-08-17 07:03 86016 -c--a-w- c:\windows\system32\nvmctray.dll

2009-08-17 07:03 . 2009-08-17 07:03 168004 -c--a-w- c:\windows\system32\nvsvc32.exe

2009-08-17 07:03 . 2009-08-17 07:03 143360 -c--a-w- c:\windows\system32\nvcolor.exe

2009-08-17 07:03 . 2009-08-17 07:03 13877248 -c--a-w- c:\windows\system32\nvcpl.dll

2009-08-17 07:02 . 2009-08-17 07:02 229376 -c--a-w- c:\windows\system32\nvmccs.dll

2009-08-17 04:57 . 2009-08-17 04:57 2189856 -c--a-w- c:\windows\system32\nvcuvid.dll

2009-08-17 04:57 . 2009-08-17 04:57 1706528 -c--a-w- c:\windows\system32\nvcuvenc.dll

2009-08-17 04:57 . 2009-08-17 04:57 1597690 -c--a-w- c:\windows\system32\nvdata.bin

2009-08-17 04:57 . 2009-01-18 03:17 485920 -c--a-w- c:\windows\system32\nvudisp.exe

2009-08-17 04:57 . 2009-01-18 03:16 10457088 -c--a-w- c:\windows\system32\nvoglnt.dll

2009-08-17 04:57 . 2009-01-18 03:16 868352 -c--a-w- c:\windows\system32\nvapi.dll

2009-08-17 04:57 . 2009-01-18 03:16 2002944 -c--a-w- c:\windows\system32\nvcuda.dll

2009-08-17 04:57 . 2009-01-18 03:16 155648 -c--a-w- c:\windows\system32\nvcodins.dll

2009-08-17 04:57 . 2009-01-18 03:16 155648 -c--a-w- c:\windows\system32\nvcod.dll

2009-08-17 04:57 . 2008-09-17 13:55 7729568 -c--a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-08-17 04:57 . 2008-09-17 13:55 5845760 -c--a-w- c:\windows\system32\nv4_disp.dll

2009-08-14 17:36 . 2009-08-14 17:36 70936 -c--a-w- c:\windows\system32\PhysXLoader.dll

2009-08-13 18:34 . 2008-10-22 00:47 -------- dc----w- c:\program files\Opera

2009-08-11 21:33 . 2009-08-11 21:33 -------- dc----w- c:\program files\CrossLoop

2009-08-11 19:45 . 2009-08-11 19:45 -------- dc----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-08-11 19:45 . 2009-08-11 19:45 -------- dc----w- c:\program files\DVD Shrink

2009-08-11 16:35 . 2009-01-18 03:17 485920 -c--a-w- c:\windows\system32\NVUNINST.EXE

2009-08-10 00:30 . 2009-08-10 00:05 -------- dc----w- c:\documents and settings\Harsh\Application Data\Download Manager

2009-08-08 22:42 . 2008-09-27 22:00 -------- dc-h--w- c:\program files\InstallShield Installation Information

2009-08-08 21:27 . 2009-08-08 21:27 -------- dc----w- c:\program files\LimeWire

2009-08-05 09:11 . 2004-08-03 23:56 204800 -c--a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 21:41 . 2009-08-03 20:30 -------- dc----w- c:\documents and settings\Harsh\Application Data\mp3rocket

2009-08-03 20:31 . 2009-08-03 20:30 -------- dc----w- c:\program files\MP3 Rocket

2009-08-03 04:21 . 2009-08-03 04:21 23320 -c--a-w- c:\windows\system32\PhysXDevice.dll

2009-08-03 01:50 . 2009-08-03 01:50 -------- dc----w- c:\program files\Sorian AI Mod

2009-07-29 21:36 . 2008-09-28 14:34 -------- dc----w- c:\documents and settings\Harsh\Application Data\vlc

2009-07-29 21:21 . 2009-07-29 21:21 -------- dc----w- c:\documents and settings\Harsh\Application Data\MozillaControl

2009-07-29 21:21 . 2009-07-29 21:21 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12

2009-07-29 21:21 . 2009-07-29 21:20 -------- dc----w- c:\program files\Graboid

2009-07-26 22:48 . 2008-10-02 19:35 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-26 22:35 . 2008-10-19 01:20 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-26 22:33 . 2009-07-26 22:32 -------- dc----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-26 22:32 . 2009-07-26 22:32 -------- dc----w- c:\program files\iPod

2009-07-26 22:32 . 2008-10-19 01:21 -------- dc----w- c:\program files\Common Files\Apple

2009-07-26 22:31 . 2009-07-26 22:31 -------- dc----w- c:\program files\Bonjour

2009-07-26 22:31 . 2008-12-26 21:36 -------- dc----w- c:\program files\QuickTime

2009-07-25 12:20 . 2008-10-02 19:35 -------- dc----w- c:\program files\NOS

2009-07-22 20:00 . 2009-07-22 20:00 -------- dc----w- c:\program files\Driver Sweeper

2009-07-17 20:52 . 2008-09-27 21:08 68456 -c--a-w- c:\documents and settings\Harsh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-17 18:55 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2007-09-20 04:50 286208 -c--a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 16:16 . 2009-07-26 22:30 2060288 -c--a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 16:16 . 2008-12-26 20:50 39424 -c--a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-03 17:09 . 2007-09-20 04:59 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-25 18:36 . 2004-08-03 23:56 95744 -c--a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2004-08-03 23:56 661504 -c--a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2004-08-03 23:56 517120 -c--a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2004-08-03 23:56 48640 -c--a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2004-08-03 23:56 471552 -c--a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2004-08-03 23:56 47104 -c--a-w- c:\windows\system32\mqdscli.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\opera\program\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\opera\program\plugins\ssldivx.dll

.

------- Sigcheck -------

[-] 2009-05-29 . C86970F63DAFFB97D8221A0136DF3224 . 360960 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\TCPIP.SYS

[-] 2009-05-29 . C86970F63DAFFB97D8221A0136DF3224 . 360960 . . [5.1.2600.3394] . . c:\windows\system32\drivers\TCPIP.SYS

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys

[7] 2007-09-20 . E6B15BCC470953E600EF7ADED3CAB142 . 360704 . . [5.1.2600.3002] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

"EVEREST AutoStart"="c:\documents and settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe" [2008-12-24 2159200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]

"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.23\RivaTuner.exe" [2009-02-15 2777088]

"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 358920]

"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 1548296]

"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2008-11-06 2816520]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-07-20 714024]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\MAM\mam.exe" [2009-09-10 1312080]

"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Aim6"=

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

"RGSC"=c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

"mount.exe"=c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe /z

"PSwitch"=c:\docume~1\Harsh\LOCALS~1\Temp\RarSFX0\App\ProxySwitcher.exe

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" -silent

"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"CmUsbSound"=RunDll32 cmcnfgu.cpl,CMICtrlWnd

"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"nwiz"=nwiz.exe /install

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

"RTHDCPL"=RTHDCPL.EXE

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Alcmtr"=ALCMTR.EXE

"AlcWzrd"=ALCWZRD.EXE

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

"SoundMan"=SOUNDMAN.EXE

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntivirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"e:\\Games\\UnrealTournament\\System\\UnrealTournament.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\River Past\\Crazi Video\\CraziVideo.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"24537:TCP"= 24537:TCP:*:Disabled:vuze

"24537:UDP"= 24537:UDP:*:Disabled:vuze1

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/26/2009 10:26 PM 64160]

R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [12/7/2008 3:17 PM 15976]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/12/2009 8:53 PM 36368]

R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [9/27/2008 8:35 PM 22784]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/12/2009 8:53 PM 335888]

R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [9/1/2009 7:53 PM 17792]

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [9/28/2008 1:18 AM 26144]

S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/12/2009 8:53 PM 225296]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/15/2009 5:04 PM 24652]

S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [1/31/2009 8:19 PM 37488]

S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 7:42 AM 64000]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [3/25/2009 12:35 PM 25472]

S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [9/12/2009 8:53 PM 488768]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [9/12/2009 8:53 PM 652552]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY

*NewlyCreated* - PGFILTER

*Deregistered* - MBAMSwissArmy

*Deregistered* - mchInjDrv

*Deregistered* - pgfilter

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-07-12 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2008-12-06 14:38]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = about:blank

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.gamespot.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\documents and settings\Harsh\Application Data\Move Networks\plugins\npqmp071504000001.dll

FF - plugin: c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-17 12:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-1647877149-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:6b,15,45,50,47,ea,b4,ce,7d,5e,7e,12,06,78,44,cd,41,1b,1d,4f,f6,bc,04,

e1,ce,1e,1d,79,84,0c,d7,a8,c6,38,e6,85,5d,60,fe,ad,d8,1b,f1,45,a0,08,e6,00,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1960408961-1647877149-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:87,8d,0f,e6,99,03,5b,33,19,70,fa,de,cf,5c,7d,98,0a,f7,43,26,0f,

bd,f2,27,ed,a1,ec,3c,95,3f,cf,f9,32,a5,23,3a,a9,bf,1d,4b,3b,70,d6,f1,26,85,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

.

Completion time: 2009-09-17 12:14

ComboFix-quarantined-files.txt 2009-09-17 16:14

Pre-Run: 5,861,773,312 bytes free

Post-Run: 6,052,184,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

400 --- E O F --- 2009-09-10 03:29

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:23:16 PM, on 9/17/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\dkservice.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\Razer\DeathAdder\razerhid.exe

C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Documents and Settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe

C:\Program Files\Razer\DeathAdder\razerofa.exe

C:\WINDOWS\TEMP\SZ2FA2.EXE

C:\WINDOWS\System32\alg.exe

C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe

C:\WINDOWS\system32\pnkbstrb.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Xfire\xfire.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files\Razer\DeathAdder\razerhid.exe"

O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.23\RivaTuner.exe" /S

O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\MAM\mam.exe" /runcleanupscript

O4 - HKLM\..\Run: [spyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"

O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Documents and Settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8459 bytes


  • Staff

Hi,

I notice that you are using more than one antivirus program (Avira, Norton, and Trend Micro). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Also, I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

FCOPY::

c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\TCPIP.SYS

c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\dllcache\TCPIP.SYS

KILLALL::

Registry::

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Aim6"=-

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317

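As an added example (not part of this thread, and not code from ComboFix or HijackThis), a small Python triage script that applies the checks raised in the reply above to constructed sample lines modelled on the logs posted here: more than one antivirus product registered, an AV whose on-access scanning is disabled or whose definitions are outdated, running processes or autorun entries launched from a Temp folder, and services listed with an unknown owner. The regexes and the sample log are my own assumptions about the line formats as they appear in this thread.

```python
"""Triage helper for ComboFix / HijackThis logs (added example, not part of the thread).

It applies the checks raised in the reply above to sample log lines:
  - more than one antivirus product registered (ComboFix 'AV:' header lines),
  - an AV whose on-access scanning is disabled or whose definitions are outdated,
  - running processes or autorun entries launched from a Temp folder,
  - services with 'Unknown owner'.
The regexes model the line formats as seen in this thread; they are assumptions.
"""
import re
from dataclasses import dataclass

# ComboFix header line, e.g. "AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {GUID}"
AV_LINE = re.compile(r"^AV:\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*\s+\((?P<updated>[^)]+)\)")
# HijackThis O4 autorun line: O4 - HKLM\..\Run: [Name] command
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# HijackThis O23 service line: O23 - Service: Name - Owner - Path
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Entries under "Running processes:" are bare paths
PROCESS_LINE = re.compile(r"^[a-z]:\\", re.I)
# Temp folders as they appear on XP, in long and 8.3 form
TEMP_PATH = re.compile(r"\\temp\\|\\locals~1\\temp|\\local settings\\temp", re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    av_products = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_LINE.match(line)
        if m:
            av_products.append((m["name"], m["state"], m["updated"]))
            continue
        m = O4_LINE.match(line)
        if m:
            if TEMP_PATH.search(m["cmd"]):
                findings.append(Finding("autorun_from_temp", f"{m['hive']} {m['name']}: {m['cmd']}"))
            continue
        m = O23_LINE.match(line)
        if m:
            if m["owner"].lower() == "unknown owner":
                findings.append(Finding("service_unknown_owner", f"{m['name']}: {m['path']}"))
            continue
        if PROCESS_LINE.match(line) and TEMP_PATH.search(line):
            findings.append(Finding("process_from_temp", line))
    # Several resident AVs interfere with each other (the point made in the reply above).
    if len(av_products) > 1:
        findings.append(Finding("multiple_av", ", ".join(p[0] for p in av_products)))
    # An AV that is registered but not scanning, or out of date, gives no real protection.
    for name, state, updated in av_products:
        if "disabled" in state.lower() or updated.lower() == "outdated":
            findings.append(Finding("av_not_protecting", f"{name}: {state}, {updated}"))
    return findings


def summarize(findings):
    """Group finding details by kind, preserving the order they were found in."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.detail)
    return grouped


# Constructed sample, modelled on the ComboFix and HijackThis lines in this thread.
SAMPLE_LOG = r"""
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton AntiVirus Gaming Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {9AC2629D-D77E-4A61-9E41-C3603E4B7582}
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\SZ2FA2.EXE
O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files\Razer\DeathAdder\razerhid.exe"
O4 - HKCU\..\Run: [PSwitch] c:\docume~1\Harsh\LOCALS~1\Temp\RarSFX0\App\ProxySwitcher.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for kind, details in summarize(triage(SAMPLE_LOG)).items():
        print(kind)
        for d in details:
            print("   ", d)
```

A flagged line is a lead to check, not a verdict: PunkBuster's PnkBstrA legitimately reports no owner, which is exactly why the script groups hits by kind rather than deleting anything.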

Hello screen.

Avira and Norton Antivirus do not show up under add/remove programs area. I am pretty sure I do not have either of them installed. I tried installing both of them last week before the rootkit.tdss got removed yesterday (don't ask me how but rootkit.tdss does not show up anymore under MBAM after scanning last night) but it kept getting blocked while trying to install when I tried last week. The only AV program that I know I have installed currently and working is Trend Micro Open Office. I uninstalled Viewpoint Manager btw.

It is still showing up under ComboFix.. From those 4 listed anti-virus programs, I only have Trend Micro OfficeScan AntiVirus installed. None of the other 3 are installed - doesn't make sense. Maybe it is stuck in the registry someplace? I used RegScrubXP and it does not show up under there.. I dunno..

-H.S

ComboFix 09-09-16.05 - Harsh 09/18/2009 13:14.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2810 [GMT -4:00]

Running from: c:\documents and settings\Harsh\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Harsh\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton AntiVirus Gaming Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {9AC2629D-D77E-4A61-9E41-C3603E4B7582}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\system32\drivers\TCPIP.SYS

c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys --> c:\windows\system32\dllcache\TCPIP.SYS

.

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))

.

2009-09-18 02:23 . 2009-09-18 02:23 -------- dc----w- c:\documents and settings\Harsh\Application Data\DAEMON Tools Lite

2009-09-17 23:41 . 2009-09-17 23:43 -------- dc----w- c:\program files\Spybot - Search & Destroy

2009-09-16 22:32 . 2009-09-16 22:32 -------- dc----w- c:\program files\Enigma Software Group

2009-09-16 20:47 . 2009-09-16 20:47 -------- dc----w- c:\documents and settings\Harsh\Application Data\Malwarebytes

2009-09-16 20:45 . 2009-09-10 18:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-16 20:45 . 2009-09-16 20:47 -------- dc----w- c:\program files\MAM

2009-09-16 20:45 . 2009-09-10 18:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys

2009-09-13 00:56 . 2009-05-07 07:04 157712 -c--a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-13 00:54 . 2009-09-13 00:54 -------- dc----w- C:\VIRUS

2009-09-13 00:53 . 2009-07-20 16:00 72072 -c--a-w- c:\windows\system32\drivers\tmtdi.sys

2009-09-13 00:53 . 2009-07-20 16:00 335888 -c--a-w- c:\windows\system32\drivers\TM_CFW.sys

2009-09-13 00:22 . 2009-09-13 00:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\AVG8

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\documents and settings\Harsh\Local Settings\Application Data\FreeFixer

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\documents and settings\Harsh\Application Data\FreeFixer

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\program files\FreeFixer

2009-09-12 23:46 . 2009-09-13 00:33 -------- dc----w- c:\program files\Panda Security

2009-09-12 23:42 . 2009-09-14 05:08 32 -csha-w- c:\windows\system32\drivers\fidbox2.dat

2009-09-12 23:42 . 2009-09-14 05:08 32 -csha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-12 23:15 . 2009-09-13 00:37 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-12 23:15 . 2009-09-12 23:15 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-12 22:04 . 2009-09-12 22:04 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-09-12 21:42 . 2009-09-13 17:09 -------- dc----w- c:\program files\Common Files\ParetoLogic

2009-09-12 21:42 . 2009-09-13 17:09 -------- dc----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-09-12 21:42 . 2009-09-12 21:42 -------- dc----w- c:\documents and settings\Harsh\Local Settings\Application Data\Downloaded Installations

2009-09-12 21:19 . 2009-09-12 21:19 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-04 00:02 . 2009-09-15 00:57 -------- dc----w- C:\alg

2009-09-04 00:02 . 2002-04-24 13:32 26832 -c--a-w- c:\windows\system\CTL3DV2.DLL

2009-09-03 18:07 . 2009-09-03 18:07 41872 -c--a-w- c:\windows\system32\xfcodec.dll

2009-09-02 12:57 . 2009-09-13 12:48 45 -c--a-w- c:\documents and settings\Harsh\jagex_runescape_preferences2.dat

2009-09-02 03:28 . 2009-09-02 03:28 -------- dc----w- c:\windows\system32\log

2009-09-02 03:27 . 2009-09-16 23:16 -------- dc----w- c:\program files\Trend Micro

2009-09-02 00:05 . 2009-09-02 00:31 -------- dc----w- C:\vcs5BGEffects

2009-09-02 00:05 . 2009-09-02 00:35 -------- dc----w- c:\program files\AV Vcs 6.0 DIAMOND

2009-09-01 23:55 . 2009-09-01 23:55 -------- dc----w- C:\AV_LOGS

2009-09-01 23:53 . 2008-12-10 20:56 17792 -c--a-w- c:\windows\system32\drivers\vcsvad.sys

2009-09-01 23:53 . 2009-09-01 23:56 -------- dc----w- c:\program files\AV Vcs 7.0 GOLD

2009-09-01 23:49 . 2009-09-01 23:49 -------- dc----w- c:\documents and settings\Harsh\Application Data\Screaming Bee

2009-09-01 23:49 . 2009-09-01 23:49 -------- dc----w- c:\program files\Screaming Bee

2009-08-29 21:03 . 2009-09-03 14:47 -------- dc----w- c:\program files\TuneUpMedia

2009-08-29 21:03 . 2009-09-15 23:36 -------- dc----w- c:\documents and settings\Harsh\Application Data\TuneUpMedia

2009-08-29 21:03 . 2009-08-29 21:03 -------- dc----w- c:\documents and settings\All Users\Application Data\TuneUpMedia

2009-08-29 03:14 . 2009-08-29 03:14 -------- dc----w- C:\TempDVD

2009-08-29 03:14 . 2009-08-29 03:14 -------- dc----w- C:\dvdsanta

2009-08-28 00:26 . 2009-08-28 00:26 164056 -c--a-w- c:\windows\Crazi Video Pro Uninstaller.exe

2009-08-27 01:34 . 2009-08-27 01:34 -------- dc----w- c:\documents and settings\Harsh\Application Data\Creative

2009-08-27 01:33 . 2009-08-27 01:34 -------- dc----w- c:\documents and settings\All Users\Application Data\Creative

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{615DB4DC-B7C1-4125-9858-78EF460B76D2}

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc----w- c:\program files\Creative

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{56E59A1F-0DC5-4811-98E4-BA033E048C84}

2009-08-23 14:58 . 2009-08-23 14:58 -------- dc----w- c:\program files\NVIDIA Corporation

2009-08-23 14:58 . 2009-08-23 14:58 -------- dc----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2009-08-23 14:57 . 2009-08-23 14:57 -------- dc----w- C:\NVIDIA

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-18 17:18 . 2008-09-27 22:55 -------- dc----w- c:\program files\PeerGuardian2

2009-09-18 17:12 . 2008-09-28 03:49 -------- dc----w- c:\documents and settings\Harsh\Application Data\Azureus

2009-09-18 17:02 . 2008-09-27 22:30 -------- dc----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-09-18 03:26 . 2008-10-04 23:05 -------- dc----w- c:\documents and settings\Harsh\Application Data\Xfire

2009-09-18 03:26 . 2008-09-27 22:40 -------- dc----w- c:\documents and settings\Harsh\Application Data\mIRC

2009-09-18 02:23 . 2008-09-27 23:55 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-09-17 23:46 . 2008-09-27 22:50 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-17 23:25 . 2008-09-27 22:40 -------- dc----w- c:\program files\mIRC

2009-09-17 21:20 . 2008-10-04 23:05 -------- dc----w- c:\program files\Xfire

2009-09-17 19:48 . 2009-05-03 23:24 189184 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-09-17 19:08 . 2009-06-24 21:07 138064 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-09-16 02:32 . 2008-09-27 23:01 -------- dc----w- c:\program files\RegScrubXP

2009-09-15 23:17 . 2008-09-28 00:08 -------- dc----w- c:\documents and settings\Harsh\Application Data\LimeWire

2009-09-14 05:08 . 2009-09-12 23:42 32 -csha-w- c:\windows\system32\drivers\fidbox2.idx

2009-09-14 05:08 . 2009-09-12 23:42 32 -csha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-13 14:21 . 2008-10-07 20:30 37 -c--a-w- c:\documents and settings\Harsh\jagex_runescape_preferences.dat

2009-09-13 00:32 . 2009-01-13 02:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\id Software

2009-09-13 00:31 . 2009-04-30 02:08 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-12 22:05 . 2009-01-27 02:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0

2009-09-12 22:05 . 2009-01-27 02:23 -------- dc----w- c:\program files\Lavasoft

2009-09-12 22:05 . 2008-09-27 22:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-09-10 15:48 . 2009-03-21 19:09 -------- dc----w- c:\program files\Microsoft Silverlight

2009-09-10 03:27 . 2009-04-25 00:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-29 21:03 . 2008-12-26 22:47 -------- dc----w- c:\program files\iTunes

2009-08-29 21:02 . 2008-09-28 03:48 -------- dc----w- c:\program files\Vuze

2009-08-29 03:14 . 2008-12-24 19:44 -------- dc----w- c:\documents and settings\Harsh\Application Data\DVD Flick

2009-08-29 03:14 . 2008-12-24 19:40 -------- dc----w- c:\program files\dvdSanta

2009-08-29 02:53 . 2008-10-09 01:50 -------- dc----w- c:\program files\DivX

2009-08-29 02:53 . 2009-07-11 04:52 -------- dc----w- c:\program files\Common Files\DivX Shared

2009-08-29 02:16 . 2009-07-14 03:40 -------- dc----w- c:\documents and settings\Harsh\Application Data\Hamachi

2009-08-28 01:35 . 2008-11-23 02:37 -------- dc----w- c:\documents and settings\Harsh\Application Data\River Past G5

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\program files\Common Files\River Past

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\documents and settings\All Users\Application Data\River Past G5

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\program files\River Past

2009-08-23 14:59 . 2008-09-27 22:24 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-23 14:59 . 2008-09-27 22:24 -------- dc----w- c:\program files\AGEIA Technologies

2009-08-22 20:50 . 2008-10-19 01:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\Apple Computer

2009-08-20 00:02 . 2009-02-23 00:06 56324 -c-ha-w- c:\windows\system32\mlfcache.dat

2009-08-17 07:04 . 2009-08-17 07:04 2173472 -c--a-w- c:\windows\system32\nvcplui.exe

2009-08-17 07:04 . 2009-08-17 07:04 81920 -c--a-w- c:\windows\system32\nvwddi.dll

2009-08-17 07:03 . 2009-08-17 07:03 3170304 -c--a-w- c:\windows\system32\nvwss.dll

2009-08-17 07:03 . 2009-08-17 07:03 4026368 -c--a-w- c:\windows\system32\nvvitvs.dll

2009-08-17 07:03 . 2009-08-17 07:03 188416 -c--a-w- c:\windows\system32\nvmccss.dll

2009-08-17 07:03 . 2009-08-17 07:03 1286144 -c--a-w- c:\windows\system32\nvmobls.dll

2009-08-17 07:03 . 2009-08-17 07:03 3547136 -c--a-w- c:\windows\system32\nvgames.dll

2009-08-17 07:03 . 2009-08-17 07:03 4923392 -c--a-w- c:\windows\system32\nvdisps.dll

2009-08-17 07:03 . 2009-08-17 07:03 86016 -c--a-w- c:\windows\system32\nvmctray.dll

2009-08-17 07:03 . 2009-08-17 07:03 168004 -c--a-w- c:\windows\system32\nvsvc32.exe

2009-08-17 07:03 . 2009-08-17 07:03 143360 -c--a-w- c:\windows\system32\nvcolor.exe

2009-08-17 07:03 . 2009-08-17 07:03 13877248 -c--a-w- c:\windows\system32\nvcpl.dll

2009-08-17 07:02 . 2009-08-17 07:02 229376 -c--a-w- c:\windows\system32\nvmccs.dll

2009-08-17 04:57 . 2009-08-17 04:57 2189856 -c--a-w- c:\windows\system32\nvcuvid.dll

2009-08-17 04:57 . 2009-08-17 04:57 1706528 -c--a-w- c:\windows\system32\nvcuvenc.dll

2009-08-17 04:57 . 2009-08-17 04:57 1597690 -c--a-w- c:\windows\system32\nvdata.bin

2009-08-17 04:57 . 2009-01-18 03:17 485920 -c--a-w- c:\windows\system32\nvudisp.exe

2009-08-17 04:57 . 2009-01-18 03:16 10457088 -c--a-w- c:\windows\system32\nvoglnt.dll

2009-08-17 04:57 . 2009-01-18 03:16 868352 -c--a-w- c:\windows\system32\nvapi.dll

2009-08-17 04:57 . 2009-01-18 03:16 2002944 -c--a-w- c:\windows\system32\nvcuda.dll

2009-08-17 04:57 . 2009-01-18 03:16 155648 -c--a-w- c:\windows\system32\nvcodins.dll

2009-08-17 04:57 . 2009-01-18 03:16 155648 -c--a-w- c:\windows\system32\nvcod.dll

2009-08-17 04:57 . 2008-09-17 13:55 7729568 -c--a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-08-17 04:57 . 2008-09-17 13:55 5845760 -c--a-w- c:\windows\system32\nv4_disp.dll

2009-08-14 17:36 . 2009-08-14 17:36 70936 -c--a-w- c:\windows\system32\PhysXLoader.dll

2009-08-13 18:34 . 2008-10-22 00:47 -------- dc----w- c:\program files\Opera

2009-08-11 21:33 . 2009-08-11 21:33 -------- dc----w- c:\program files\CrossLoop

2009-08-11 19:45 . 2009-08-11 19:45 -------- dc----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-08-11 19:45 . 2009-08-11 19:45 -------- dc----w- c:\program files\DVD Shrink

2009-08-11 16:35 . 2009-01-18 03:17 485920 -c--a-w- c:\windows\system32\NVUNINST.EXE

2009-08-10 00:30 . 2009-08-10 00:05 -------- dc----w- c:\documents and settings\Harsh\Application Data\Download Manager

2009-08-08 22:42 . 2008-09-27 22:00 -------- dc-h--w- c:\program files\InstallShield Installation Information

2009-08-08 21:27 . 2009-08-08 21:27 -------- dc----w- c:\program files\LimeWire

2009-08-05 09:11 . 2004-08-03 23:56 204800 -c--a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 21:41 . 2009-08-03 20:30 -------- dc----w- c:\documents and settings\Harsh\Application Data\mp3rocket

2009-08-03 20:31 . 2009-08-03 20:30 -------- dc----w- c:\program files\MP3 Rocket

2009-08-03 04:21 . 2009-08-03 04:21 23320 -c--a-w- c:\windows\system32\PhysXDevice.dll

2009-08-03 01:50 . 2009-08-03 01:50 -------- dc----w- c:\program files\Sorian AI Mod

2009-07-29 21:36 . 2008-09-28 14:34 -------- dc----w- c:\documents and settings\Harsh\Application Data\vlc

2009-07-29 21:21 . 2009-07-29 21:21 -------- dc----w- c:\documents and settings\Harsh\Application Data\MozillaControl

2009-07-29 21:21 . 2009-07-29 21:21 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12

2009-07-29 21:21 . 2009-07-29 21:20 -------- dc----w- c:\program files\Graboid

2009-07-26 22:48 . 2008-10-02 19:35 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-26 22:35 . 2008-10-19 01:20 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-26 22:33 . 2009-07-26 22:32 -------- dc----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-26 22:32 . 2009-07-26 22:32 -------- dc----w- c:\program files\iPod

2009-07-26 22:32 . 2008-10-19 01:21 -------- dc----w- c:\program files\Common Files\Apple

2009-07-26 22:31 . 2009-07-26 22:31 -------- dc----w- c:\program files\Bonjour

2009-07-26 22:31 . 2008-12-26 21:36 -------- dc----w- c:\program files\QuickTime

2009-07-25 12:20 . 2008-10-02 19:35 -------- dc----w- c:\program files\NOS

2009-07-22 20:00 . 2009-07-22 20:00 -------- dc----w- c:\program files\Driver Sweeper

2009-07-17 20:52 . 2008-09-27 21:08 68456 -c--a-w- c:\documents and settings\Harsh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-17 18:55 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2007-09-20 04:50 286208 -c--a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 16:16 . 2009-07-26 22:30 2060288 -c--a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 16:16 . 2008-12-26 20:50 39424 -c--a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-03 17:09 . 2007-09-20 04:59 915456 ------w- c:\windows\system32\wininet.dll

2009-06-25 18:36 . 2004-08-03 23:56 95744 -c--a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2004-08-03 23:56 661504 -c--a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2004-08-03 23:56 517120 -c--a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2004-08-03 23:56 48640 -c--a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2004-08-03 23:56 471552 -c--a-w- c:\windows\system32\mqutil.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\opera\program\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\opera\program\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-17_16.13.21 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-18 17:17 . 2009-09-18 17:17 16384 c:\windows\temp\Perflib_Perfdata_130.dat

+ 2009-09-18 17:18 . 2009-07-20 16:01 296224 c:\windows\temp\CGE222.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

"EVEREST AutoStart"="c:\documents and settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe" [2008-12-24 2159200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]

"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.23\RivaTuner.exe" [2009-02-15 2777088]

"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 358920]

"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 1548296]

"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2008-11-06 2816520]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-07-20 714024]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

"RGSC"=c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

"mount.exe"=c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe /z

"PSwitch"=c:\docume~1\Harsh\LOCALS~1\Temp\RarSFX0\App\ProxySwitcher.exe

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" -silent

"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"CmUsbSound"=RunDll32 cmcnfgu.cpl,CMICtrlWnd

"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"nwiz"=nwiz.exe /install

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

"RTHDCPL"=RTHDCPL.EXE

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Alcmtr"=ALCMTR.EXE

"AlcWzrd"=ALCWZRD.EXE

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

"SoundMan"=SOUNDMAN.EXE

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

"Malwarebytes Anti-Malware (reboot)"="c:\program files\MAM\mam.exe" /runcleanupscript

"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntivirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"e:\\Games\\UnrealTournament\\System\\UnrealTournament.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\River Past\\Crazi Video\\CraziVideo.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"24537:TCP"= 24537:TCP:vuze

"24537:UDP"= 24537:UDP:*:Disabled:vuze1

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/26/2009 10:26 PM 64160]

R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [12/7/2008 3:17 PM 15976]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/12/2009 8:53 PM 36368]

R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [9/27/2008 8:35 PM 22784]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/12/2009 8:53 PM 335888]

R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [9/1/2009 7:53 PM 17792]

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [9/28/2008 1:18 AM 26144]

S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/12/2009 8:53 PM 225296]

S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [1/31/2009 8:19 PM 37488]

S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 7:42 AM 64000]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [3/25/2009 12:35 PM 25472]

S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [9/12/2009 8:53 PM 488768]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [9/12/2009 8:53 PM 652552]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER

*Deregistered* - pgfilter

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-07-12 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2008-12-06 14:38]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = about:blank

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.gamespot.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\documents and settings\Harsh\Application Data\Move Networks\plugins\npqmp071504000001.dll

FF - plugin: c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-18 13:18

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-1647877149-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:6b,15,45,50,47,ea,b4,ce,7d,5e,7e,12,06,78,44,cd,41,1b,1d,4f,f6,bc,04,

e1,ce,1e,1d,79,84,0c,d7,a8,c6,38,e6,85,5d,60,fe,ad,d8,1b,f1,45,a0,08,e6,00,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1960408961-1647877149-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:87,8d,0f,e6,99,03,5b,33,19,70,fa,de,cf,5c,7d,98,0a,f7,43,26,0f,

bd,f2,27,ed,a1,ec,3c,95,3f,cf,f9,32,a5,23,3a,a9,bf,1d,4b,3b,70,d6,f1,26,85,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3084)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Creative\Shared Files\CTDevSrv.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Razer\DeathAdder\razerofa.exe

c:\program files\Trend Micro\OfficeScan Client\Misc\xpupg.exe

c:\program files\Trend Micro\OfficeScan Client\PccNTUpd.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-18 13:22 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-18 17:21

ComboFix2.txt 2009-09-17 16:14

Pre-Run: 5,579,206,656 bytes free

Post-Run: 5,872,115,712 bytes free

358 --- E O F --- 2009-09-10 03:29

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:24:44 PM, on 9/18/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\dkservice.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Razer\DeathAdder\razerhid.exe

C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe

C:\Program Files\Razer\DeathAdder\razerofa.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files\Razer\DeathAdder\razerhid.exe"

O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.23\RivaTuner.exe" /S

O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"

O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Documents and Settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--

End of file - 7220 bytes


  • Staff

Hi,

Avira and Norton Antivirus do not show up under add/remove programs area. I am pretty sure I do not have either of them installed. I tried installing both of them last week before

Okay, we'll remove the remnants manually.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

SecCenter::

{AD166499-45F9-482A-A743-FDD3350758C7}

{E10A9785-9598-4754-B552-92431C1C35F8}

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317

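Added here as a worked example, not ComboFix's own code and not something either poster ran: a short Python script that pulls the AV:/FW: registration lines and the Rn/Sn service and driver lines out of a ComboFix log, flags registered products whose vendor name appears in no service or driver line (an assumed heuristic, a hint for the analyst rather than proof of a remnant), and writes out the SecCenter:: CFScript in the layout the staff reply uses. The sample text is copied from the 09-22 log in this thread; the function names and the "orphan" heuristic are mine.

```python
"""Triage the security-product header of a ComboFix log.

Added example for this thread, not ComboFix's own code. It parses the
"AV:" / "FW:" lines ComboFix prints at the top of its report and the
"Rn"/"Sn" service and driver lines, then builds the SecCenter:: CFScript
the staff reply asks for. The sample lines are copied from the 09-22 log
posted above; the "orphan" rule (a registered product whose vendor shows
up in no service or driver line) is an assumption and only a hint.
"""
import re

# Constructed sample: header and service lines copied from the 09-22 log.
SAMPLE_LOG = r"""
ComboFix 09-09-22.01 - Harsh 09/22/2009 18:33.3.2 - NTFSx86
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton AntiVirus Gaming Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {9AC2629D-D77E-4A61-9E41-C3603E4B7582}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/12/2009 8:53 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/12/2009 8:53 PM 335888]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [9/12/2009 8:53 PM 488768]
"""

# "AV: <name> *<state>* (Updated|Outdated) {GUID}"; the (Updated) part is
# absent on FW: lines, so it is optional.
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*"
    r"(?: \((?P<updated>Updated|Outdated)\))? (?P<guid>\{[0-9A-Fa-f-]{36}\})$"
)

# "R2 svcname;description;path [date size]" as printed by ComboFix.
SERVICE_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[")


def parse_products(log_text):
    """Return one dict per AV:/FW: line: kind, name, state, updated, guid, enabled."""
    products = []
    for line in log_text.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["enabled"] = "disabled" not in entry["state"]
            products.append(entry)
    return products


def parse_services(log_text):
    """Return one dict per service/driver line: svc, desc, path."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return services


def vendor_token(name):
    """First word of the product name, lower-cased ('Avira', 'Norton', 'Trend')."""
    return name.split()[0].lower()


def find_orphans(products, services):
    """Registered products whose vendor appears in no service or driver line.

    Assumed heuristic: a product that is really installed normally has at
    least one driver or service; a registration without one is a candidate
    remnant for the analyst to confirm (e.g. against Add/Remove Programs).
    """
    haystack = " ".join(
        f"{s['svc']} {s['desc']} {s['path']}" for s in services
    ).lower()
    return [p for p in products if vendor_token(p["name"]) not in haystack]


def build_cfscript(products, names):
    """SecCenter:: CFScript (layout as in the staff reply) for products whose
    name starts with one of `names`."""
    guids = [p["guid"] for p in products
             if any(p["name"].startswith(n) for n in names)]
    if not guids:
        raise ValueError("no registered product matched the given names")
    return "SecCenter::\n" + "\n".join(guids) + "\n"


if __name__ == "__main__":
    prods = parse_products(SAMPLE_LOG)
    svcs = parse_services(SAMPLE_LOG)
    for p in prods:
        flag = "ORPHAN?" if p in find_orphans(prods, svcs) else "ok"
        print(f"{p['kind']} {p['guid']} {p['name']!r} enabled={p['enabled']} "
              f"updated={p['updated']} {flag}")
    print(build_cfscript(prods, ["Avira", "Norton"]))
```

Run it against a saved ComboFix.txt by reading the file into `parse_products`/`parse_services` instead of `SAMPLE_LOG`; the orphan list is only a prompt to check, and the GUIDs you pass to `build_cfscript` should be the ones the analyst has confirmed, exactly as the staff reply does by naming the two entries explicitly.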

Hey, sorry about the late response. I still cannot get rid of the AntiVir and Norton AntiVirus thing.

Thanks

ComboFix 09-09-22.01 - Harsh 09/22/2009 18:33.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2442 [GMT -4:00]

Running from: c:\documents and settings\Harsh\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Harsh\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton AntiVirus Gaming Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {9AC2629D-D77E-4A61-9E41-C3603E4B7582}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))

.

2009-09-20 23:23 . 2009-09-20 23:23 -------- dc----w- c:\program files\JoshMadison

2009-09-18 22:37 . 2009-09-18 22:37 -------- dc----w- c:\documents and settings\NetworkService\Application Data\Azureus

2009-09-18 21:31 . 2009-09-18 21:31 -------- dc----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-09-18 21:31 . 2009-09-18 21:31 -------- dc----w- c:\program files\DAEMON Tools Toolbar

2009-09-18 21:31 . 2009-09-20 20:38 -------- dc----w- c:\program files\DAEMON Tools Lite

2009-09-18 19:43 . 2009-09-18 19:43 -------- dc----w- C:\Downloads

2009-09-18 02:23 . 2009-09-18 21:53 -------- dc----w- c:\documents and settings\Harsh\Application Data\DAEMON Tools Lite

2009-09-17 23:41 . 2009-09-17 23:43 -------- dc----w- c:\program files\Spybot - Search & Destroy

2009-09-16 22:32 . 2009-09-16 22:32 -------- dc----w- c:\program files\Enigma Software Group

2009-09-16 20:47 . 2009-09-16 20:47 -------- dc----w- c:\documents and settings\Harsh\Application Data\Malwarebytes

2009-09-16 20:45 . 2009-09-10 18:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-16 20:45 . 2009-09-16 20:47 -------- dc----w- c:\program files\MAM

2009-09-16 20:45 . 2009-09-10 18:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys

2009-09-13 00:56 . 2009-05-07 07:04 157712 -c--a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-13 00:54 . 2009-09-13 00:54 -------- dc----w- C:\VIRUS

2009-09-13 00:53 . 2009-07-20 16:00 72072 -c--a-w- c:\windows\system32\drivers\tmtdi.sys

2009-09-13 00:53 . 2009-07-20 16:00 335888 -c--a-w- c:\windows\system32\drivers\TM_CFW.sys

2009-09-13 00:22 . 2009-09-13 00:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\AVG8

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\documents and settings\Harsh\Local Settings\Application Data\FreeFixer

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\documents and settings\Harsh\Application Data\FreeFixer

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\program files\FreeFixer

2009-09-12 23:46 . 2009-09-13 00:33 -------- dc----w- c:\program files\Panda Security

2009-09-12 23:42 . 2009-09-14 05:08 32 -csha-w- c:\windows\system32\drivers\fidbox2.dat

2009-09-12 23:42 . 2009-09-14 05:08 32 -csha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-12 23:15 . 2009-09-13 00:37 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-12 23:15 . 2009-09-12 23:15 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-12 22:04 . 2009-09-12 22:04 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-09-12 21:42 . 2009-09-13 17:09 -------- dc----w- c:\program files\Common Files\ParetoLogic

2009-09-12 21:42 . 2009-09-13 17:09 -------- dc----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-09-12 21:42 . 2009-09-12 21:42 -------- dc----w- c:\documents and settings\Harsh\Local Settings\Application Data\Downloaded Installations

2009-09-12 21:19 . 2009-09-12 21:19 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-04 00:02 . 2009-09-15 00:57 -------- dc----w- C:\alg

2009-09-04 00:02 . 2002-04-24 13:32 26832 -c--a-w- c:\windows\system\CTL3DV2.DLL

2009-09-03 18:07 . 2009-09-03 18:07 41872 -c--a-w- c:\windows\system32\xfcodec.dll

2009-09-02 12:57 . 2009-09-20 11:54 45 -c--a-w- c:\documents and settings\Harsh\jagex_runescape_preferences2.dat

2009-09-02 03:28 . 2009-09-02 03:28 -------- dc----w- c:\windows\system32\log

2009-09-02 03:27 . 2009-09-16 23:16 -------- dc----w- c:\program files\Trend Micro

2009-09-02 00:05 . 2009-09-02 00:31 -------- dc----w- C:\vcs5BGEffects

2009-09-02 00:05 . 2009-09-02 00:35 -------- dc----w- c:\program files\AV Vcs 6.0 DIAMOND

2009-09-01 23:55 . 2009-09-01 23:55 -------- dc----w- C:\AV_LOGS

2009-09-01 23:53 . 2008-12-10 20:56 17792 -c--a-w- c:\windows\system32\drivers\vcsvad.sys

2009-09-01 23:53 . 2009-09-01 23:56 -------- dc----w- c:\program files\AV Vcs 7.0 GOLD

2009-09-01 23:49 . 2009-09-01 23:49 -------- dc----w- c:\documents and settings\Harsh\Application Data\Screaming Bee

2009-09-01 23:49 . 2009-09-01 23:49 -------- dc----w- c:\program files\Screaming Bee

2009-08-29 21:03 . 2009-09-03 14:47 -------- dc----w- c:\program files\TuneUpMedia

2009-08-29 21:03 . 2009-09-19 19:09 -------- dc----w- c:\documents and settings\Harsh\Application Data\TuneUpMedia

2009-08-29 21:03 . 2009-08-29 21:03 -------- dc----w- c:\documents and settings\All Users\Application Data\TuneUpMedia

2009-08-29 03:14 . 2009-08-29 03:14 -------- dc----w- C:\TempDVD

2009-08-29 03:14 . 2009-08-29 03:14 -------- dc----w- C:\dvdsanta

2009-08-28 00:26 . 2009-08-28 00:26 164056 -c--a-w- c:\windows\Crazi Video Pro Uninstaller.exe

2009-08-27 01:34 . 2009-08-27 01:34 -------- dc----w- c:\documents and settings\Harsh\Application Data\Creative

2009-08-27 01:33 . 2009-08-27 01:34 -------- dc----w- c:\documents and settings\All Users\Application Data\Creative

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{615DB4DC-B7C1-4125-9858-78EF460B76D2}

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc----w- c:\program files\Creative

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{56E59A1F-0DC5-4811-98E4-BA033E048C84}

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-22 22:35 . 2008-09-27 22:55 -------- dc----w- c:\program files\PeerGuardian2

2009-09-22 22:29 . 2008-10-04 23:05 -------- dc----w- c:\documents and settings\Harsh\Application Data\Xfire

2009-09-22 21:31 . 2008-10-04 23:05 -------- dc----w- c:\program files\Xfire

2009-09-22 02:26 . 2008-09-27 22:40 -------- dc----w- c:\documents and settings\Harsh\Application Data\mIRC

2009-09-21 19:01 . 2008-09-28 03:49 -------- dc----w- c:\documents and settings\Harsh\Application Data\Azureus

2009-09-21 03:10 . 2008-09-27 22:40 -------- dc----w- c:\program files\mIRC

2009-09-21 02:32 . 2009-05-03 23:24 189104 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-09-21 01:50 . 2009-06-24 21:07 139584 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-09-20 13:26 . 2008-10-07 20:30 37 -c--a-w- c:\documents and settings\Harsh\jagex_runescape_preferences.dat

2009-09-19 19:09 . 2008-09-28 00:08 -------- dc----w- c:\documents and settings\Harsh\Application Data\LimeWire

2009-09-19 04:30 . 2008-09-27 22:00 -------- dc-h--w- c:\program files\InstallShield Installation Information

2009-09-18 22:51 . 2009-05-17 00:35 -------- dc----w- c:\documents and settings\Harsh\Application Data\Orbit

2009-09-18 17:35 . 2008-09-27 23:01 -------- dc----w- c:\program files\RegScrubXP

2009-09-18 17:02 . 2008-09-27 22:30 -------- dc----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-09-18 02:23 . 2008-09-27 23:55 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-09-17 23:46 . 2008-09-27 22:50 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-14 05:08 . 2009-09-12 23:42 32 -csha-w- c:\windows\system32\drivers\fidbox2.idx

2009-09-14 05:08 . 2009-09-12 23:42 32 -csha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-13 00:32 . 2009-01-13 02:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\id Software

2009-09-13 00:31 . 2009-04-30 02:08 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-12 22:05 . 2009-01-27 02:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0

2009-09-12 22:05 . 2009-01-27 02:23 -------- dc----w- c:\program files\Lavasoft

2009-09-12 22:05 . 2008-09-27 22:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-09-10 15:48 . 2009-03-21 19:09 -------- dc----w- c:\program files\Microsoft Silverlight

2009-09-10 03:27 . 2009-04-25 00:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-29 21:03 . 2008-12-26 22:47 -------- dc----w- c:\program files\iTunes

2009-08-29 21:02 . 2008-09-28 03:48 -------- dc----w- c:\program files\Vuze

2009-08-29 03:14 . 2008-12-24 19:44 -------- dc----w- c:\documents and settings\Harsh\Application Data\DVD Flick

2009-08-29 03:14 . 2008-12-24 19:40 -------- dc----w- c:\program files\dvdSanta

2009-08-29 02:53 . 2008-10-09 01:50 -------- dc----w- c:\program files\DivX

2009-08-29 02:53 . 2009-07-11 04:52 -------- dc----w- c:\program files\Common Files\DivX Shared

2009-08-29 02:16 . 2009-07-14 03:40 -------- dc----w- c:\documents and settings\Harsh\Application Data\Hamachi

2009-08-28 01:35 . 2008-11-23 02:37 -------- dc----w- c:\documents and settings\Harsh\Application Data\River Past G5

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\program files\Common Files\River Past

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\documents and settings\All Users\Application Data\River Past G5

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\program files\River Past

2009-08-23 14:59 . 2008-09-27 22:24 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-23 14:59 . 2008-09-27 22:24 -------- dc----w- c:\program files\AGEIA Technologies

2009-08-23 14:58 . 2009-08-23 14:58 -------- dc----w- c:\program files\NVIDIA Corporation

2009-08-23 14:58 . 2009-08-23 14:58 -------- dc----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2009-08-22 20:50 . 2008-10-19 01:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\Apple Computer

2009-08-20 00:02 . 2009-02-23 00:06 56324 -c-ha-w- c:\windows\system32\mlfcache.dat

2009-08-17 07:04 . 2009-08-17 07:04 2173472 -c--a-w- c:\windows\system32\nvcplui.exe

2009-08-17 07:04 . 2009-08-17 07:04 81920 -c--a-w- c:\windows\system32\nvwddi.dll

2009-08-17 07:03 . 2009-08-17 07:03 3170304 -c--a-w- c:\windows\system32\nvwss.dll

2009-08-17 07:03 . 2009-08-17 07:03 4026368 -c--a-w- c:\windows\system32\nvvitvs.dll

2009-08-17 07:03 . 2009-08-17 07:03 188416 -c--a-w- c:\windows\system32\nvmccss.dll

2009-08-17 07:03 . 2009-08-17 07:03 1286144 -c--a-w- c:\windows\system32\nvmobls.dll

2009-08-17 07:03 . 2009-08-17 07:03 3547136 -c--a-w- c:\windows\system32\nvgames.dll

2009-08-17 07:03 . 2009-08-17 07:03 4923392 -c--a-w- c:\windows\system32\nvdisps.dll

2009-08-17 07:03 . 2009-08-17 07:03 86016 -c--a-w- c:\windows\system32\nvmctray.dll

2009-08-17 07:03 . 2009-08-17 07:03 168004 -c--a-w- c:\windows\system32\nvsvc32.exe

2009-08-17 07:03 . 2009-08-17 07:03 143360 -c--a-w- c:\windows\system32\nvcolor.exe

2009-08-17 07:03 . 2009-08-17 07:03 13877248 -c--a-w- c:\windows\system32\nvcpl.dll

2009-08-17 07:02 . 2009-08-17 07:02 229376 -c--a-w- c:\windows\system32\nvmccs.dll

2009-08-17 04:57 . 2009-08-17 04:57 2189856 -c--a-w- c:\windows\system32\nvcuvid.dll

2009-08-17 04:57 . 2009-08-17 04:57 1706528 -c--a-w- c:\windows\system32\nvcuvenc.dll

2009-08-17 04:57 . 2009-08-17 04:57 1597690 -c--a-w- c:\windows\system32\nvdata.bin

2009-08-17 04:57 . 2009-01-18 03:17 485920 -c--a-w- c:\windows\system32\nvudisp.exe

2009-08-17 04:57 . 2009-01-18 03:16 10457088 -c--a-w- c:\windows\system32\nvoglnt.dll

2009-08-17 04:57 . 2009-01-18 03:16 868352 -c--a-w- c:\windows\system32\nvapi.dll

2009-08-17 04:57 . 2009-01-18 03:16 2002944 -c--a-w- c:\windows\system32\nvcuda.dll

2009-08-17 04:57 . 2009-01-18 03:16 155648 -c--a-w- c:\windows\system32\nvcodins.dll

2009-08-17 04:57 . 2009-01-18 03:16 155648 -c--a-w- c:\windows\system32\nvcod.dll

2009-08-17 04:57 . 2008-09-17 13:55 7729568 -c--a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-08-17 04:57 . 2008-09-17 13:55 5845760 -c--a-w- c:\windows\system32\nv4_disp.dll

2009-08-14 17:36 . 2009-08-14 17:36 70936 -c--a-w- c:\windows\system32\PhysXLoader.dll

2009-08-13 18:34 . 2008-10-22 00:47 -------- dc----w- c:\program files\Opera

2009-08-11 21:33 . 2009-08-11 21:33 -------- dc----w- c:\program files\CrossLoop

2009-08-11 19:45 . 2009-08-11 19:45 -------- dc----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-08-11 19:45 . 2009-08-11 19:45 -------- dc----w- c:\program files\DVD Shrink

2009-08-11 16:35 . 2009-01-18 03:17 485920 -c--a-w- c:\windows\system32\NVUNINST.EXE

2009-08-10 00:30 . 2009-08-10 00:05 -------- dc----w- c:\documents and settings\Harsh\Application Data\Download Manager

2009-08-08 21:27 . 2009-08-08 21:27 -------- dc----w- c:\program files\LimeWire

2009-08-05 09:11 . 2004-08-03 23:56 204800 -c--a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 21:41 . 2009-08-03 20:30 -------- dc----w- c:\documents and settings\Harsh\Application Data\mp3rocket

2009-08-03 20:31 . 2009-08-03 20:30 -------- dc----w- c:\program files\MP3 Rocket

2009-08-03 04:21 . 2009-08-03 04:21 23320 -c--a-w- c:\windows\system32\PhysXDevice.dll

2009-08-03 01:50 . 2009-08-03 01:50 -------- dc----w- c:\program files\Sorian AI Mod

2009-07-29 21:36 . 2008-09-28 14:34 -------- dc----w- c:\documents and settings\Harsh\Application Data\vlc

2009-07-29 21:21 . 2009-07-29 21:21 -------- dc----w- c:\documents and settings\Harsh\Application Data\MozillaControl

2009-07-29 21:21 . 2009-07-29 21:21 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12

2009-07-29 21:21 . 2009-07-29 21:20 -------- dc----w- c:\program files\Graboid

2009-07-26 22:48 . 2008-10-02 19:35 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-26 22:35 . 2008-10-19 01:20 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-26 22:33 . 2009-07-26 22:32 -------- dc----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-26 22:32 . 2009-07-26 22:32 -------- dc----w- c:\program files\iPod

2009-07-26 22:32 . 2008-10-19 01:21 -------- dc----w- c:\program files\Common Files\Apple

2009-07-26 22:31 . 2009-07-26 22:31 -------- dc----w- c:\program files\Bonjour

2009-07-26 22:31 . 2008-12-26 21:36 -------- dc----w- c:\program files\QuickTime

2009-07-25 12:20 . 2008-10-02 19:35 -------- dc----w- c:\program files\NOS

2009-07-17 20:52 . 2008-09-27 21:08 68456 -c--a-w- c:\documents and settings\Harsh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-17 18:55 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2007-09-20 04:50 286208 -c--a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 16:16 . 2009-07-26 22:30 2060288 -c--a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 16:16 . 2008-12-26 20:50 39424 -c--a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-03 17:09 . 2007-09-20 04:59 915456 ------w- c:\windows\system32\wininet.dll

2009-06-25 18:36 . 2004-08-03 23:56 95744 -c--a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2004-08-03 23:56 661504 -c--a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2004-08-03 23:56 517120 -c--a-w- c:\windows\system32\mqsnap.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\opera\program\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\opera\program\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-17_16.13.21 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-22 13:09 . 2009-09-22 13:09 16384 c:\windows\temp\Perflib_Perfdata_158.dat

+ 2009-05-19 20:51 . 2009-09-20 11:54 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll

- 2009-05-19 20:51 . 2009-09-13 12:48 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll

+ 2009-05-19 20:51 . 2009-09-20 11:54 81920 c:\windows\.jagex_cache_32\runescape\jaggl.dll

- 2009-05-19 20:51 . 2009-09-13 12:48 81920 c:\windows\.jagex_cache_32\runescape\jaggl.dll

+ 2007-09-20 04:35 . 2008-06-20 11:59 361600 c:\windows\system32\drivers\TCPIP.SYS

+ 2007-09-20 04:35 . 2008-06-20 11:59 361600 c:\windows\system32\dllcache\tcpip.sys

+ 2009-09-20 20:35 . 2009-09-18 04:40 170816 c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

+ 2009-09-20 23:23 . 2009-09-20 23:23 408576 c:\windows\Installer\981d3c.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

"EVEREST AutoStart"="c:\documents and settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe" [2008-12-24 2159200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]

"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.23\RivaTuner.exe" [2009-02-15 2777088]

"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 358920]

"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 1548296]

"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2008-11-06 2816520]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-07-20 714024]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

"RGSC"=c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

"mount.exe"=c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe /z

"PSwitch"=c:\docume~1\Harsh\LOCALS~1\Temp\RarSFX0\App\ProxySwitcher.exe

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" -silent

"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"CmUsbSound"=RunDll32 cmcnfgu.cpl,CMICtrlWnd

"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"nwiz"=nwiz.exe /install

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

"RTHDCPL"=RTHDCPL.EXE

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Alcmtr"=ALCMTR.EXE

"AlcWzrd"=ALCWZRD.EXE

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

"SoundMan"=SOUNDMAN.EXE

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

"Malwarebytes Anti-Malware (reboot)"="c:\program files\MAM\mam.exe" /runcleanupscript

"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntivirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"e:\\Games\\UnrealTournament\\System\\UnrealTournament.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\River Past\\Crazi Video\\CraziVideo.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"24537:TCP"= 24537:TCP:vuze

"24537:UDP"= 24537:UDP:vuze1

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/26/2009 10:26 PM 64160]

R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [12/7/2008 3:17 PM 15976]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/12/2009 8:53 PM 36368]

R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [9/27/2008 8:35 PM 22784]

R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\documents and settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\kerneld.wnt [12/30/2008 11:25 PM 26224]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/12/2009 8:53 PM 335888]

R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [9/1/2009 7:53 PM 17792]

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [9/28/2008 1:18 AM 26144]

S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/12/2009 8:53 PM 225296]

S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [1/31/2009 8:19 PM 37488]

S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 7:42 AM 64000]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [3/25/2009 12:35 PM 25472]

S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [9/12/2009 8:53 PM 488768]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [9/12/2009 8:53 PM 652552]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVERESTDRIVER

*NewlyCreated* - PGFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-07-12 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2008-12-06 14:38]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = about:blank

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.gamespot.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\documents and settings\Harsh\Application Data\Move Networks\plugins\npqmp071504000001.dll

FF - plugin: c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-22 18:36

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\c:\documents and settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-1647877149-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:6b,15,45,50,47,ea,b4,ce,7d,5e,7e,12,06,78,44,cd,41,1b,1d,4f,f6,bc,04,

e1,ce,1e,1d,79,84,0c,d7,a8,c6,38,e6,85,5d,60,fe,ad,d8,1b,f1,45,a0,08,e6,00,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1960408961-1647877149-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:87,8d,0f,e6,99,03,5b,33,19,70,fa,de,cf,5c,7d,98,0a,f7,43,26,0f,

bd,f2,27,ed,a1,ec,3c,95,3f,cf,f9,32,a5,23,3a,a9,bf,1d,4b,3b,70,d6,f1,26,85,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1676)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2009-09-22 18:37

ComboFix-quarantined-files.txt 2009-09-22 22:37

ComboFix2.txt 2009-09-18 17:22

ComboFix3.txt 2009-09-17 16:14

Pre-Run: 5,404,696,576 bytes free

Post-Run: 5,351,899,136 bytes free

351 --- E O F --- 2009-09-10 03:29

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:38:07 PM, on 9/22/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\dkservice.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Razer\DeathAdder\razerhid.exe

C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\Razer\DeathAdder\razerofa.exe

C:\Program Files\Trend Micro\OfficeScan Client\Misc\xpupg.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [DeathAdder] "C:\Program Files\Razer\DeathAdder\razerhid.exe"

O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.23\RivaTuner.exe" /S

O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKCU\..\Run: [PeerGuardian] "C:\Program Files\PeerGuardian2\pg2.exe"

O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Documents and Settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--

End of file - 7181 bytes

  • Staff

Hi,

Download the AntiVir uninstaller and Avira Reg Cleaner and save them to your desktop. Unzip both files to their own folder. Open the AvUninstXPeng folder. Close all programs including AntiVir, then double click on AvUnist.exe to run it. Click yes when asked if you want to remove AntiVir. When it is finished reboot your PC.

Open the RegistryCleaner folder and double click on the Registry Cleaner file. Click the Remove RegKey button then click Ok. When it is finished Reboot your PC again.

Next, run this Norton Removal Tool.

Restart your computer, run ComboFix again, and post its log.

-screen317

ComboFix 09-09-25.01 - Harsh 09/25/2009 19:21.4.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2700 [GMT -4:00]

Running from: c:\documents and settings\Harsh\Desktop\ComboFix.exe

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {9AC2629D-D77E-4A61-9E41-C3603E4B7582}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))

.

2009-09-23 20:04 . 2009-09-23 20:04 -------- dc----w- c:\program files\Uniblue

2009-09-20 23:23 . 2009-09-20 23:23 -------- dc----w- c:\program files\JoshMadison

2009-09-18 22:37 . 2009-09-18 22:37 -------- dc----w- c:\documents and settings\NetworkService\Application Data\Azureus

2009-09-18 21:31 . 2009-09-18 21:31 -------- dc----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-09-18 21:31 . 2009-09-18 21:31 -------- dc----w- c:\program files\DAEMON Tools Toolbar

2009-09-18 21:31 . 2009-09-20 20:38 -------- dc----w- c:\program files\DAEMON Tools Lite

2009-09-18 19:43 . 2009-09-18 19:43 -------- dc----w- C:\Downloads

2009-09-18 02:23 . 2009-09-18 21:53 -------- dc----w- c:\documents and settings\Harsh\Application Data\DAEMON Tools Lite

2009-09-17 23:41 . 2009-09-17 23:43 -------- dc----w- c:\program files\Spybot - Search & Destroy

2009-09-16 22:32 . 2009-09-16 22:32 -------- dc----w- c:\program files\Enigma Software Group

2009-09-16 20:47 . 2009-09-16 20:47 -------- dc----w- c:\documents and settings\Harsh\Application Data\Malwarebytes

2009-09-16 20:45 . 2009-09-10 18:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-16 20:45 . 2009-09-16 20:47 -------- dc----w- c:\program files\MAM

2009-09-16 20:45 . 2009-09-10 18:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys

2009-09-13 00:56 . 2009-05-07 07:04 157712 -c--a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-13 00:54 . 2009-09-13 00:54 -------- dc----w- C:\VIRUS

2009-09-13 00:53 . 2009-07-20 16:00 72072 -c--a-w- c:\windows\system32\drivers\tmtdi.sys

2009-09-13 00:53 . 2009-07-20 16:00 335888 -c--a-w- c:\windows\system32\drivers\TM_CFW.sys

2009-09-13 00:22 . 2009-09-13 00:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\AVG8

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\documents and settings\Harsh\Local Settings\Application Data\FreeFixer

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\documents and settings\Harsh\Application Data\FreeFixer

2009-09-12 23:57 . 2009-09-12 23:57 -------- dc----w- c:\program files\FreeFixer

2009-09-12 23:46 . 2009-09-13 00:33 -------- dc----w- c:\program files\Panda Security

2009-09-12 23:42 . 2009-09-14 05:08 32 -csha-w- c:\windows\system32\drivers\fidbox2.dat

2009-09-12 23:42 . 2009-09-14 05:08 32 -csha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-12 23:15 . 2009-09-13 00:37 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-12 23:15 . 2009-09-12 23:15 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-12 22:04 . 2009-09-12 22:04 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-09-12 21:42 . 2009-09-13 17:09 -------- dc----w- c:\program files\Common Files\ParetoLogic

2009-09-12 21:42 . 2009-09-13 17:09 -------- dc----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-09-12 21:42 . 2009-09-12 21:42 -------- dc----w- c:\documents and settings\Harsh\Local Settings\Application Data\Downloaded Installations

2009-09-12 21:19 . 2009-09-12 21:19 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-04 00:02 . 2009-09-15 00:57 -------- dc----w- C:\alg

2009-09-04 00:02 . 2002-04-24 13:32 26832 -c--a-w- c:\windows\system\CTL3DV2.DLL

2009-09-03 18:07 . 2009-09-03 18:07 41872 -c--a-w- c:\windows\system32\xfcodec.dll

2009-09-02 12:57 . 2009-09-24 18:52 45 -c--a-w- c:\documents and settings\Harsh\jagex_runescape_preferences2.dat

2009-09-02 03:28 . 2009-09-02 03:28 -------- dc----w- c:\windows\system32\log

2009-09-02 03:27 . 2009-09-16 23:16 -------- dc----w- c:\program files\Trend Micro

2009-09-02 00:05 . 2009-09-02 00:31 -------- dc----w- C:\vcs5BGEffects

2009-09-02 00:05 . 2009-09-02 00:35 -------- dc----w- c:\program files\AV Vcs 6.0 DIAMOND

2009-09-01 23:55 . 2009-09-01 23:55 -------- dc----w- C:\AV_LOGS

2009-09-01 23:53 . 2008-12-10 20:56 17792 -c--a-w- c:\windows\system32\drivers\vcsvad.sys

2009-09-01 23:53 . 2009-09-01 23:56 -------- dc----w- c:\program files\AV Vcs 7.0 GOLD

2009-09-01 23:49 . 2009-09-01 23:49 -------- dc----w- c:\documents and settings\Harsh\Application Data\Screaming Bee

2009-09-01 23:49 . 2009-09-01 23:49 -------- dc----w- c:\program files\Screaming Bee

2009-08-29 21:03 . 2009-09-03 14:47 -------- dc----w- c:\program files\TuneUpMedia

2009-08-29 21:03 . 2009-09-23 01:32 -------- dc----w- c:\documents and settings\Harsh\Application Data\TuneUpMedia

2009-08-29 21:03 . 2009-08-29 21:03 -------- dc----w- c:\documents and settings\All Users\Application Data\TuneUpMedia

2009-08-29 03:14 . 2009-08-29 03:14 -------- dc----w- C:\TempDVD

2009-08-29 03:14 . 2009-08-29 03:14 -------- dc----w- C:\dvdsanta

2009-08-28 00:26 . 2009-08-28 00:26 164056 -c--a-w- c:\windows\Crazi Video Pro Uninstaller.exe

2009-08-27 01:34 . 2009-08-27 01:34 -------- dc----w- c:\documents and settings\Harsh\Application Data\Creative

2009-08-27 01:33 . 2009-08-27 01:34 -------- dc----w- c:\documents and settings\All Users\Application Data\Creative

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{615DB4DC-B7C1-4125-9858-78EF460B76D2}

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc----w- c:\program files\Creative

2009-08-27 01:33 . 2009-08-27 01:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{56E59A1F-0DC5-4811-98E4-BA033E048C84}

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-25 23:19 . 2008-09-27 22:55 -------- dc----w- c:\program files\PeerGuardian2

2009-09-25 23:19 . 2008-10-04 23:05 -------- dc----w- c:\documents and settings\Harsh\Application Data\Xfire

2009-09-25 21:28 . 2009-05-03 23:24 190144 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-09-25 20:59 . 2009-06-24 21:07 138808 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-09-25 04:12 . 2008-09-28 03:49 -------- dc----w- c:\documents and settings\Harsh\Application Data\Azureus

2009-09-24 19:19 . 2008-10-07 20:30 38 -c--a-w- c:\documents and settings\Harsh\jagex_runescape_preferences.dat

2009-09-24 03:11 . 2008-09-27 22:40 -------- dc----w- c:\documents and settings\Harsh\Application Data\mIRC

2009-09-23 23:56 . 2008-10-04 23:05 -------- dc----w- c:\program files\Xfire

2009-09-23 23:53 . 2008-09-27 22:40 -------- dc----w- c:\program files\mIRC

2009-09-23 01:31 . 2008-09-28 00:08 -------- dc----w- c:\documents and settings\Harsh\Application Data\LimeWire

2009-09-22 22:44 . 2008-09-27 23:01 -------- dc----w- c:\program files\RegScrubXP

2009-09-19 04:30 . 2008-09-27 22:00 -------- dc-h--w- c:\program files\InstallShield Installation Information

2009-09-18 22:51 . 2009-05-17 00:35 -------- dc----w- c:\documents and settings\Harsh\Application Data\Orbit

2009-09-18 17:02 . 2008-09-27 22:30 -------- dc----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-09-18 02:23 . 2008-09-27 23:55 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-09-17 23:46 . 2008-09-27 22:50 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-14 05:08 . 2009-09-12 23:42 32 -csha-w- c:\windows\system32\drivers\fidbox2.idx

2009-09-14 05:08 . 2009-09-12 23:42 32 -csha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-13 00:32 . 2009-01-13 02:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\id Software

2009-09-13 00:31 . 2009-04-30 02:08 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-12 22:05 . 2009-01-27 02:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0

2009-09-12 22:05 . 2009-01-27 02:23 -------- dc----w- c:\program files\Lavasoft

2009-09-12 22:05 . 2008-09-27 22:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-09-10 15:48 . 2009-03-21 19:09 -------- dc----w- c:\program files\Microsoft Silverlight

2009-09-10 03:27 . 2009-04-25 00:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-29 21:03 . 2008-12-26 22:47 -------- dc----w- c:\program files\iTunes

2009-08-29 21:02 . 2008-09-28 03:48 -------- dc----w- c:\program files\Vuze

2009-08-29 03:14 . 2008-12-24 19:44 -------- dc----w- c:\documents and settings\Harsh\Application Data\DVD Flick

2009-08-29 03:14 . 2008-12-24 19:40 -------- dc----w- c:\program files\dvdSanta

2009-08-29 02:53 . 2008-10-09 01:50 -------- dc----w- c:\program files\DivX

2009-08-29 02:53 . 2009-07-11 04:52 -------- dc----w- c:\program files\Common Files\DivX Shared

2009-08-29 02:16 . 2009-07-14 03:40 -------- dc----w- c:\documents and settings\Harsh\Application Data\Hamachi

2009-08-28 01:35 . 2008-11-23 02:37 -------- dc----w- c:\documents and settings\Harsh\Application Data\River Past G5

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\program files\Common Files\River Past

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\documents and settings\All Users\Application Data\River Past G5

2009-08-28 00:26 . 2008-11-23 02:37 -------- dc----w- c:\program files\River Past

2009-08-23 14:59 . 2008-09-27 22:24 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-23 14:59 . 2008-09-27 22:24 -------- dc----w- c:\program files\AGEIA Technologies

2009-08-23 14:58 . 2009-08-23 14:58 -------- dc----w- c:\program files\NVIDIA Corporation

2009-08-23 14:58 . 2009-08-23 14:58 -------- dc----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2009-08-22 20:50 . 2008-10-19 01:22 -------- dc----w- c:\documents and settings\Harsh\Application Data\Apple Computer

2009-08-20 00:02 . 2009-02-23 00:06 56324 -c-ha-w- c:\windows\system32\mlfcache.dat

2009-08-17 07:04 . 2009-08-17 07:04 2173472 -c--a-w- c:\windows\system32\nvcplui.exe

2009-08-17 07:04 . 2009-08-17 07:04 81920 -c--a-w- c:\windows\system32\nvwddi.dll

2009-08-17 07:03 . 2009-08-17 07:03 3170304 -c--a-w- c:\windows\system32\nvwss.dll

2009-08-17 07:03 . 2009-08-17 07:03 4026368 -c--a-w- c:\windows\system32\nvvitvs.dll

2009-08-17 07:03 . 2009-08-17 07:03 188416 -c--a-w- c:\windows\system32\nvmccss.dll

2009-08-17 07:03 . 2009-08-17 07:03 1286144 -c--a-w- c:\windows\system32\nvmobls.dll

2009-08-17 07:03 . 2009-08-17 07:03 3547136 -c--a-w- c:\windows\system32\nvgames.dll

2009-08-17 07:03 . 2009-08-17 07:03 4923392 -c--a-w- c:\windows\system32\nvdisps.dll

2009-08-17 07:03 . 2009-08-17 07:03 86016 -c--a-w- c:\windows\system32\nvmctray.dll

2009-08-17 07:03 . 2009-08-17 07:03 168004 -c--a-w- c:\windows\system32\nvsvc32.exe

2009-08-17 07:03 . 2009-08-17 07:03 143360 -c--a-w- c:\windows\system32\nvcolor.exe

2009-08-17 07:03 . 2009-08-17 07:03 13877248 -c--a-w- c:\windows\system32\nvcpl.dll

2009-08-17 07:02 . 2009-08-17 07:02 229376 -c--a-w- c:\windows\system32\nvmccs.dll

2009-08-17 04:57 . 2009-08-17 04:57 2189856 -c--a-w- c:\windows\system32\nvcuvid.dll

2009-08-17 04:57 . 2009-08-17 04:57 1706528 -c--a-w- c:\windows\system32\nvcuvenc.dll

2009-08-17 04:57 . 2009-08-17 04:57 1597690 -c--a-w- c:\windows\system32\nvdata.bin

2009-08-17 04:57 . 2009-01-18 03:17 485920 -c--a-w- c:\windows\system32\nvudisp.exe

2009-08-17 04:57 . 2009-01-18 03:16 10457088 -c--a-w- c:\windows\system32\nvoglnt.dll

2009-08-17 04:57 . 2009-01-18 03:16 868352 -c--a-w- c:\windows\system32\nvapi.dll

2009-08-17 04:57 . 2009-01-18 03:16 2002944 -c--a-w- c:\windows\system32\nvcuda.dll

2009-08-17 04:57 . 2009-01-18 03:16 155648 -c--a-w- c:\windows\system32\nvcodins.dll

2009-08-17 04:57 . 2009-01-18 03:16 155648 -c--a-w- c:\windows\system32\nvcod.dll

2009-08-17 04:57 . 2008-09-17 13:55 7729568 -c--a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-08-17 04:57 . 2008-09-17 13:55 5845760 -c--a-w- c:\windows\system32\nv4_disp.dll

2009-08-14 17:36 . 2009-08-14 17:36 70936 -c--a-w- c:\windows\system32\PhysXLoader.dll

2009-08-13 18:34 . 2008-10-22 00:47 -------- dc----w- c:\program files\Opera

2009-08-11 21:33 . 2009-08-11 21:33 -------- dc----w- c:\program files\CrossLoop

2009-08-11 19:45 . 2009-08-11 19:45 -------- dc----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2009-08-11 19:45 . 2009-08-11 19:45 -------- dc----w- c:\program files\DVD Shrink

2009-08-11 16:35 . 2009-01-18 03:17 485920 -c--a-w- c:\windows\system32\NVUNINST.EXE

2009-08-10 00:30 . 2009-08-10 00:05 -------- dc----w- c:\documents and settings\Harsh\Application Data\Download Manager

2009-08-08 21:27 . 2009-08-08 21:27 -------- dc----w- c:\program files\LimeWire

2009-08-05 09:11 . 2004-08-03 23:56 204800 -c--a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 21:41 . 2009-08-03 20:30 -------- dc----w- c:\documents and settings\Harsh\Application Data\mp3rocket

2009-08-03 20:31 . 2009-08-03 20:30 -------- dc----w- c:\program files\MP3 Rocket

2009-08-03 04:21 . 2009-08-03 04:21 23320 -c--a-w- c:\windows\system32\PhysXDevice.dll

2009-08-03 01:50 . 2009-08-03 01:50 -------- dc----w- c:\program files\Sorian AI Mod

2009-07-29 21:36 . 2008-09-28 14:34 -------- dc----w- c:\documents and settings\Harsh\Application Data\vlc

2009-07-29 21:21 . 2009-07-29 21:21 -------- dc----w- c:\documents and settings\Harsh\Application Data\MozillaControl

2009-07-29 21:21 . 2009-07-29 21:21 -------- dc----w- c:\program files\Mozilla ActiveX Control v1.7.12

2009-07-29 21:21 . 2009-07-29 21:20 -------- dc----w- c:\program files\Graboid

2009-07-17 20:52 . 2008-09-27 21:08 68456 -c--a-w- c:\documents and settings\Harsh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-17 18:55 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2007-09-20 04:50 286208 -c--a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 16:16 . 2009-07-26 22:30 2060288 -c--a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 16:16 . 2008-12-26 20:50 39424 -c--a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-03 17:09 . 2007-09-20 04:59 915456 ------w- c:\windows\system32\wininet.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\opera\program\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\opera\program\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-17_16.13.21 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-09-27 23:55 . 2009-09-24 15:52 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe

- 2008-09-27 23:55 . 2009-03-26 21:58 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe

- 2009-08-16 18:49 . 2009-08-16 18:49 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll

+ 2009-05-19 20:51 . 2009-09-24 18:52 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll

- 2009-05-19 20:51 . 2009-09-13 12:48 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll

+ 2009-05-19 20:51 . 2009-09-24 18:52 81920 c:\windows\.jagex_cache_32\runescape\jaggl.dll

- 2009-05-19 20:51 . 2009-09-13 12:48 81920 c:\windows\.jagex_cache_32\runescape\jaggl.dll

+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

+ 2007-09-20 04:35 . 2008-06-20 11:59 361600 c:\windows\system32\drivers\TCPIP.SYS

+ 2007-09-20 04:35 . 2008-06-20 11:59 361600 c:\windows\system32\dllcache\tcpip.sys

+ 2009-09-20 20:35 . 2009-09-18 04:40 170816 c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

+ 2009-09-20 23:23 . 2009-09-20 23:23 408576 c:\windows\Installer\981d3c.msi

+ 2009-09-23 02:38 . 2009-09-23 02:38 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll

+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 02:38 . 2009-09-23 02:38 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

- 2009-08-16 18:49 . 2009-08-16 18:49 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll

+ 2009-09-23 03:07 . 2009-09-23 03:07 24721920 c:\windows\Installer\2e53075.msi

+ 2009-09-23 03:07 . 2009-09-23 03:07 15699216 c:\windows\Installer\{BBF0A67B-5DBA-452F-9D2E-6F168BC226E4}\shift.exe

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

"EVEREST AutoStart"="c:\documents and settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe" [2008-12-24 2159200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]

"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.23\RivaTuner.exe" [2009-02-15 2777088]

"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 358920]

"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 1548296]

"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2008-11-06 2816520]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-07-20 714024]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

"RGSC"=c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

"mount.exe"=c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe /z

"PSwitch"=c:\docume~1\Harsh\LOCALS~1\Temp\RarSFX0\App\ProxySwitcher.exe

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" -silent

"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"CmUsbSound"=RunDll32 cmcnfgu.cpl,CMICtrlWnd

"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"nwiz"=nwiz.exe /install

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

"RTHDCPL"=RTHDCPL.EXE

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"Alcmtr"=ALCMTR.EXE

"AlcWzrd"=ALCWZRD.EXE

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

"SoundMan"=SOUNDMAN.EXE

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

"Malwarebytes Anti-Malware (reboot)"="c:\program files\MAM\mam.exe" /runcleanupscript

"SpyHunter Security Suite"=c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"e:\\Games\\UnrealTournament\\System\\UnrealTournament.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\River Past\\Crazi Video\\CraziVideo.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"24537:TCP"= 24537:TCP:vuze

"24537:UDP"= 24537:UDP:vuze1

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/26/2009 10:26 PM 64160]

R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [12/7/2008 3:17 PM 15976]

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/12/2009 8:53 PM 36368]

R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [9/27/2008 8:35 PM 22784]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/12/2009 8:53 PM 335888]

R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [9/1/2009 7:53 PM 17792]

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [9/28/2008 1:18 AM 26144]

S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/12/2009 8:53 PM 225296]

S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [1/31/2009 8:19 PM 37488]

S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 7:42 AM 64000]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]

S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [3/25/2009 12:35 PM 25472]

S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [9/12/2009 8:53 PM 488768]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [9/12/2009 8:53 PM 652552]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVERESTDRIVER

*NewlyCreated* - PGFILTER

*NewlyCreated* - PNKBSTRB

*Deregistered* - EverestDriver

*Deregistered* - pgfilter

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-07-12 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2008-12-06 14:38]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = about:blank

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.gamespot.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\documents and settings\Harsh\Application Data\Move Networks\plugins\npqmp071504000001.dll

FF - plugin: c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Harsh\Application Data\Mozilla\Firefox\Profiles\iocfi8gf.default\extensions\tcastv1@tom.com\plugins\nptcast40.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-25 19:23

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-1647877149-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:6b,15,45,50,47,ea,b4,ce,7d,5e,7e,12,06,78,44,cd,41,1b,1d,4f,f6,bc,04,

e1,ce,1e,1d,79,84,0c,d7,a8,c6,38,e6,85,5d,60,fe,ad,d8,1b,f1,45,a0,08,e6,00,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1960408961-1647877149-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:87,8d,0f,e6,99,03,5b,33,19,70,fa,de,cf,5c,7d,98,0a,f7,43,26,0f,

bd,f2,27,ed,a1,ec,3c,95,3f,cf,f9,32,a5,23,3a,a9,bf,1d,4b,3b,70,d6,f1,26,85,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1856)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2009-09-25 19:25

ComboFix-quarantined-files.txt 2009-09-25 23:25

ComboFix2.txt 2009-09-22 22:37

ComboFix3.txt 2009-09-18 17:22

ComboFix4.txt 2009-09-17 16:14

Pre-Run: 5,283,901,440 bytes free

Post-Run: 5,244,694,528 bytes free

381 --- E O F --- 2009-09-10 03:29

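A responder normally reads a ComboFix log like the one above by hand, starting with the "Reg Loading Points" section. As an added example for this thread (it is not part of the original post and not ComboFix's own code), the Python below parses that section in the format ComboFix prints and flags the things worth a second look: Run/Run- autostarts whose executable lives in a user-writable location (Temp, Desktop, profile directories), Security Center override and DisableMonitoring values set to 1, and globally open firewall ports that are not marked Disabled. The sample lines are copied from the log above; the `Finding` names, the user-writable path list and the `triage` function are this example's own assumptions. Hits are review items, not verdicts: some managed AV products set the Security Center values themselves, and an entry under a `run-` key was disabled through msconfig, so it points at a file to inspect rather than a process that is currently running.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example; not ComboFix code. Parses Run/Run- values, service/driver
lines, Security Center values and GloballyOpenPorts rules and returns the
entries a responder should look at first.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"EVEREST AutoStart"="c:\documents and settings\Harsh\Desktop\Everest-Ultimate-Edition-4.60.1601-hardal\everest.exe" [2008-12-24 2159200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PSwitch"=c:\docume~1\Harsh\LOCALS~1\Temp\RarSFX0\App\ProxySwitcher.exe
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"24537:TCP"= 24537:TCP:vuze
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/26/2009 10:26 PM 64160]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [9/28/2008 1:18 AM 26144]
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # autostart-user-writable | service-user-writable | security-center-override | open-port
    where: str   # value name, service name, or port/proto
    detail: str  # image path, registry key, or firewall rule name


# Directories an unprivileged user can write to (assumed list for this example);
# LOCALS~1 is the 8.3 short name ComboFix prints for "Local Settings".
USER_WRITABLE = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\", "\\desktop\\",
    "\\application data\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\",
)
# Security Center values that, when 1, silence the missing-AV/firewall alerts.
OVERRIDES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|cpl|scr|bat|cmd)', re.IGNORECASE)
# ComboFix service/driver line: "<start type> <name>;<display name>;<image> [date size]"
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""  # registry key whose values are currently being listed
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            image = PATH_RE.search(svc.group("rest"))
            if image and is_user_writable(image.group(0)):
                findings.append(Finding("service-user-writable", svc.group("name"), image.group(0)))
            continue
        val = VALUE_RE.match(line)
        if not val:
            continue
        name, value = val.group("name"), val.group("value").strip()
        leaf = key.rsplit("\\", 1)[-1]
        if leaf in ("run", "run-", "runonce", "runonce-"):
            image = PATH_RE.search(value)
            if image and is_user_writable(image.group(0)):
                # A trailing '-' on the key name means msconfig disabled the entry.
                state = "disabled (run-)" if leaf.endswith("-") else "active"
                findings.append(Finding("autostart-user-writable", f"{name} [{state}]", image.group(0)))
        elif "security center" in key:
            if name.lower() in OVERRIDES and value.lower().endswith("dword:00000001"):
                findings.append(Finding("security-center-override", name, key))
        elif "globallyopenports" in key:
            # XP firewall rule text: port:proto[:scope:state]:name; without a 'Disabled' field the port is open.
            fields = [f.strip() for f in value.split(":")]
            if len(fields) >= 3 and not any(f.lower() == "disabled" for f in fields):
                findings.append(Finding("open-port", f"{fields[0]}/{fields[1]}", fields[-1]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.where:30} {f.detail}")
```

Run it against a full ComboFix log by passing the file's text to `triage()`; the Run-key and service regexes only match ComboFix's own line layout, so lines from other sections are ignored rather than misread. On the sample, the disabled `PSwitch` entry under `run-` and the Desktop-resident `EVEREST AutoStart` entry are the two autostart hits, the three Security Center values are reported, and only the Vuze port is listed as open because the 3389/TCP rule carries `Disabled`.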

  • Staff

Hi,

The entries are gone. B)

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


It looks to me like everything is stable thanks to you. B) IE now works without a problem after I used ComboFix. Here is the F-Secure Online Scanner report:

Scanning Report

Monday, September 28, 2009 15:30:20 - 15:54:27

Computer name: BLADE

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ E:\ F:\

3 malware found

TrackingCookie.2o7 (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

Statistics

Scanned:

* Files: 48504

* System: 3914

* Not scanned: 7

Actions:

* Disinfected: 3

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\DOCUMENTS AND SETTINGS\HARSH\LOCAL SETTINGS\TEMP\ETILQS_RVQPGVLO06XFCAWVEIXY

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 2

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Trend Micro OfficeScan Client

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

SpyHunter

Spybot - Search & Destroy

HijackThis 2.0.2

TuneUp Companion 1.5.9

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 9.1.3

``````````````````````````````

Process Check:

objlist.exe by Laurent

Trend Micro OfficeScan Client pccntmon.exe

Trend Micro OfficeScan Client ntrtscan.exe

Trend Micro OfficeScan Client tmlisten.exe

Trend Micro OfficeScan Client TmPfw.exe

Trend Micro OfficeScan Client CNTAoSMgr.exe

Trend Micro OfficeScan Client tmproxy.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java


This topic is now closed to further replies.