Tinybar



voolak
2009-02-15, 22:48
Basically, while I browse in Firefox I get random popups, and from Spybot it seems it is something connected with "tinybar", since I can't remove it.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:57 PM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Adult.exe
O1 - Hosts: 85.14.219.81 nProtect.lineage2.com
O1 - Hosts: 85.14.219.81 l2authd.lineage2.com
O1 - Hosts: 85.14.219.81 l2testauthd.lineage2.com
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O20 - AppInit_DLLs: efqpnc.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7122 bytes
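A small triage script for the HijackThis log format above, added here as an example (it is not part of the thread and not a HijackThis or Safer Networking tool): it parses the R/F/O entry lines and flags the persistence indicators that stand out in these logs (an extra executable appended to UserInit, hosts-file overrides, unnamed BHOs, hex-named rundll32 Run entries, AppInit_DLLs, orphaned Winlogon Notify and service entries). The sample log is a constructed excerpt of lines from the thread, and the naming heuristics are assumptions of this example, not HijackThis rules.

```python
"""Triage helper for Trend Micro HijackThis 2.x log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt of entry lines from the logs in the thread (not a full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Adult.exe
O1 - Hosts: 85.14.219.81 nProtect.lineage2.com
O2 - BHO: (no name) - {9460EDC4-6A53-43C0-B020-B850B920E7AD} - C:\WINDOWS\system32\nnnlkJYs.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [5cdabd9a] rundll32.exe "C:\WINDOWS\system32\bsvqskyn.dll",b
O20 - AppInit_DLLs: srymmm.dll
O20 - Winlogon Notify: hgGabBtq - hgGabBtq.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""


@dataclass
class Finding:
    code: str       # HJT section code, e.g. "F2" or "O20"
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str       # the original log line, for the report


# Every HJT entry line starts with a section code followed by " - ".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Heuristic (assumption): a 6-8 letter all-lowercase DLL name, the pattern of the
# system32 DLLs in the thread's logs; vendor DLLs such as NvCpl.dll are mixed case.
RANDOM_DLL_RE = re.compile(r"[\\/]([a-z]{6,8})\.(?:dll|DLL)\b")
# Heuristic (assumption): a Run entry named with 8 hex digits instead of a product name.
HEX_NAME_RE = re.compile(r"^\[[0-9a-f]{8}\]")


def iter_entries(text):
    """Yield (code, body, raw_line) for each entry line; headers and process lists are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()


def check_userinit(body):
    # A clean value is exactly "userinit.exe," with nothing after the comma;
    # anything appended is started by Winlogon at every interactive logon.
    if "UserInit=" not in body:
        return None
    value = body.split("UserInit=", 1)[1]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not parts or len(parts) > 1 or not parts[0].lower().endswith("userinit.exe"):
        return "high", "UserInit is not just userinit.exe: " + value
    return None


def check_hosts(body):
    # "Hosts: <ip> <hostname>"; a mapping to a public address bypasses DNS for that name.
    fields = body.split()
    if len(fields) >= 3 and fields[0] == "Hosts:" and fields[1] not in ("127.0.0.1", "::1"):
        return "medium", f"hosts file maps {fields[2]} to {fields[1]}"
    return None


def check_bho(body):
    # "BHO: <name> - {CLSID} - <path>"; legitimate BHOs carry a product name.
    if not body.startswith("BHO:"):
        return None
    name = body[4:].split(" - ", 1)[0].strip()
    if name == "(no name)" or name.startswith("{"):
        return "medium", f"BHO with no display name or a GUID as its name: {name}"
    return None


def check_run(body):
    # "HKLM\..\Run: [<entry name>] <command line>"
    entry = body.split(": ", 1)[1] if ": " in body else body
    if HEX_NAME_RE.match(entry):
        return "high", "Run entry named with 8 hex digits instead of a product name"
    if "rundll32" in entry.lower() and RANDOM_DLL_RE.search(entry):
        return "high", "rundll32 loads a DLL with a random-looking lowercase name"
    return None


def check_o20(body):
    if body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            return "high", f"AppInit_DLLs loads {value} into every process that maps user32.dll"
    if body.startswith("Winlogon Notify:"):
        if "(file missing)" in body:
            return "medium", "Winlogon Notify package whose DLL is missing (orphaned entry)"
        return "low", "Winlogon Notify package present; confirm the DLL's vendor"
    return None


def check_service(body):
    if body.startswith("Service:") and "(file missing)" in body:
        return "low", "service registered for a binary that no longer exists"
    return None


CHECKS = {"F2": check_userinit, "O1": check_hosts, "O2": check_bho,
          "O4": check_run, "O20": check_o20, "O23": check_service}


def triage(text):
    """Return the list of Findings for an HJT log; entries without a check are ignored."""
    findings = []
    for code, body, raw in iter_entries(text):
        check = CHECKS.get(code)
        result = check(body) if check else None
        if result:
            findings.append(Finding(code, result[0], result[1], raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code:3} {f.reason}\n         {f.line}")
```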

Dakeyras
2009-02-16, 20:38
Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hi voolak and welcome to Safer Networking :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Extra note: Please be aware that, as I am still in training, all of my fixes/posts require prior checking by an Expert. So some delays may be inevitable; please be patient and I will reply again ASAP.

Next:

In the interim I would like to view a list of currently installed software applications on your PC. How to provide it is as follows:

Start/Run HiJackThis and click on Open the Misc Tools section


Click Open Uninstall Manager...
Click Save list... and save it to your Desktop.
Copy and paste the file uninstall_list.txt into your next reply.

voolak
2009-02-17, 01:46
When I press Save list, the HJT program just closes.

Dakeyras
2009-02-17, 17:24
Hi :)

When I press Save list, the HJT program just closes.
Not a problem, we can address this shortly.

In the meantime I have a few questions first, if I may, before we proceed:


You have an application installed called AdminWorks Management. Are you aware of this, and/or did you install it yourself?
Is this computer used for business-related activities, or just for personal use only?

voolak
2009-02-17, 19:59
I never heard of that application and this computer is for personal use.

Dakeyras
2009-02-18, 01:25
Hi :)


I never heard of that application and this computer is for personal use.
OK, the application I mentioned: AdminWorks Management

A cost effective IT management software tool for small and medium size businesses.
How old is this computer and how long have you owned it? And/or is this a second-hand computer that once belonged to a business?

Next:

Please download this tool (http://go.microsoft.com/fwlink/?linkid=52012) from Microsoft.
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.
Next:


Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop. Please make sure that RSIT.exe is on your Desktop before running the application.

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

When you have completed the above, please post back the following in the order asked for:


Answer to my query.
MGADiag results.
Both RSIT Logs.

voolak
2009-02-18, 16:15
This computer is a little over a year old and I bought it new. The computer never belonged to a business.

Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-VW3P7-YHQQ6-C7RYM
Windows Product Key Hash: ZcgwvstIxQC+DhtQDO8/GmF+gus=
Windows Product ID: 76487-OEM-2211906-00100
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {BF7D64E5-0520-465B-B18A-6FA38AA467DE}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.8.31.9
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.8.31.9
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: Microsoft
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: Registered, 1.6.21.0
Signed By: N/A, hr = 0x80096010
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->
Proxy settings:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{BF7D64E5-0520-465B-B18A-6FA38AA467DE}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-C7RYM</PKey><PID>76487-OEM-2211906-00100</PID><PIDType>2</PIDType><SID>S-1-5-21-1269103037-3874296902-2670244853</SID><SYSTEM><Manufacturer>Acer </Manufacturer><Model>Aspire M5100 </Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>R02-A1</Version><SMBIOSVersion major="2" minor="5"/><Date>20071107000000.000000+000</Date><SLPBIOS>AcerSystem ,AcerSystem </SLPBIOS></BIOS><HWID>AA71337F01842E78</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Acer Incorporated</name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.8.31.9"/><File Name="WgaLogon.dll" Version="1.8.31.9"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1C4D4:Acer Incorporated
Marker string from OEMBIOS.DAT: AcerSystem ,AcerSystem

OEM Activation 2.0 Data-->
N/A


log.txt:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Divilov at 2009-02-18 10:08:56
Microsoft Windows XP Professional Service Pack 3
System drive C: has 42 GB (57%) free of 73 GB
Total RAM: 2047 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:21 AM, on 2/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Divilov\Desktop\RSIT.exe
C:\Documents and Settings\Divilov\Desktop\Divilov.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Adult.exe
O1 - Hosts: 85.14.219.81 nProtect.lineage2.com
O1 - Hosts: 85.14.219.81 l2authd.lineage2.com
O1 - Hosts: 85.14.219.81 l2testauthd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C4854EE-B927-4E42-8993-761FCC84DE9C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {b6290ba4-c361-3019-cfa4-7a67d6d322b7} - {7b223d6d-76a7-4afc-9103-163c4ab0926b} - C:\WINDOWS\system32\srymmm.dll
O2 - BHO: (no name) - {9460EDC4-6A53-43C0-B020-B850B920E7AD} - C:\WINDOWS\system32\nnnlkJYs.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [5cdabd9a] rundll32.exe "C:\WINDOWS\system32\bsvqskyn.dll",b
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O20 - AppInit_DLLs: srymmm.dll
O20 - Winlogon Notify: hgGabBtq - hgGabBtq.dll (file missing)
O20 - Winlogon Notify: qoMdDwUl - qoMdDwUl.dll (file missing)
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8180 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C4854EE-B927-4E42-8993-761FCC84DE9C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b223d6d-76a7-4afc-9103-163c4ab0926b}]
C:\WINDOWS\system32\srymmm.dll [2009-02-17 123392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9460EDC4-6A53-43C0-B020-B850B920E7AD}]
C:\WINDOWS\system32\nnnlkJYs.dll [2009-02-14 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\WINDOWS\system32\eDStoolbar.dll [2007-06-24 106496]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"=C:\Acer\LANScope Agent\awtray.exe [2007-05-22 1459992]
"RTHDCPL"=RTHDCPL.EXE []
"nwiz"=nwiz.exe /install []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-03-20 86960]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [2004-08-09 221184]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2008-03-01 1443072]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []
"5cdabd9a"=C:\WINDOWS\system32\bsvqskyn.dll [2009-02-18 74752]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"DAEMON Tools Pro Agent"=C:\Program Files\DAEMON Tools Pro\DTProAgent.exe [2007-09-06 136136]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe [2007-09-06 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="srymmm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
Ati2evxx.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hgGabBtq]
hgGabBtq.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMdDwUl]
qoMdDwUl.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
WgaLogon.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\nnnlkJYs
"notification packages"=
scecli
scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=91000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe"="C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe"="C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\Divilov\My Documents\Yahoo\Messenger\YahooMessenger.exe"="C:\Documents and Settings\Divilov\My Documents\Yahoo\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Documents and Settings\Divilov\My Documents\Yahoo\Messenger\YServer.exe"="C:\Documents and Settings\Divilov\My Documents\Yahoo\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\Program Files\Combat Arms\Combat Arms\CombatArms.exe"="C:\Program Files\Combat Arms\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Program Files\Combat Arms\Combat Arms\Engine.exe"="C:\Program Files\Combat Arms\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Program Files\Combat Arms\Combat Arms\NMService.exe"="C:\Program Files\Combat Arms\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\Program Files\Sega\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"="C:\Program Files\Sega\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\xrEngine.exe"="C:\Program Files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\xrEngine.exe:*:Enabled:S.T.A.L.K.E.R. - Clear Sky (CLI)"
"C:\Program Files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\dedicated\xrEngine.exe"="C:\Program Files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\dedicated\xrEngine.exe:*:Enabled:S.T.A.L.K.E.R. - Clear Sky (SRV)"
"C:\Downloads\Red Faction\rf.exe"="C:\Downloads\Red Faction\rf.exe:*:Disabled:Red Faction"
"C:\Program Files\Combat Arms\CombatArms.exe"="C:\Program Files\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Program Files\Combat Arms\Engine.exe"="C:\Program Files\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Program Files\Combat Arms\NMService.exe"="C:\Program Files\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\Program Files\Outspark\Blackshot\System\BlackShot.exe"="C:\Program Files\Outspark\Blackshot\System\BlackShot.exe:*:Enabled:BlackShot"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Combat Arms\Combat Arms\CombatArms.exe"="C:\Program Files\Combat Arms\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Program Files\Combat Arms\Combat Arms\Engine.exe"="C:\Program Files\Combat Arms\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Combat Arms\CombatArms.exe"="C:\Program Files\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Program Files\Combat Arms\Engine.exe"="C:\Program Files\Combat Arms\Engine.exe:*Enabled:Engine.exe"

======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2009-02-18 10:08:56 ----D---- C:\rsit
2009-02-18 10:07:15 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2009-02-18 00:01:51 ----SH---- C:\WINDOWS\system32\nyksqvsb.ini
2009-02-18 00:01:39 ----A---- C:\WINDOWS\system32\bsvqskyn.dll
2009-02-17 23:58:41 ----A---- C:\WINDOWS\system32\srymmm.dll
2009-02-17 23:58:39 ----A---- C:\WINDOWS\system32\mwqawlhb.dll
2009-02-17 12:01:43 ----A---- C:\WINDOWS\system32\onfxaw.dll
2009-02-17 12:01:39 ----A---- C:\WINDOWS\system32\nsavdfgo.dll
2009-02-17 11:58:40 ----SH---- C:\WINDOWS\system32\fnccllap.ini
2009-02-17 00:01:42 ----SH---- C:\WINDOWS\system32\uspkqrhi.ini
2009-02-16 23:58:44 ----A---- C:\WINDOWS\system32\jxxfip.dll
2009-02-16 23:58:39 ----A---- C:\WINDOWS\system32\xfiffqoe.dll
2009-02-16 12:01:54 ----SH---- C:\WINDOWS\system32\qdvwfvgm.ini
2009-02-16 11:58:52 ----A---- C:\WINDOWS\system32\yuenmi.dll
2009-02-16 11:58:50 ----A---- C:\WINDOWS\system32\gptgevuh.dll
2009-02-16 00:01:55 ----A---- C:\WINDOWS\system32\uuyijq.dll
2009-02-16 00:01:51 ----A---- C:\WINDOWS\system32\rpgjultp.dll
2009-02-15 23:58:57 ----SH---- C:\WINDOWS\system32\ftnniuew.ini
2009-02-15 16:40:57 ----D---- C:\Program Files\ERUNT
2009-02-15 15:52:51 ----ASH---- C:\WINDOWS\system32\sYJklnnn.ini2
2009-02-15 14:05:44 ----A---- C:\WINDOWS\system32\khfFULcC.dll
2009-02-15 13:50:47 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-02-15 12:00:15 ----A---- C:\WINDOWS\system32\efqpnc.dll
2009-02-15 12:00:11 ----A---- C:\WINDOWS\system32\nfdentsu.dll
2009-02-15 00:01:01 ----A---- C:\WINDOWS\system32\xgpibs.dll
2009-02-15 00:00:56 ----A---- C:\WINDOWS\system32\ryyrqjuc.dll
2009-02-14 12:00:17 ----A---- C:\WINDOWS\system32\wfhyei.dll
2009-02-14 12:00:12 ----A---- C:\WINDOWS\system32\qobmpsce.dll
2009-02-14 11:57:12 ----ASH---- C:\WINDOWS\system32\sYJklnnn.ini
2009-02-14 11:57:01 ----A---- C:\WINDOWS\system32\nnnlkJYs.dll
2009-02-14 11:51:59 ----A---- C:\WINDOWS\system32\rqRIyYoO.dll
2009-02-14 11:40:23 ----D---- C:\Documents and Settings\Divilov\Application Data\Boomzap
2009-02-14 10:30:46 ----A---- C:\WINDOWS\system32\shdxhtgj.dll
2009-02-14 10:30:27 ----ASH---- C:\WINDOWS\system32\cLkjkUtv.ini
2009-02-14 10:25:14 ----A---- C:\WINDOWS\system32\ljJDSLff.dll
2009-02-14 09:40:56 ----D---- C:\Program Files\MSECache
2009-02-14 09:37:58 ----A---- C:\WINDOWS\system32\pdfmonnt.dll
2009-02-14 09:35:59 ----D---- C:\Documents and Settings\Divilov\Application Data\Bullzip
2009-02-13 18:50:29 ----D---- C:\Documents and Settings\Divilov\Application Data\Dark Sector
2009-02-12 20:28:38 ----D---- C:\Program Files\Spiderweb Software
2009-02-12 20:28:12 ----D---- C:\Documents and Settings\Divilov\Application Data\Downloaded Installations
2009-02-12 18:17:03 ----D---- C:\Documents and Settings\All Users\Application Data\ScreenSeven
2009-02-12 10:07:06 ----D---- C:\Program Files\OpenAL
2009-02-11 21:32:04 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-10 20:07:40 ----D---- C:\Documents and Settings\Divilov\Application Data\Crayon Physics Deluxe
2009-02-10 20:00:26 ----D---- C:\Program Files\Crayon Physics Deluxe
2009-02-10 18:41:52 ----A---- C:\WINDOWS\WININIT.INI
2009-02-08 22:14:46 ----D---- C:\Documents and Settings\All Users\Application Data\STDUConverter
2009-02-08 21:57:51 ----D---- C:\Documents and Settings\All Users\Application Data\FreePDF_XP
2009-02-08 19:19:30 ----D---- C:\Documents and Settings\Divilov\Application Data\Xfire
2009-02-08 19:19:26 ----D---- C:\Program Files\Xfire
2009-02-06 19:17:01 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2009-02-06 19:17:01 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2009-02-06 19:17:00 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2009-02-06 19:16:59 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2009-02-06 19:16:59 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2009-02-06 19:16:58 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2009-02-06 19:16:58 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2009-02-06 19:16:57 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2009-02-06 19:16:57 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2009-02-06 19:16:56 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2009-02-06 19:16:55 ----A---- C:\WINDOWS\system32\d3dx10_39.dll
2009-02-06 19:16:55 ----A---- C:\WINDOWS\system32\D3DCompiler_39.dll
2009-02-06 19:16:54 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2009-02-04 17:48:13 ----D---- C:\Documents and Settings\All Users\Application Data\Electronic Arts
2009-02-03 22:57:01 ----D---- C:\CFLog
2009-02-03 22:53:02 ----D---- C:\Program Files\G4box
2009-02-03 17:17:10 ----D---- C:\WINDOWS\system32\AGEIA
2009-02-03 17:17:10 ----D---- C:\Program Files\AGEIA Technologies
2009-02-01 12:20:30 ----HD---- C:\BJPrinter
2009-02-01 12:20:25 ----A---- C:\WINDOWS\system32\CNMVS5y.DLL
2009-02-01 12:20:25 ----A---- C:\WINDOWS\system32\CNMLM5y.DLL
2009-02-01 09:54:49 ----D---- C:\Program Files\DOSBox-0.70
2009-01-30 00:34:11 ----D---- C:\Documents and Settings\Divilov\Application Data\Eltima Software
2009-01-30 00:33:54 ----D---- C:\Program Files\Eltima Software
2009-01-29 23:53:36 ----A---- C:\WINDOWS\system32\57f979e4-.txt
2009-01-29 23:53:16 ----ASH---- C:\WINDOWS\system32\lVwaccdd.ini
2009-01-28 09:57:21 ----A---- C:\svf_info.txt
2009-01-26 13:39:36 ----A---- C:\WINDOWS\system32\zlib.dll
2009-01-22 20:17:46 ----A---- C:\WINDOWS\system32\xfcodec.dll

======List of files/folders modified in the last 1 months======

2009-02-18 10:09:13 ----D---- C:\Documents and Settings\Divilov\Application Data\uTorrent
2009-02-18 10:08:56 ----D---- C:\WINDOWS\Prefetch
2009-02-18 10:08:43 ----D---- C:\WINDOWS\temp
2009-02-18 10:07:16 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-18 10:05:10 ----D---- C:\Program Files\Mozilla Firefox
2009-02-18 09:56:51 ----D---- C:\Program Files\JDown
2009-02-18 09:55:28 ----D---- C:\Downloads
2009-02-18 09:03:00 ----AD---- C:\WINDOWS\system32\drivers
2009-02-18 09:01:06 ----A---- C:\RTHDCPL_Dump.txt
2009-02-18 09:01:02 ----D---- C:\WINDOWS
2009-02-18 09:00:12 ----AD---- C:\WINDOWS\system32
2009-02-18 08:59:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-17 20:34:49 ----D---- C:\Program Files
2009-02-17 17:18:45 ----D---- C:\Invision
2009-02-16 18:19:45 ----HD---- C:\WINDOWS\inf
2009-02-16 10:58:41 ----A---- C:\WINDOWS\matlab.ini
2009-02-15 16:41:47 ----D---- C:\WINDOWS\ERDNT
2009-02-15 14:48:51 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-15 14:41:45 ----SHD---- C:\WINDOWS\Installer
2009-02-15 14:41:45 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-02-15 14:02:59 ----SD---- C:\WINDOWS\Tasks
2009-02-14 15:08:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-14 11:48:17 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-02-13 18:21:23 ----HD---- C:\Program Files\InstallShield Installation Information
2009-02-13 08:56:27 ----AD---- C:\GUIDE
2009-02-12 10:07:06 ----A---- C:\WINDOWS\system32\wrap_oal.dll
2009-02-12 10:07:06 ----A---- C:\WINDOWS\system32\OpenAL32.dll
2009-02-11 21:32:03 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-11 21:31:59 ----A---- C:\WINDOWS\imsins.BAK
2009-02-11 21:31:26 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-02-11 21:31:19 ----D---- C:\Program Files\Internet Explorer
2009-02-10 19:40:38 ----D---- C:\WINDOWS\WinSxS
2009-02-10 19:40:38 ----D---- C:\WINDOWS\repair
2009-02-10 17:34:01 ----D---- C:\Program Files\Mozilla Thunderbird
2009-02-10 12:35:19 ----D---- C:\WINDOWS\SxsCaPendDel
2009-02-10 00:03:57 ----D---- C:\DVDVideoSoft
2009-02-09 10:49:54 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-02-09 10:47:10 ----RSD---- C:\WINDOWS\Fonts
2009-02-08 23:03:55 ----D---- C:\Program Files\Common Files
2009-02-06 21:37:19 ----D---- C:\Program Files\Trillian
2009-02-06 21:24:44 ----D---- C:\WINDOWS\Microsoft.NET
2009-02-06 21:24:35 ----RSD---- C:\WINDOWS\assembly
2009-02-06 19:17:03 ----D---- C:\WINDOWS\system32\DirectX
2009-02-06 19:09:58 ----D---- C:\WINDOWS\Help
2009-02-06 19:09:57 ----D---- C:\WINDOWS\nview
2009-02-06 19:03:34 ----D---- C:\WINDOWS\system32\XPSViewer
2009-02-06 19:03:29 ----D---- C:\WINDOWS\system32\en-US
2009-02-06 19:02:45 ----AD---- C:\i386
2009-02-06 18:57:44 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-02-03 18:21:12 ----A---- C:\WINDOWS\system32\MRT.exe
2009-02-01 09:28:23 ----D---- C:\WINDOWS\Registration
2009-02-01 09:28:18 ----D---- C:\WINDOWS\system32\NtmsData
2009-01-31 18:45:13 ----SD---- C:\Documents and Settings\Divilov\Application Data\Microsoft
2009-01-30 14:27:58 ----A---- C:\WINDOWS\OEWABLog.txt
2009-01-26 12:27:23 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-01-23 01:01:48 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2009-01-23 01:01:47 ----A---- C:\WINDOWS\system32\pbsvc.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-03-01 29704]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2008-03-01 54280]
R1 OsaFsLoc;OsaFsLoc; \??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2008-09-23 279712]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-03-01 39944]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver; \??\C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
R2 eLock2FSCTLDriver;eLock2FSCTLDriver; \??\C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2008-03-01 71176]
R2 int15;int15; \??\C:\WINDOWS\system32\drivers\int15.sys []
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2008-09-23 25888]
R2 netlimiter;netlimiter; \??\C:\WINDOWS\system32\drivers\netlimiter.sys []
R2 netlock;netlock; \??\C:\WINDOWS\system32\drivers\netlock.sys []
R2 osaio;osaio; \??\C:\WINDOWS\system32\drivers\osaio.sys []
R2 osanbm;osanbm; \??\C:\WINDOWS\system32\drivers\osanbm.sys []
R2 tvicport;tvicport; \??\C:\WINDOWS\system32\drivers\tvicport.sys []
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2008-03-01 30728]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-12-20 4637696]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2007-07-20 6144]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2007-12-06 285952]
S1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-17 33792]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys []
S3 AMDPCI;AMDPCI; \??\C:\DOCUME~1\Divilov\LOCALS~1\Temp\AMDPCI.sys []
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-06-14 2301440]
S3 au6mplro;au6mplro; C:\WINDOWS\system32\drivers\au6mplro.sys []
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 FStarForce;FStarForce; C:\WINDOWS\system32\DRIVERS\FStarForce.sys [2009-01-01 8192]
S3 npkcrypt;npkcrypt; \??\C:\Program Files\Lineage II\system\npkcrypt.sys []
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys []
S3 psdfilter;psdfilter; \??\C:\WINDOWS\system32\Drivers\psdfilter.sys []
S3 psdvdisk;psdvdisk; \??\C:\WINDOWS\system32\Drivers\psdvdisk.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WINIO;WINIO; \??\C:\WINDOWS\system32\winio.sys []
S3 XDva072;XDva072; \??\C:\WINDOWS\system32\XDva072.sys []
S3 XDva074;XDva074; \??\C:\WINDOWS\system32\XDva074.sys []
S3 XDva123;XDva123; \??\C:\WINDOWS\system32\XDva123.sys []
S3 XDva214;XDva214; \??\C:\WINDOWS\system32\XDva214.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcerMemUsageCheckService;Memory Check Service; C:\Acer\Empowering Technology\ePerformance\MemCheck.exe [2006-09-14 28672]
R2 AWService;AdminWorks Agent X6; C:\Acer\LANScope Agent\awServ.exe [2007-04-26 75032]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-12-14 61440]
R2 LockServ;LockServ; C:\Acer\Empowering Technology\eLock\LockServ.exe [2006-06-28 520192]
R2 matlabserver;MATLAB Server; C:\MATLAB\webserver\bin\win32\matlabserver.exe [2004-08-16 536576]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-01-23 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-01-26 202032]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-06-14 479232]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl; C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2008-03-01 19200]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


info.txt:

info.txt logfile of random's system information tool 1.05 2009-02-18 10:09:23

======Uninstall list======

-->MsiExec /X{E4D15328-8C89-484B-B9AA-F5BE9EA6D01C}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD0C9330-E89A-4520-9A47-FE01366D5633}\setup.exe" xxxanything
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eAcoustics Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EC4EE3-ED7D-4DCD-86DC-29ACF0B122E9}\setup.exe" -l0x9 -removeonly
Acer eDataSecurity Management 2.0.4093-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{4AD13F68-CADA-4C6B-9759-C33753F89908} /l1033
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDStbmngr.exe UNINSTALL 1
Acer eLock Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9 -removeonly
Acer Empowering Technology-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer ePerformance Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7057702F-6D71-4F30-8000-9E72BC771887}\setup.exe" -l0x9 -removeonly
Acer eProtection-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9BB218C-2D4B-4FF4-97E2-2C7E3D1B2679}\setup.exe" -l0x9
Acer eSettings Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F2C8256-2773-46C7-9ABA-3E39C24ABB51}\setup.exe" -l0x9 -removeonly
Acer LANScope Agent-->C:\Program Files\InstallShield Installation Information\{163D5967-BA25-4D4F-9EC6-8410888C117F}\setup.exe -runfromtemp -l0x0409
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AMD Processor Driver-->C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoHotkey 1.0.47.06-->C:\Program Files\AutoHotkey\uninst.exe
Avernum 5-->MsiExec.exe /X{47273CEF-C70E-40E9-80DE-FA9BE55AD1BB}
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch-->C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch-->C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch-->C:\Program Files\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe -runfromtemp -l0x0409
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Cross Fire En-->"C:\Program Files\G4box\CrossFire\unins000.exe"
eMule-->"C:\Program Files\eMule\Uninstall.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
ESET Smart Security-->MsiExec.exe /I{6ECB944F-D027-4E8A-9906-70E77C005AD5}
Fraps (remove only)-->"C:\Program Files\Fraps\uninstall.exe"
Free YouTube to Mp3 Converter version 3.1-->"C:\Program Files\Youtube Converter\unins000.exe"
HijackThis 2.0.2-->"C:\Documents and Settings\Divilov\Desktop\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
MATLAB Family of Products Release 14-->C:\MATLAB\uninstall\uninstall.exe C:\MATLAB\
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.19)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX v8.10.17-->MsiExec.exe /X{E4D15328-8C89-484B-B9AA-F5BE9EA6D01C}
OCA Client history tool install-->"C:\WINDOWS\$UninstallOCA-X86Fre-ENU$\spuninst\spuninst.exe"
OpenAL-->"C:\Program Files\OpenAL\oalinst.exe" /U
PunkBuster Services-->C:\WINDOWS\system32\pbsvc.exe -u
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB913433)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB913433.inf
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Sony Vegas Pro 8.0-->MsiExec.exe /X{1246FF64-3035-4A92-8FE6-A968275495EB}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SWF & FLV Player 3.0 (build 3.0.33.5106)-->"C:\Program Files\Eltima Software\SWF & FLV Player\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
The Longest Journey-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0280F0D8-1542-4DAA-913C-8529E2A3835D}\Setup.exe" -l0x9
Trillian-->C:\Program Files\Trillian\trillian.exe /uninstall
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VentriloMIX-->C:\Program Files\VentriloMIX\Uninstal.exe
VeohTV BETA-->C:\Program Files\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\setup.exe -runfromtemp -l0x0409
VobSub v2.23 (Remove Only)-->"C:\Program Files\Xvid\VobSub\uninstall.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

======Hosts File======

127.0.0.1 localhost
85.14.219.81 nProtect.lineage2.com
85.14.219.81 l2authd.lineage2.com
85.14.219.81 l2testauthd.lineage2.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com

======Security center information======

AV: ESET Smart Security 3.0
FW: ESET Personal firewall

System event log

Computer Name: ACER-AD993BA82B
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the stopped state.

Record Number: 7384
Source Name: Service Control Manager
Time Written: 20090112074050.000000-300
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 7383
Source Name: Service Control Manager
Time Written: 20090112074045.000000-300
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 7036
Message: The Application Layer Gateway Service service entered the running state.

Record Number: 7382
Source Name: Service Control Manager
Time Written: 20090112074045.000000-300
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 7035
Message: The Application Layer Gateway Service service was successfully sent a start control.

Record Number: 7381
Source Name: Service Control Manager
Time Written: 20090112074045.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: ACER-AD993BA82B
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the running state.

Record Number: 7380
Source Name: Service Control Manager
Time Written: 20090112074044.000000-300
Event Type: information
User:

Application event log

Computer Name: ACER-AD993BA82B
Event Code: 1
Message:
Record Number: 1738
Source Name: avg8emc
Time Written: 20080902124112.000000-240
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 4
Message: The LightScribe Service started successfully.

Record Number: 1737
Source Name: LightScribeService
Time Written: 20080902124105.000000-240
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 0
Message: Service started successfully.

Record Number: 1736
Source Name: AcerMemUsageCheckService
Time Written: 20080902124058.000000-240
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 1735
Source Name: SecurityCenter
Time Written: 20080902080304.000000-240
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 32068
Message: The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Record Number: 1734
Source Name: Microsoft Fax
Time Written: 20080902080300.000000-240
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\MATLAB\bin\win32;;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32\wbem;
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=6b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------
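
Two things in the log above are worth pulling out before the clean-up starts. First, the system32 entries in the created-files list come in pairs: a DLL with a random-looking 6- or 8-letter name (bsvqskyn.dll, nnnlkJYs.dll) and a system+hidden .ini whose name is the DLL name spelled backwards (nyksqvsb.ini, sYJklnnn.ini). Second, the hosts file sends nProtect.lineage2.com, l2authd.lineage2.com and l2testauthd.lineage2.com to 85.14.219.81 rather than blocking them at 127.0.0.1 the way the Spybot immunization entries do, so those names resolve to that address instead of the real game servers. The Python script below is an added example for readers of this thread, not part of any post and not part of RSIT or any other tool named here; the sample lines are copied from the log above, and the name heuristic (6 or 8 letters, at most a quarter of them vowels) is my own rule of thumb, not a published signature.

```python
import re

# Constructed sample: lines copied from the RSIT "files created" listing above,
# with a few legitimate entries kept in to show what the heuristics do NOT flag.
RSIT_SAMPLE = r"""
2009-02-18 00:01:51 ----SH---- C:\WINDOWS\system32\nyksqvsb.ini
2009-02-18 00:01:39 ----A---- C:\WINDOWS\system32\bsvqskyn.dll
2009-02-17 23:58:41 ----A---- C:\WINDOWS\system32\srymmm.dll
2009-02-17 23:58:39 ----A---- C:\WINDOWS\system32\mwqawlhb.dll
2009-02-15 16:40:57 ----D---- C:\Program Files\ERUNT
2009-02-15 15:52:51 ----ASH---- C:\WINDOWS\system32\sYJklnnn.ini2
2009-02-14 11:57:12 ----ASH---- C:\WINDOWS\system32\sYJklnnn.ini
2009-02-14 11:57:01 ----A---- C:\WINDOWS\system32\nnnlkJYs.dll
2009-02-14 09:37:58 ----A---- C:\WINDOWS\system32\pdfmonnt.dll
2009-02-06 19:17:01 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2009-01-26 13:39:36 ----A---- C:\WINDOWS\system32\zlib.dll
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ----([A-Z]*)---- (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"
VOWELS = set("aeiou")


def parse_rsit(text):
    """Turn RSIT 'created/modified' lines into dicts: timestamp, attribute set, path parts."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, attrs, path = m.groups()
        name = path.rsplit("\\", 1)[-1]
        stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
        recs.append({"time": ts, "attrs": set(attrs), "path": path, "name": name,
                     "stem": stem, "ext": ext.lower(),
                     "system32": path.lower().startswith(SYSTEM32)})
    return recs


def looks_random(stem):
    """Weak signal (my own threshold): 6- or 8-letter, letters-only, vowel-poor name,
    the style of the dropped DLLs above. Legitimate DLLs can match, so this only
    marks a candidate for manual checking."""
    if len(stem) not in (6, 8) or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem.lower()) / len(stem) <= 0.25


def find_vundo_pairs(recs):
    """Strong signal: a system+hidden .ini/.ini2 in system32 whose stem is a DLL's
    stem spelled backwards (nnnlkJYs.dll <-> sYJklnnn.ini). Returns (dll, ini) pairs."""
    dlls = {r["stem"]: r for r in recs if r["system32"] and r["ext"] == "dll"}
    pairs = []
    for r in recs:
        if not (r["system32"] and r["ext"].startswith("ini")):
            continue
        if not {"S", "H"} <= r["attrs"]:
            continue
        mate = dlls.get(r["stem"][::-1])
        if mate:
            pairs.append((mate["name"], r["name"]))
    return sorted(pairs)


def triage(text):
    """Split findings into confirmed pairs and name-only suspects to verify by hand."""
    recs = parse_rsit(text)
    pairs = find_vundo_pairs(recs)
    confirmed = {n for pair in pairs for n in pair}
    suspects = sorted(r["name"] for r in recs
                      if r["system32"] and r["ext"] == "dll"
                      and looks_random(r["stem"]) and r["name"] not in confirmed)
    return {"pairs": pairs, "suspects": suspects}


# Constructed sample: the non-Spybot lines from the hosts file dump above.
HOSTS_SAMPLE = """\
127.0.0.1 localhost
85.14.219.81 nProtect.lineage2.com
85.14.219.81 l2authd.lineage2.com
85.14.219.81 l2testauthd.lineage2.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def hosts_redirects(text):
    """Hosts entries that point a name somewhere other than loopback/null. Loopback
    lines are blocks (Spybot's immunization writes thousands of them); anything
    else silently overrides DNS for that name and needs a known reason to stay."""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] in SINKHOLES:
            continue
        found.extend((name, fields[0]) for name in fields[1:])
    return found


if __name__ == "__main__":
    result = triage(RSIT_SAMPLE)
    for dll, ini in result["pairs"]:
        print(f"VUNDO PAIR   {dll}  <->  {ini}")
    for name in result["suspects"]:
        print(f"CHECK NAME   {name}")
    for host, ip in hosts_redirects(HOSTS_SAMPLE):
        print(f"HOSTS REDIR  {host} -> {ip}")
```

The reversed-name pairing is the signal to act on (the MBAM log further down confirms nnnlkJYs.dll as Trojan.Vundo.H). The name heuristic on its own also flags pdfmonnt.dll, which was created two minutes after the Bullzip folder and is most likely that PDF printer's port monitor, so name-only hits go on a verify list rather than straight to deletion. Any hosts redirect the script reports should either be something the owner set up on purpose (pointing the Lineage II login names at another address is typically done to connect the client to an unofficial server) or be removed along with the rest of the clean-up.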

Dakeyras
2009-02-19, 01:28
Hi :)


This computer is a little over a year old and I bought it new. The computer never belonged to a business.
Fine :bigthumb:

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Disable LockServ:

We need to do this, otherwise it will interfere with the malware removal process.


Open Notepad.
Copy and Paste everything from the Code Box below into Notepad: <-- Start >> Run... type in notepad and select OK

@Echo Off
SC Stop LockServ
SC Config LockServ start= disabled
Del %0

Go to File >> Save As
Save File name as "Disable.bat" <-- Make sure to include the quotes.
Change Save as Type to All Files and save the file to your Desktop.
It should look like this: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/Disable.gif

Now double click on the desktop Disable.bat to run the batch file. It will self-delete when completed.

Then Reboot(restart) your computer.

Note: We will re-enable this when I give the all clear.

Next:

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

eMule

Please uninstall this as per the Safer Networking guidelines outlined here (http://forums.spybot.info/showpost.php?p=25290&postcount=4).


Next:

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Alternate download link (http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html).


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:

Launch Malwarebytes' Anti-Malware
Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next:

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs can be read here (http://www.bleepingcomputer.com/forums/topic114351.html)

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

When you have completed the above, please post back the following in the order asked for:


How is your computer performing now? Any other symptoms and/or problems encountered?
Malwarebytes' Anti-Malware Log.
ComboFix Log.
A new HijackThis Log.

voolak
2009-02-19, 15:10
Working well so far, thanks. Should I always use Malwarebytes' Anti-Malware, since it found more malware than Spybot?



Malwarebytes' Anti-Malware 1.34
Database version: 1778
Windows 5.1.2600 Service Pack 3

2/19/2009 8:48:18 AM
mbam-log-2009-02-19 (08-48-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 225263
Time elapsed: 40 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nnnlkJYs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pkuhtrym.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gseilp.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8081657c-6027-4b63-8523-60970a92c3c8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8081657c-6027-4b63-8523-60970a92c3c8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ebe308ca-ff78-474c-9e65-6b5ba3028b05} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ebe308ca-ff78-474c-9e65-6b5ba3028b05} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8081657c-6027-4b63-8523-60970a92c3c8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ebe308ca-ff78-474c-9e65-6b5ba3028b05} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cdabd9a (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnlkjys -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnlkjys -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Adult.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\ (Hijack.Tray) -> Bad: (C:\DOCUME~1\Divilov\LOCALS~1\Temp\\shell32.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gseilp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nnnlkJYs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sYJklnnn.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sYJklnnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pkuhtrym.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\myrthukp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\99PAU0I4\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\N78JDJ8G\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\N78JDJ8G\winsinstall[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\N78JDJ8G\apstpldr.dll[3].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\ZY4W780C\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\ZY4W780C\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP302\A0100044.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP303\A0100941.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP303\A0100942.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP304\A0102332.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP304\A0102378.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP305\A0102574.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP305\A0102624.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP307\A0102874.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP307\A0102875.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efqpnc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frsvxa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gptgevuh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfFULcC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lcantqbt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJDSLff.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nfdentsu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nsavdfgo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onfxaw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\owrbqmpl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qobmpsce.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rpgjultp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRIyYoO.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ryyrqjuc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\srymmm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uuyijq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wfhyei.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xgpibs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yuenmi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwqawlhb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdxhtgj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.




ComboFix 09-02-18.01 - Divilov 2009-02-19 8:58:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1498 [GMT -5:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cLkjkUtv.ini
c:\windows\system32\fnccllap.ini
c:\windows\system32\ftnniuew.ini
c:\windows\system32\ieltenth.ini
c:\windows\system32\jxxfip.dll
c:\windows\system32\lVwaccdd.ini
c:\windows\system32\nyksqvsb.ini
c:\windows\system32\qdvwfvgm.ini
c:\windows\system32\uspkqrhi.ini
c:\windows\system32\xfiffqoe.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P


((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-19 07:54 . 2009-02-19 07:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 07:54 . 2009-02-19 07:54 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Malwarebytes
2009-02-19 07:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-19 07:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-19 00:14 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-02-18 10:08 . 2009-02-18 10:09 <DIR> d-------- C:\rsit
2009-02-18 10:07 . 2009-02-18 10:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-15 16:40 . 2009-02-15 16:41 <DIR> d-------- c:\program files\ERUNT
2009-02-15 13:50 . 2009-02-15 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-14 11:40 . 2009-02-14 11:40 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Boomzap
2009-02-14 09:40 . 2009-02-14 09:40 <DIR> d-------- c:\program files\MSECache
2009-02-14 09:37 . 2001-10-29 01:42 116,224 --a------ c:\windows\system32\pdfmonnt.dll
2009-02-14 09:35 . 2009-02-14 09:35 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Bullzip
2009-02-13 18:50 . 2009-02-17 20:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Dark Sector
2009-02-13 09:40 . 2009-01-01 14:06 8,192 --a------ c:\windows\system32\drivers\FStarForce.sys
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\program files\Spiderweb Software
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Downloaded Installations
2009-02-12 18:17 . 2009-02-12 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScreenSeven
2009-02-12 10:07 . 2009-02-12 10:07 <DIR> d-------- c:\program files\OpenAL
2009-02-10 20:07 . 2009-02-10 20:19 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Crayon Physics Deluxe
2009-02-10 18:41 . 2009-02-15 14:03 95 --a------ c:\windows\WININIT.INI
2009-02-09 11:10 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-09 11:10 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-08 22:14 . 2009-02-08 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\STDUConverter
2009-02-08 21:57 . 2009-02-08 21:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreePDF_XP
2009-02-08 19:19 . 2009-02-08 19:19 <DIR> d-------- c:\program files\Xfire
2009-02-08 19:19 . 2009-02-08 20:47 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Xfire
2009-02-06 19:17 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-02-06 19:16 . 2008-07-10 11:00 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-02-06 19:16 . 2008-07-10 11:00 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-06 19:16 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-02-06 19:16 . 2008-07-30 06:20 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-02-06 19:16 . 2008-07-10 11:01 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-06 19:16 . 2008-07-30 06:20 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-06 19:16 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-02-06 19:16 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-02-06 19:16 . 2008-07-30 06:20 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-06 19:16 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-02-04 17:48 . 2009-02-04 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-03 22:57 . 2009-02-03 22:57 <DIR> d-------- C:\CFLog
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-01 12:20 . 2009-02-01 12:20 <DIR> d--h----- C:\BJPrinter
2009-02-01 12:20 . 2004-04-23 12:00 116,736 --a------ c:\windows\system32\CNMLM5y.DLL
2009-02-01 12:20 . 2004-04-23 12:00 7,680 --a------ c:\windows\system32\CNMVS5y.DLL
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-01 09:54 . 2009-02-10 18:34 <DIR> d-------- c:\program files\DOSBox-0.70
2009-01-30 14:30 . 2009-01-30 14:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\MathWorks
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\ESET
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Avocent AdminWorks
2009-01-30 00:34 . 2009-01-30 00:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Eltima Software
2009-01-30 00:33 . 2009-01-30 00:33 <DIR> d-------- c:\program files\Eltima Software
2009-01-26 13:39 . 2008-06-28 00:43 430,080 --a------ c:\windows\system32\cmcs21.ocx
2009-01-26 13:39 . 2008-06-28 00:43 224,016 --a------ c:\windows\system32\tabctl32.ocx
2009-01-26 13:39 . 2003-09-23 00:00 109,248 --a------ c:\windows\system32\MSWINSCK.OCX
2009-01-26 13:39 . 2008-06-28 00:43 103,744 --a------ c:\windows\system32\mscomm32.ocx
2009-01-26 13:39 . 2008-06-28 00:43 53,248 --a------ c:\windows\system32\zlib.dll
2009-01-22 20:17 . 2009-01-22 20:17 42,320 --a------ c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 03:18 --------- d-----w c:\documents and settings\Divilov\Application Data\uTorrent
2009-02-18 14:56 --------- d-----w c:\program files\JDown
2009-02-18 01:34 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-15 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-15 19:41 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-14 20:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-10 22:34 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-07 02:37 --------- d-----w c:\program files\Trillian
2009-01-26 17:27 137,824 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-23 06:02 22,328 ----a-w c:\documents and settings\Divilov\Application Data\PnkBstrK.sys
2009-01-15 01:12 --------- d-----w c:\documents and settings\Divilov\Application Data\The Longest Journey
2009-01-14 18:54 --------- d-----w c:\program files\Funcom
2009-01-13 05:46 --------- d-----w c:\documents and settings\Divilov\Application Data\GetRightToGo
2009-01-02 17:32 --------- d-----w c:\documents and settings\Divilov\Application Data\EternalEden
2008-12-30 01:09 --------- d-----w c:\documents and settings\Divilov\Application Data\TeamViewer
2008-08-31 16:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gseilp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 08:08 136136 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-06-08 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-06-06 90112]
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-12 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-08 10944]
S0 gqytvjjg;gqytvjjg;c:\windows\system32\drivers\vgykyaks.sys --> c:\windows\system32\drivers\vgykyaks.sys [?]
S0 kaojuupk;kaojuupk;c:\windows\system32\drivers\waxkxrih.sys --> c:\windows\system32\drivers\waxkxrih.sys [?]
S0 uiwusira;uiwusira;c:\windows\system32\drivers\ownjyxnr.sys --> c:\windows\system32\drivers\ownjyxnr.sys [?]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-02-13 8192]
S3 XDva072;XDva072;\??\c:\windows\system32\XDva072.sys --> c:\windows\system32\XDva072.sys [?]
S3 XDva074;XDva074;\??\c:\windows\system32\XDva074.sys --> c:\windows\system32\XDva074.sys [?]
S3 XDva123;XDva123;\??\c:\windows\system32\XDva123.sys --> c:\windows\system32\XDva123.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5C4854EE-B927-4E42-8993-761FCC84DE9C} - (no file)
Notify-hgGabBtq - hgGabBtq.dll
Notify-qoMdDwUl - qoMdDwUl.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 09:01:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{05DE4A07-7606-4756-9155-8C1842F82FDD}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:0000000e
"Time"=hex:d9,07,01,00,05,00,1e,00,13,00,12,00,32,00,8c,00

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60A61E22-CD13-4E25-B619-57268FF9658D}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:0000000e
"Time"=hex:d9,07,01,00,05,00,1e,00,13,00,12,00,32,00,8c,00

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:86,43,47,e4,cc,9f,cb,15,21,3b,27,e1,7a,44,c1,81,4f,33,54,1d,a5,
4d,7b,86,33,13,b3,0b,19,0b,de,64,1e,da,d5,93,27,96,0c,2f,97,b9,65,03,1f,4c,\
"rkeysecu"=hex:09,98,37,69,d4,01,de,09,79,c4,c0,25,15,5a,fb,bb

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\pmkofuao.dll"
"ThreadingModel"="free"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60a61e22-cd13-4e25-b619-57268ff9658d}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\utdrwe.dll"
"ThreadingModel"="free"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Empowering Technology\eLock\LockServ.exe
c:\matlab\webserver\bin\win32\matlabserver.exe
c:\windows\system32\nvsvc32.exe
c:\matlab\bin\win32\MATLAB.exe
c:\windows\system32\PnkBstrA.exe
c:\acer\LANScope Agent\lockkm.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-19 9:04:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-19 14:04:33

Pre-Run: 42,520,207,360 bytes free
Post-Run: 42,817,437,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
261 --- E O F --- 2009-02-12 02:33:53





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:38 AM, on 2/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O20 - AppInit_DLLs: gseilp.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6809 bytes

voolak
2009-02-19, 15:14
So now how should I enable LockServ?

Dakeyras
2009-02-20, 01:08
Hi,

I have bad news I'm afraid :sad:

One or more of the identified infections is a severe Rootkit.Agent (http://research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.Agent.WI&threatid=205568)

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards. In fact it will most likely never be secure again.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.

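The diagnosis above rests on a handful of log entries: the non-empty AppInit_DLLs value in the HijackThis log (O20), autostart entries whose binaries are missing, and boot-start drivers with generated names. The following is an added example, not code from the thread or from the HijackThis or ComboFix authors, that runs that same triage reasoning over lines copied from the logs posted here. The severity labels and the "8 lowercase letters" random-name heuristic are my own assumptions, chosen to match the entries in this thread, not part of either tool.

```python
"""Triage helper for the HijackThis and ComboFix lines seen in this thread.

Added example (not from the thread or from the tools' authors): the
heuristics below are assumptions chosen to flag the kinds of entries the
helper treated as rootkit indicators, so a reader can re-run the same
reasoning over any pasted log.
"""
import re
from typing import Dict, List

# Lines copied verbatim from the logs posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)",
    r"O20 - AppInit_DLLs: gseilp.dll",
    r"O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe",
    r"O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)",
    r"S0 gqytvjjg;gqytvjjg;c:\windows\system32\drivers\vgykyaks.sys --> c:\windows\system32\drivers\vgykyaks.sys [?]",
    r"S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-02-13 8192]",
]

# ComboFix service/driver line: "<start> <name>;<display>;<path> [<date size> | ?]"
COMBOFIX_SVC = re.compile(r"^([RS][0-4]) ([^;]+);[^;]*;(.+) \[([^\]]*)\]$")
# Assumed heuristic: 8 lowercase letters is the shape of the generated
# driver names in the ComboFix log (gqytvjjg, kaojuupk, uiwusira).
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def triage_line(line: str) -> List[str]:
    """Return the reasons a single log line deserves a second look ([] if none)."""
    s = line.strip()
    reasons: List[str] = []

    # O20: AppInit_DLLs is loaded into every process that maps user32.dll.
    # On a clean XP box the value is empty, so any DLL listed here is a
    # persistence/hooking point to identify before anything else.
    if s.startswith("O20 - AppInit_DLLs:"):
        dlls = s.split(":", 1)[1].strip()
        if dlls:
            reasons.append(f"HIGH: AppInit_DLLs loads {dlls!r} into every GUI process")

    # O9/O23: a registered button or service whose binary is gone is either
    # an uninstall leftover or a deleted component; either way it is an
    # orphaned autostart that should be removed or explained.
    if s.startswith(("O9 ", "O23 ")) and s.endswith("(file missing)"):
        reasons.append("MEDIUM: autostart entry points at a missing file")
    if s.startswith("O23 ") and " - Unknown owner - " in s:
        reasons.append("LOW: service binary carries no publisher information")

    # ComboFix driver lines: a boot-start (S0) driver with a generated name
    # whose file cannot be read is the pattern the helper called a rootkit.
    m = COMBOFIX_SVC.match(s)
    if m:
        start, name, _path, info = m.groups()
        if info == "?":
            reasons.append("MEDIUM: driver file could not be read on disk")
        if start == "S0" and RANDOM_NAME.match(name):
            reasons.append("HIGH: boot-start driver with a random-looking name")
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious line to its reasons; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for ln in lines:
        reasons = triage_line(ln)
        if reasons:
            findings[ln] = reasons
    return findings


if __name__ == "__main__":
    for ln, reasons in triage(SAMPLE_LINES).items():
        print(ln[:70])
        for r in reasons:
            print("    ", r)
```

Run it as-is to see the four flagged lines from this thread; paste any other HijackThis or ComboFix output into SAMPLE_LINES to apply the same checks. The "Unknown owner" rule is deliberately LOW because legitimate services on this very machine (LockServ, matlabserver) trip it too; it only becomes interesting in combination with a missing file or an odd path.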
voolak
2009-02-20, 20:39
First off, didn't you disable LockServ? Am I supposed to turn it back on???

And I would like to try to remove the rootkit

Dakeyras
2009-02-21, 09:25
Hi :)

OK here is the situation as I see it. I will respect your decision for an attempted malware removal but I will emphasise that I give no guarantee that your computer will ever again be deemed not an online security risk.

I highly suggest you think further upon this and the possible ramifications I outlined in my last post. Neither I nor Safer Networking will be held accountable if at some point in the future the worst case scenario occurs, as I have given both my advice and warning to try and educate your good self about the serious nature of this malware infection.

Next:


First off, didn't you disable LockServ? Am I supposed to turn it back on???
At this time it appears the aforementioned application is not fully disabled and will still hinder anything I ask you to do. Plus, actually, this application is not particularly good at all at what it claims to do. Also, upon advice from a colleague of mine who is a well-respected individual within the Anti-Malware community and a Microsoft MVP (http://mvp.support.microsoft.com/), the best course of action is to actually uninstall this fully as follows:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Acer eLock Management(LockServ)

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Next:

Please re-download ComboFix; if prompted that ComboFix.exe already exists, allow it to download and replace the existing exe file:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For your particular installed application read >>here<< (http://kb.eset.com/esetkb/index?page=content&id=SOLN548). Please make sure you do this, as last time ComboFix was run your Eset Smart Security was active. If you do not understand fully how to temporarily disable it, stop any further actions straight away and inform me, and I will provide advice on how to do so.


Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

When you have completed the above, please post back the following in the order asked for:


Any problems encountered and/or further symptoms at all?
ComboFix Log.
A new HijackThis Log.

voolak
2009-02-21, 15:58
No problems or symptoms.



ComboFix 09-02-19.01 - Divilov 2009-02-21 9:52:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1591 [GMT -5:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Outdated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-20 23:34 . 2009-02-20 23:41 <DIR> d-------- c:\program files\Garena
2009-02-20 23:30 . 2009-02-20 23:30 <DIR> d-------- C:\VertigoGames
2009-02-20 18:42 . 2009-02-20 18:42 <DIR> d-------- C:\CrashReport
2009-02-19 22:46 . 2009-02-19 22:46 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2009-02-19 22:45 . 2009-02-19 22:46 <DIR> d-------- c:\windows\LastGood
2009-02-19 07:54 . 2009-02-19 09:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 07:54 . 2009-02-19 07:54 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Malwarebytes
2009-02-19 00:14 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-02-18 10:08 . 2009-02-18 10:09 <DIR> d-------- C:\rsit
2009-02-18 10:07 . 2009-02-18 10:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-15 13:50 . 2009-02-15 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-14 11:40 . 2009-02-14 11:40 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Boomzap
2009-02-14 09:40 . 2009-02-14 09:40 <DIR> d-------- c:\program files\MSECache
2009-02-14 09:37 . 2001-10-29 01:42 116,224 --a------ c:\windows\system32\pdfmonnt.dll
2009-02-14 09:35 . 2009-02-14 09:35 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Bullzip
2009-02-13 18:50 . 2009-02-17 20:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Dark Sector
2009-02-13 09:40 . 2009-01-01 14:06 8,192 --a------ c:\windows\system32\drivers\FStarForce.sys
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\program files\Spiderweb Software
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Downloaded Installations
2009-02-12 18:17 . 2009-02-12 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScreenSeven
2009-02-12 10:07 . 2009-02-12 10:07 <DIR> d-------- c:\program files\OpenAL
2009-02-10 20:07 . 2009-02-10 20:19 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Crayon Physics Deluxe
2009-02-10 18:41 . 2009-02-15 14:03 95 --a------ c:\windows\WININIT.INI
2009-02-09 11:10 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-09 11:10 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-08 22:14 . 2009-02-08 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\STDUConverter
2009-02-08 21:57 . 2009-02-08 21:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreePDF_XP
2009-02-08 19:19 . 2009-02-08 19:19 <DIR> d-------- c:\program files\Xfire
2009-02-08 19:19 . 2009-02-08 20:47 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Xfire
2009-02-06 19:17 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-02-06 19:16 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-02-06 19:16 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-06 19:16 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-02-06 19:16 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-02-06 19:16 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-06 19:16 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-06 19:16 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-02-06 19:16 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-02-06 19:16 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-06 19:16 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-02-04 17:48 . 2009-02-04 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-03 22:57 . 2009-02-03 22:57 <DIR> d-------- C:\CFLog
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-01 12:20 . 2009-02-01 12:20 <DIR> d--h----- C:\BJPrinter
2009-02-01 12:20 . 2004-04-23 12:00 116,736 --a------ c:\windows\system32\CNMLM5y.DLL
2009-02-01 12:20 . 2004-04-23 12:00 7,680 --a------ c:\windows\system32\CNMVS5y.DLL
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-01 09:54 . 2009-02-10 18:34 <DIR> d-------- c:\program files\DOSBox-0.70
2009-01-30 14:30 . 2009-01-30 14:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\MathWorks
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\ESET
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Avocent AdminWorks
2009-01-30 00:34 . 2009-01-30 00:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Eltima Software
2009-01-30 00:33 . 2009-01-30 00:33 <DIR> d-------- c:\program files\Eltima Software
2009-01-26 13:39 . 2008-06-28 00:43 430,080 --a------ c:\windows\system32\cmcs21.ocx
2009-01-26 13:39 . 2008-06-28 00:43 224,016 --a------ c:\windows\system32\tabctl32.ocx
2009-01-26 13:39 . 2003-09-23 00:00 109,248 --a------ c:\windows\system32\MSWINSCK.OCX
2009-01-26 13:39 . 2008-06-28 00:43 103,744 --a------ c:\windows\system32\mscomm32.ocx
2009-01-26 13:39 . 2008-06-28 00:43 53,248 --a------ c:\windows\system32\zlib.dll
2009-01-22 20:17 . 2009-01-22 20:17 42,320 --a------ c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 14:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 16:28 --------- d-----w c:\documents and settings\Divilov\Application Data\uTorrent
2009-02-20 03:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-19 23:33 --------- d-----w c:\program files\JDown
2009-02-19 14:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 15:07 413,696 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-12 15:07 110,592 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-10 22:34 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-07 02:37 --------- d-----w c:\program files\Trillian
2009-01-26 17:27 202,032 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-26 17:27 137,824 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-23 06:02 22,328 ----a-w c:\documents and settings\Divilov\Application Data\PnkBstrK.sys
2009-01-23 06:01 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-23 06:01 2,337,865 ----a-w c:\windows\system32\pbsvc.exe
2009-01-15 01:12 --------- d-----w c:\documents and settings\Divilov\Application Data\The Longest Journey
2009-01-14 18:54 --------- d-----w c:\program files\Funcom
2009-01-14 04:38 2,855 ----a-w c:\windows\PIF\Gothic2-Setup.PIF
2009-01-13 05:46 --------- d-----w c:\documents and settings\Divilov\Application Data\GetRightToGo
2009-01-02 17:32 --------- d-----w c:\documents and settings\Divilov\Application Data\EternalEden
2008-12-30 01:09 --------- d-----w c:\documents and settings\Divilov\Application Data\TeamViewer
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-31 16:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-19_ 9.03.50.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-20 03:46:23 155,648 ----a-w c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP\WiseCustomCalla.dll
- 2009-02-07 00:16:23 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2009-02-20 03:45:35 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2009-02-07 00:16:23 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2009-02-20 03:45:36 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2009-02-07 00:16:24 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2009-02-20 03:45:36 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2009-02-07 00:16:18 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:31 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:19 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:32 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:20 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:32 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:20 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:33 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:20 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:33 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:21 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:33 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:22 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:34 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:22 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:34 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:22 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:34 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:24 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:36 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:24 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2009-02-20 03:45:36 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2009-02-07 00:16:24 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2009-02-20 03:45:36 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2009-02-07 00:16:25 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2009-02-20 03:45:37 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2009-02-07 00:16:25 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2009-02-20 03:45:37 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2009-02-07 00:16:23 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2009-02-20 03:45:35 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2007-03-12 21:42:30 1,123,696 ----a-w c:\windows\LastGood\system32\D3DCompiler_33.dll
+ 2007-05-16 21:45:16 1,124,720 ----a-w c:\windows\LastGood\system32\D3DCompiler_34.dll
+ 2007-07-19 23:14:42 1,358,192 ----a-w c:\windows\LastGood\system32\D3DCompiler_35.dll
+ 2007-10-12 20:14:00 1,374,232 ----a-w c:\windows\LastGood\system32\D3DCompiler_36.dll
+ 2008-03-05 20:56:58 1,420,824 ----a-w c:\windows\LastGood\system32\D3DCompiler_37.dll
+ 2008-05-30 19:11:46 1,491,992 ----a-w c:\windows\LastGood\system32\D3DCompiler_38.dll
+ 2008-07-10 16:00:58 1,493,528 ----a-w c:\windows\LastGood\system32\D3DCompiler_39.dll
+ 2007-03-15 21:57:58 443,752 ----a-w c:\windows\LastGood\system32\d3dx10_33.dll
+ 2007-05-16 21:45:16 443,752 ----a-w c:\windows\LastGood\system32\d3dx10_34.dll
+ 2007-07-19 23:14:42 444,776 ----a-w c:\windows\LastGood\system32\d3dx10_35.dll
+ 2007-10-02 14:56:34 444,776 ----a-w c:\windows\LastGood\system32\d3dx10_36.dll
+ 2008-02-06 04:07:36 462,864 ----a-w c:\windows\LastGood\system32\d3dx10_37.dll
+ 2008-05-30 19:11:46 467,984 ----a-w c:\windows\LastGood\system32\d3dx10_38.dll
+ 2008-07-10 16:01:00 467,984 ----a-w c:\windows\LastGood\system32\d3dx10_39.dll
+ 2005-02-06 00:45:26 2,222,800 ----a-w c:\windows\LastGood\system32\d3dx9_24.dll
+ 2005-03-18 22:19:58 2,337,488 ----a-w c:\windows\LastGood\system32\d3dx9_25.dll
+ 2005-05-26 20:34:52 2,297,552 ----a-w c:\windows\LastGood\system32\d3dx9_26.dll
+ 2005-07-23 00:59:04 2,319,568 ----a-w c:\windows\LastGood\system32\d3dx9_27.dll
+ 2005-12-05 23:09:18 2,323,664 ----a-w c:\windows\LastGood\system32\d3dx9_28.dll
+ 2006-02-03 13:43:16 2,332,368 ----a-w c:\windows\LastGood\system32\d3dx9_29.dll
+ 2006-03-31 17:40:58 2,388,176 ----a-w c:\windows\LastGood\system32\d3dx9_30.dll
+ 2006-09-28 21:05:20 2,414,360 ----a-w c:\windows\LastGood\system32\d3dx9_31.dll
+ 2006-11-29 18:06:18 3,426,072 ----a-w c:\windows\LastGood\system32\d3dx9_32.dll
+ 2007-03-12 21:42:30 3,495,784 ----a-w c:\windows\LastGood\system32\d3dx9_33.dll
+ 2007-05-16 21:45:16 3,497,832 ----a-w c:\windows\LastGood\system32\d3dx9_34.dll
+ 2007-07-19 23:14:42 3,727,720 ----a-w c:\windows\LastGood\system32\d3dx9_35.dll
+ 2007-10-12 20:14:00 3,734,536 ----a-w c:\windows\LastGood\system32\d3dx9_36.dll
+ 2008-03-05 20:56:58 3,786,760 ----a-w c:\windows\LastGood\system32\D3DX9_37.dll
+ 2008-05-30 19:11:46 3,850,760 ----a-w c:\windows\LastGood\system32\D3DX9_38.dll
+ 2008-07-10 16:00:58 3,851,784 ----a-w c:\windows\LastGood\system32\D3DX9_39.dll
+ 2006-02-03 13:41:26 14,032 ----a-w c:\windows\LastGood\system32\x3daudio1_0.dll
+ 2007-03-05 17:42:18 15,128 ----a-w c:\windows\LastGood\system32\x3daudio1_1.dll
+ 2007-10-22 08:37:16 17,928 ----a-w c:\windows\LastGood\system32\x3daudio1_2.dll
+ 2008-03-05 21:00:06 25,608 ----a-w c:\windows\LastGood\system32\X3DAudio1_3.dll
+ 2008-05-30 19:17:00 25,608 ----a-w c:\windows\LastGood\system32\X3DAudio1_4.dll
+ 2006-02-03 13:42:06 230,096 ----a-w c:\windows\LastGood\system32\xactengine2_0.dll
+ 2006-03-31 17:39:48 229,584 ----a-w c:\windows\LastGood\system32\xactengine2_1.dll
+ 2007-10-22 08:39:54 267,272 ----a-w c:\windows\LastGood\system32\xactengine2_10.dll
+ 2006-05-31 12:24:16 230,168 ----a-w c:\windows\LastGood\system32\xactengine2_2.dll
+ 2006-07-28 14:30:32 236,824 ----a-w c:\windows\LastGood\system32\xactengine2_3.dll
+ 2006-09-28 21:05:56 237,848 ----a-w c:\windows\LastGood\system32\xactengine2_4.dll
+ 2006-12-08 17:02:00 251,672 ----a-w c:\windows\LastGood\system32\xactengine2_5.dll
+ 2007-01-24 20:27:30 255,848 ----a-w c:\windows\LastGood\system32\xactengine2_6.dll
+ 2007-04-04 23:55:00 261,480 ----a-w c:\windows\LastGood\system32\xactengine2_7.dll
+ 2007-06-21 01:46:04 266,088 ----a-w c:\windows\LastGood\system32\xactengine2_8.dll
+ 2007-07-20 05:57:12 267,112 ----a-w c:\windows\LastGood\system32\xactengine2_9.dll
+ 2008-03-05 21:03:20 238,088 ----a-w c:\windows\LastGood\system32\xactengine3_0.dll
+ 2008-05-30 19:18:52 238,088 ----a-w c:\windows\LastGood\system32\xactengine3_1.dll
+ 2008-07-30 11:20:54 238,088 ----a-w c:\windows\LastGood\system32\xactengine3_2.dll
+ 2008-05-30 19:17:30 65,032 ----a-w c:\windows\LastGood\system32\XAPOFX1_0.dll
+ 2008-07-30 11:20:56 68,616 ----a-w c:\windows\LastGood\system32\XAPOFX1_1.dll
+ 2008-03-05 21:03:54 479,752 ----a-w c:\windows\LastGood\system32\XAudio2_0.dll
+ 2008-05-30 19:19:18 507,400 ----a-w c:\windows\LastGood\system32\XAudio2_1.dll
+ 2008-07-30 11:20:56 509,448 ----a-w c:\windows\LastGood\system32\XAudio2_2.dll
+ 2006-03-31 17:39:24 62,672 ----a-w c:\windows\LastGood\system32\xinput1_1.dll
+ 2006-07-28 14:30:14 62,744 ----a-w c:\windows\LastGood\system32\xinput1_2.dll
+ 2007-04-04 23:53:42 81,768 ----a-w c:\windows\LastGood\system32\xinput1_3.dll
+ 2005-12-05 23:07:30 61,136 ----a-w c:\windows\LastGood\system32\xinput9_1_0.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gseilp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 08:08 136136 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\VertigoGames\\Game\\BlackShot\\Blackshot\\system\\BlackShot.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-12 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-08 10944]
R4 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
R4 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S0 gqytvjjg;gqytvjjg;c:\windows\system32\drivers\vgykyaks.sys --> c:\windows\system32\drivers\vgykyaks.sys [?]
S0 kaojuupk;kaojuupk;c:\windows\system32\drivers\waxkxrih.sys --> c:\windows\system32\drivers\waxkxrih.sys [?]
S0 uiwusira;uiwusira;c:\windows\system32\drivers\ownjyxnr.sys --> c:\windows\system32\drivers\ownjyxnr.sys [?]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-02-13 8192]
S3 XDva072;XDva072;\??\c:\windows\system32\XDva072.sys --> c:\windows\system32\XDva072.sys [?]
S3 XDva074;XDva074;\??\c:\windows\system32\XDva074.sys --> c:\windows\system32\XDva074.sys [?]
S3 XDva123;XDva123;\??\c:\windows\system32\XDva123.sys --> c:\windows\system32\XDva123.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GARENAPENGINE
*Deregistered* - GarenaPEngine
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 09:53:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{05DE4A07-7606-4756-9155-8C1842F82FDD}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:0000000e
"Time"=hex:d9,07,01,00,05,00,1e,00,13,00,12,00,32,00,8c,00

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60A61E22-CD13-4E25-B619-57268FF9658D}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:0000000e
"Time"=hex:d9,07,01,00,05,00,1e,00,13,00,12,00,32,00,8c,00

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:df,e5,ea,76,71,90,73,86,f2,3b,64,e1,44,75,32,48,0e,0d,17,d9,a4,
7d,9d,b1,b2,f8,5f,13,8a,bd,a1,55,fd,d0,43,89,5a,c2,94,27,4f,b8,86,97,26,e7,\
"rkeysecu"=hex:65,18,48,8e,28,49,90,6b,b5,75,cc,af,3d,1e,4d,fa

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\pmkofuao.dll"
"ThreadingModel"="free"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60a61e22-cd13-4e25-b619-57268ff9658d}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\utdrwe.dll"
"ThreadingModel"="free"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-21 9:55:03
ComboFix-quarantined-files.txt 2009-02-21 14:55:00
ComboFix2.txt 2009-02-19 14:04:37

Pre-Run: 40,410,554,368 bytes free
Post-Run: 40,410,533,888 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
332 --- E O F --- 2009-02-12 02:33:53





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:10 AM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O20 - AppInit_DLLs: gseilp.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6698 bytes

Dakeyras
2009-02-22, 20:27
Hi :)


no problems or symptoms.
Fine, thank you for informing me.

In case you are not aware, your installed ESET Smart Security is reporting that it is out of date. Please check for any updates and download them, etc.

Remove Norton Anti-Virus remnants:

Please click HERE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039) and follow the instructions to download and run the Norton Removal Tool for the version you had installed.

Note: If you are not sure which version, or are unable to download it, inform me in your next reply and we will deal with this manually.

Or try this version (http://www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html).

Next:

Download SREng (http://www.kztechs.com/sreng/sreng2.zip)


Extract it to the Desktop and double-click SREngLdr.exe to run it.
Select System Repair from the left pane.
Click on File Association.
Select all entries that have an Error status and click [Repair].
Refer to this image for an example:

http://img.photobucket.com/albums/v666/sUBs/SystemRepair_FileAssocs.gif
In your case, it is both .REG and .SCR.
Close SREng now.

COMBOFIX-Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

File::
c:\windows\PIF\Gothic2-Setup.PIF
C:\WINDOWS\system32\gseilp.dll
c:\windows\system32\drivers\vgykyaks.sys
c:\windows\system32\drivers\waxkxrih.sys
c:\windows\system32\drivers\ownjyxnr.sys
c:\windows\system32\XDva072.sys
c:\windows\system32\XDva074.sys
c:\windows\system32\XDva123.sys
c:\windows\system32\XDva214.sys
c:\WINDOWS\system32\pmkofuao.dll
c:\WINDOWS\system32\utdrwe.dll

Driver::
vgykyaks
waxkxrih
ownjyxnr
XDva072
XDva074
XDva123
XDva214

REGLOCK::
[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{05DE4A07-7606-4756-9155-8C1842F82FDD}\iexplore]
[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60A61E22-CD13-4E25-B619-57268FF9658D}\iexplore]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60a61e22-cd13-4e25-b619-57268ff9658d}\InprocServer32]

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\Program Files\uTorrent\uTorrent.exe"=-
[-HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{05DE4A07-7606-4756-9155-8C1842F82FDD}\iexplore]
[-HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60A61E22-CD13-4E25-B619-57268FF9658D}\iexplore]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60a61e22-cd13-4e25-b619-57268ff9658d}\InprocServer32]

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When you have completed the above, please post back the following in the order asked for:

Any problems encountered and/or further symptoms at all?
ComboFix Log.
A new HijackThis Log.
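Added example (not part of this thread, and not code from ComboFix, HijackThis or any helper here): a small Python triage script that reads lines in the HijackThis / ComboFix log format quoted in this thread and flags the kinds of entries a removal script like the CFScript above targets, namely a populated AppInit_DLLs value, O2/O3/O9/O23 entries whose file is gone, and ComboFix driver entries marked `--> path [?]` (file not found) or carrying random-looking service names. The sample lines are copied from the logs posted in this thread; the severity levels and the random-name heuristic are my own assumptions, not rules of either tool, so treat the output as a reading aid, not a verdict.

```python
import re

# Sample lines copied from the HijackThis and ComboFix logs posted in this
# thread, embedded here so the script runs offline.
SAMPLE_LINES = r"""
O20 - AppInit_DLLs: gseilp.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
S0 gqytvjjg;gqytvjjg;c:\windows\system32\drivers\vgykyaks.sys --> c:\windows\system32\drivers\vgykyaks.sys [?]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
"""

# HijackThis O20 line: DLLs listed in AppInit_DLLs are loaded into every
# process that loads user32.dll, so a non-empty value is always worth a look.
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")

# HijackThis O2/O3/O9/O23 entries whose target file is gone: harmless
# orphans, but exactly what a cleanup script removes.
MISSING_RE = re.compile(r"^O(?:2|3|9|23) - .*\((?:file missing|no file)\)\s*$")

# ComboFix service/driver line. Two shapes appear in the logs above:
#   R1 name;display;path [date size]        file present
#   S0 name;display;path --> path [?]       file could not be found
CF_SVC_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?:\s+-->\s+(?P<resolved>\S+)\s+\[\?\]|\s+\[(?P<stamp>[^\]]*)\])\s*$"
)

# Heuristic (my own assumption, not a ComboFix rule): all-lowercase names of
# 7+ letters that do not match the driver's file name look machine-generated.
LOWER_RANDOM_RE = re.compile(r"^[a-z]{7,}$")


def _basename_no_ext(path):
    """c:\\dir\\file.sys -> file (also handles the \\??\\ NT path prefix)."""
    leaf = path.replace("\\", "/").rsplit("/", 1)[-1]
    return leaf.rsplit(".", 1)[0]


def triage(log_text):
    """Return a list of findings, each {'level', 'why', 'line'}, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O20_RE.match(line)
        if m:
            dlls = m.group("dlls").strip()
            if dlls:
                findings.append({"level": "high",
                                 "why": "AppInit_DLLs is populated (%s); loaded into every user32 process" % dlls,
                                 "line": line})
            continue

        if MISSING_RE.match(line):
            findings.append({"level": "low",
                             "why": "entry points at a file that no longer exists (orphan)",
                             "line": line})
            continue

        m = CF_SVC_RE.match(line)
        if m:
            name = m.group("name")
            reasons = []
            if m.group("resolved") is not None:
                reasons.append("driver file not found on disk ([?])")
            if LOWER_RANDOM_RE.match(name) and name != _basename_no_ext(m.group("path")).lower():
                reasons.append("service name looks random and differs from its file name")
            if reasons:
                # boot-start (S0) drivers and entries hitting both rules rank highest
                level = "high" if m.group("start") == "S0" or len(reasons) > 1 else "medium"
                findings.append({"level": level, "why": "; ".join(reasons), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print("[%-6s] %s\n         %s" % (f["level"], f["why"], f["line"]))
```

Run it as-is to see the sample, or pass a saved log with triage(open(path).read()). It only reads text; it changes nothing on the machine, and anything it flags still needs a person to decide whether it is malware, a leftover from an uninstalled program, or a legitimate driver with an odd name.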

Dakeyras
2009-02-24, 09:00
Hi :)

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.

voolak
2009-02-24, 20:47
Sorry for the late response; I couldn't get on the computer for a couple of days.


The SREng link didn't work, but I just got it from http://www.kztechs.com/eng/download.html and clicked on System Repair Engineer 2.7.0.1210 FREE Local Download.

None of the files have errors so there is nothing to repair:

http://img510.imageshack.us/img510/7075/normal.jpg

Dakeyras
2009-02-24, 20:53
Hi :)

I apologise about the link I posted not working. What you have done is fine :bigthumb:

Please carry on with the rest of my posted instructions from:

COMBOFIX-Script:

voolak
2009-02-25, 19:08
No problems or symptoms


ComboFix 09-02-24.02 - Divilov 2009-02-25 12:58:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1490 [GMT -5:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Divilov\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\\system32\utdrwe.dll
c:\windows\PIF\Gothic2-Setup.PIF
c:\windows\system32\drivers\ownjyxnr.sys
c:\windows\system32\drivers\vgykyaks.sys
c:\windows\system32\drivers\waxkxrih.sys
c:\windows\system32\gseilp.dll
c:\windows\system32\pmkofuao.dll
c:\windows\system32\XDva072.sys
c:\windows\system32\XDva074.sys
c:\windows\system32\XDva123.sys
c:\windows\system32\XDva214.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\PIF\Gothic2-Setup.PIF

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA072
-------\Legacy_XDVA074
-------\Legacy_XDVA123
-------\Legacy_XDVA214
-------\Service_XDva072
-------\Service_XDva074
-------\Service_XDva123
-------\Service_XDva214


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 14:36 . 2009-02-24 14:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-24 14:31 . 2009-01-09 14:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-21 16:29 . 2009-02-21 16:29 <DIR> d-------- c:\program files\G4box
2009-02-20 23:34 . 2009-02-23 19:32 <DIR> d-------- c:\program files\Garena
2009-02-20 23:30 . 2009-02-20 23:30 <DIR> d-------- C:\VertigoGames
2009-02-20 18:42 . 2009-02-20 18:42 <DIR> d-------- C:\CrashReport
2009-02-19 22:46 . 2009-02-19 22:46 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2009-02-19 07:54 . 2009-02-19 07:54 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Malwarebytes
2009-02-19 00:14 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-02-18 10:08 . 2009-02-18 10:09 <DIR> d-------- C:\rsit
2009-02-18 10:07 . 2009-02-18 10:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-15 13:50 . 2009-02-15 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-14 11:40 . 2009-02-14 11:40 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Boomzap
2009-02-14 09:40 . 2009-02-14 09:40 <DIR> d-------- c:\program files\MSECache
2009-02-14 09:37 . 2001-10-29 01:42 116,224 --a------ c:\windows\system32\pdfmonnt.dll
2009-02-14 09:35 . 2009-02-14 09:35 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Bullzip
2009-02-13 18:50 . 2009-02-17 20:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Dark Sector
2009-02-13 09:40 . 2009-01-01 14:06 8,192 --a------ c:\windows\system32\drivers\FStarForce.sys
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\program files\Spiderweb Software
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Downloaded Installations
2009-02-12 18:17 . 2009-02-12 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScreenSeven
2009-02-12 10:07 . 2009-02-12 10:07 <DIR> d-------- c:\program files\OpenAL
2009-02-10 20:07 . 2009-02-10 20:19 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Crayon Physics Deluxe
2009-02-10 18:41 . 2009-02-15 14:03 95 --a------ c:\windows\WININIT.INI
2009-02-09 11:10 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-09 11:10 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-08 22:14 . 2009-02-08 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\STDUConverter
2009-02-08 21:57 . 2009-02-08 21:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreePDF_XP
2009-02-08 19:19 . 2009-02-08 19:19 <DIR> d-------- c:\program files\Xfire
2009-02-08 19:19 . 2009-02-08 20:47 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Xfire
2009-02-06 19:17 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-02-06 19:16 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-02-06 19:16 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-06 19:16 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-02-06 19:16 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-02-06 19:16 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-06 19:16 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-06 19:16 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-02-06 19:16 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-02-06 19:16 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-06 19:16 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-02-04 17:48 . 2009-02-04 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-03 22:57 . 2009-02-03 22:57 <DIR> d-------- C:\CFLog
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-01 12:20 . 2009-02-01 12:20 <DIR> d--h----- C:\BJPrinter
2009-02-01 12:20 . 2004-04-23 12:00 116,736 --a------ c:\windows\system32\CNMLM5y.DLL
2009-02-01 12:20 . 2004-04-23 12:00 7,680 --a------ c:\windows\system32\CNMVS5y.DLL
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-01 09:54 . 2009-02-10 18:34 <DIR> d-------- c:\program files\DOSBox-0.70
2009-01-30 14:30 . 2009-01-30 14:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\MathWorks
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\ESET
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Avocent AdminWorks
2009-01-30 00:34 . 2009-01-30 00:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Eltima Software
2009-01-30 00:33 . 2009-01-30 00:33 <DIR> d-------- c:\program files\Eltima Software
2009-01-26 13:39 . 2008-06-28 00:43 430,080 --a------ c:\windows\system32\cmcs21.ocx
2009-01-26 13:39 . 2008-06-28 00:43 224,016 --a------ c:\windows\system32\tabctl32.ocx
2009-01-26 13:39 . 2003-09-23 00:00 109,248 --a------ c:\windows\system32\MSWINSCK.OCX
2009-01-26 13:39 . 2008-06-28 00:43 103,744 --a------ c:\windows\system32\mscomm32.ocx
2009-01-26 13:39 . 2008-06-28 00:43 53,248 --a------ c:\windows\system32\zlib.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 14:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 16:28 --------- d-----w c:\documents and settings\Divilov\Application Data\uTorrent
2009-02-20 03:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-19 23:33 --------- d-----w c:\program files\JDown
2009-02-19 14:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 22:34 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-07 02:37 --------- d-----w c:\program files\Trillian
2009-01-26 17:27 137,824 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-23 06:02 22,328 ----a-w c:\documents and settings\Divilov\Application Data\PnkBstrK.sys
2009-01-15 01:12 --------- d-----w c:\documents and settings\Divilov\Application Data\The Longest Journey
2009-01-14 18:54 --------- d-----w c:\program files\Funcom
2009-01-13 05:46 --------- d-----w c:\documents and settings\Divilov\Application Data\GetRightToGo
2009-01-02 17:32 --------- d-----w c:\documents and settings\Divilov\Application Data\EternalEden
2008-12-30 01:09 --------- d-----w c:\documents and settings\Divilov\Application Data\TeamViewer
2008-08-31 16:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-02-21_ 9.54.14.77 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\system32\dllcache\shell32.dll
- 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-12-10 12:28:03 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-02-25 17:38:47 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 08:08 136136 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\VertigoGames\\Game\\BlackShot\\Blackshot\\system\\BlackShot.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-12 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-08 10944]
S0 gqytvjjg;gqytvjjg;c:\windows\system32\drivers\vgykyaks.sys --> c:\windows\system32\drivers\vgykyaks.sys [?]
S0 kaojuupk;kaojuupk;c:\windows\system32\drivers\waxkxrih.sys --> c:\windows\system32\drivers\waxkxrih.sys [?]
S0 uiwusira;uiwusira;c:\windows\system32\drivers\ownjyxnr.sys --> c:\windows\system32\drivers\ownjyxnr.sys [?]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-02-13 8192]
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 13:01:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:df,e5,ea,76,71,90,73,86,f2,3b,64,e1,44,75,32,48,0e,0d,17,d9,a4,
7d,9d,b1,b2,f8,5f,13,8a,bd,a1,55,fd,d0,43,89,5a,c2,94,27,4f,b8,86,97,26,e7,\
"rkeysecu"=hex:65,18,48,8e,28,49,90,6b,b5,75,cc,af,3d,1e,4d,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\matlab\webserver\bin\win32\matlabserver.exe
c:\matlab\bin\win32\MATLAB.exe
c:\windows\system32\nvsvc32.exe
c:\acer\LANScope Agent\lockkm.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-25 13:04:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 18:04:51
ComboFix2.txt 2009-02-21 14:55:04
ComboFix3.txt 2009-02-19 14:04:37

Pre-Run: 40,804,110,336 bytes free
Post-Run: 40,823,533,568 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
254 --- E O F --- 2009-02-24 23:48:30




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:44 PM, on 2/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6444 bytes

Dakeyras
2009-02-25, 22:19
Hi :)


No problems or symptoms
OK it may appear so but I assure you your computer is far from being malware free and undoubtedly never will be. I have trained for a very long time in the IT field of Anti-Malware to get to the point where I am able to assist individuals such as your good self. Saying that, I still strongly advise a Re-Format & Re-Installation of the Operating System is the course of action to do!

In-Depth Rootkit Scan:

Download GMER (http://gmer.net/gmer.zip) and extract it to your desktop.

***Please close any open programs ***


Now right click on gmer.exe and choose the option Rename , rename it Dakeyras please.
Now double-click Dakeyras.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
Click Yes.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER/Dakeyras will produce a log. Click on the Save button, and save the log as dakeyras.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
Click the Scan button and let the program do its work. GMER/Dakeyras will produce a log.
Click on the Save button, and save the log as Dakeyras.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER/Dakeyras scan in your reply.

Next:

Please download ISeeYouXP.zip (http://downloads.malwareteks.com/ISeeYouXP.zip) by ShadowPuterDude, to your Desktop.


Then extract the files from the ZIP.
Locate the ISeeYouXP.bat file and double click on it to run it.
It will create a file named ISeeYou.txt in the root of drive C: (C:\ISeeYou.txt).
This log will also pop up in a notepad window which you can just close. Upload the ISeeYou.txt file here as an attachment.
Note: If you get an error similar to the below when running GetRunKey.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS.

C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.

For Windows XP Pro: download and run XPproFix (http://homepage.ntlworld.com/spencer.greystrong/XPProfiles.exe)
For Windows XP Home: download and run XPHomeFix (http://homepage.ntlworld.com/spencer.greystrong/XPHomeFiles.exe)
For Windows 2000: download and run W2KFix (http://homepage.ntlworld.com/spencer.greystrong/W2kFiles.exe)

Then run ISeeYouXP.bat again and post the log.

The log can get quite long, which is the reason I would like you to attach the file.

When you have completed the above, please post back the following in the order asked for (individual posts may be best):


Dakeyras.txt
ISeeYou.txt
A new HijackThis Log.

voolak
2009-02-26, 23:58
http://gmer.net/gmer.zip <----- link down and site down

Dakeyras
2009-02-27, 00:15
OK, thank you for informing me. Please carry on with the next set of instructions (http://forums.spybot.info/showpost.php?p=293171&postcount=20) I posted:

Please download ISeeYouXP.zip by ShadowPuterDude, to your Desktop.

voolak
2009-02-27, 23:02
The GMER site went back up and I did the scan but I never saw something to press yes on.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:43 PM, on 2/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\LANScope Agent\awServ.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6411 bytes


I don't know how to attach files on a forum so I'll just make a download link.


http://rapidshare.com/files/203360734/ISeeYouXP.txt.html

Dakeyras
2009-02-28, 11:36
Hi :)


The GMER site went back up and I did the scan but I never saw something to press yes on.

OK we will try a different scanner.


I don't know how to attach files on a forum so I'll just make a download link.
No problem I have got a copy of the log and researched it.

Next:

Please re-download ComboFix, if prompted with ComboFix.exe already exists, allow it to download and replace the existing exe file:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

COMBOFIX-Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

Driver::
gqytvjjg
kaojuupk
uiwusira

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}]
[-HKEY_CLASSES_ROOT\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}]

Rootkit::
c:\windows\system32\drivers\vgykyaks.sys
c:\windows\system32\drivers\waxkxrih.sys
c:\windows\system32\drivers\ownjyxnr.sys


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Download Blacklight from here:

http://www.f-secure.com/security_center/

Under "Downloads", click on Blacklight and Save it to your Desktop
or
Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save it to your desktop from there.

Go to Start-->Run, copy in the following text, and press Enter:

"%userprofile%\desktop\fsbl.exe" /expert
Accept the license agreement.
Click > scan, wait for it to finish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.

When you have completed the above, please post back the following in the order asked for:


Any problems encountered and/or further symptoms at all?
Blacklight Log.
ComboFix Log.
A new HijackThis Log.
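The Registry:: block in the script above removes the two COM objects that HijackThis reported as orphaned (the O2 BHO showing "(no file)" and the O9 PartyPoker extension showing "(file missing)"), each together with its HKEY_CLASSES_ROOT\CLSID key. The following Python is an added example, not ComboFix's or the helper's own tooling: it parses O2/O9 lines in the HijackThis log format, flags those two markers, and renders the matching CFScript Registry:: lines; the sample log lines are constructed from the logs posted in this thread, and the Driver::/Rootkit:: sections of the script came from other logs and are out of scope here.

```python
"""Triage a HijackThis log for orphaned COM entries and render them in
ComboFix CFScript Registry:: syntax (added example; not a ComboFix or
HijackThis tool)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the HijackThis logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# HijackThis marks a registered component whose file is absent with one of
# these two suffixes.  An orphan is a stale registration, not by itself
# proof of malware; it is still dead weight worth cleaning up.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# HJT section -> registry key holding the CLSID-named subkey.  Both paths
# are the ones used in the helper's CFScript in this thread.
SECTION_KEYS: Dict[str, str] = {
    "O2": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    "O9": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions",
}
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# "<section> - <name> - {CLSID} - <target>", CLSID in 8-4-4-4-12 hex form.
LINE_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*)$"
)


@dataclass(frozen=True)
class Orphan:
    section: str
    name: str
    clsid: str
    target: str


def find_orphans(log_text: str) -> List[Orphan]:
    """Return O2/O9 entries whose registered file HijackThis could not find."""
    found: List[Orphan] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["section"] not in SECTION_KEYS:
            continue
        target = m["target"].strip()
        if target.endswith(ORPHAN_MARKERS):
            found.append(Orphan(m["section"], m["name"], m["clsid"], target))
    return found


def cfscript_registry_block(orphans: List[Orphan]) -> List[str]:
    """One '[-KEY]' deletion line per registry key, in CFScript syntax.

    O9 entries appear twice in HJT (button + Tools menu item) but share a
    CLSID, so keys are emitted once per CLSID, in first-seen order.
    """
    lines: List[str] = []
    seen = set()
    for o in orphans:
        key = (o.section, o.clsid.lower())  # registry names are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        lines.append(f"[-{SECTION_KEYS[o.section]}\\{o.clsid}]")
        lines.append(f"[-{CLSID_ROOT}\\{o.clsid}]")
    return lines


def render_cfscript(log_text: str) -> str:
    """Full Registry:: section for the orphaned entries in a HJT log, or ''."""
    block = cfscript_registry_block(find_orphans(log_text))
    return "Registry::\n" + "\n".join(block) + "\n" if block else ""


if __name__ == "__main__":
    for o in find_orphans(SAMPLE_HJT):
        print(f"{o.section} {o.clsid} {o.name!r}: {o.target}")
    print()
    print(render_cfscript(SAMPLE_HJT))
```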

voolak
2009-03-01, 16:18
Any problems encountered and/or further symptoms at all? No


03/01/09 10:12:37 [Info]: BlackLight Engine 2.2.1092 initialized
03/01/09 10:12:37 [Info]: OS: 5.1 build 2600 (Service Pack 3)
03/01/09 10:12:37 [Note]: 7019 4
03/01/09 10:12:37 [Note]: 7005 0
03/01/09 10:12:43 [Note]: 7006 0
03/01/09 10:12:43 [Note]: 7022 0
03/01/09 10:12:43 [Note]: 7011 4076
03/01/09 10:12:43 [Note]: 7035 0
03/01/09 10:12:43 [Note]: 7026 0
03/01/09 10:12:43 [Note]: 7026 0
03/01/09 10:12:43 [Note]: FSRAW library version 1.7.1024
03/01/09 10:16:30 [Note]: 7007 0




ComboFix 09-02-28.01 - Divilov 2009-03-01 10:03:54.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1557 [GMT -5:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Divilov\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gqytvjjg
-------\Service_kaojuupk
-------\Service_uiwusira


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-02-27 18:20 . 2009-02-16 19:39 2,736,890 --a------ c:\windows\system32\GameMon.des
2009-02-27 16:57 . 2009-02-27 16:57 250 --a------ c:\windows\gmer.ini
2009-02-27 16:48 . 2005-01-14 02:41 11,254 --a------ c:\windows\system32\locate.com
2009-02-24 14:36 . 2009-02-24 14:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-24 14:31 . 2009-01-09 14:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-21 16:29 . 2009-02-21 16:29 <DIR> d-------- c:\program files\G4box
2009-02-20 23:34 . 2009-02-28 23:31 <DIR> d-------- c:\program files\Garena
2009-02-20 23:30 . 2009-02-20 23:30 <DIR> d-------- C:\VertigoGames
2009-02-20 18:42 . 2009-02-20 18:42 <DIR> d-------- C:\CrashReport
2009-02-19 22:46 . 2009-02-19 22:46 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2009-02-19 07:54 . 2009-02-19 07:54 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Malwarebytes
2009-02-19 00:14 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-02-18 10:08 . 2009-02-18 10:09 <DIR> d-------- C:\rsit
2009-02-18 10:07 . 2009-02-18 10:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-15 13:50 . 2009-02-15 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-14 11:40 . 2009-02-14 11:40 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Boomzap
2009-02-14 09:40 . 2009-02-14 09:40 <DIR> d-------- c:\program files\MSECache
2009-02-14 09:37 . 2001-10-29 01:42 116,224 --a------ c:\windows\system32\pdfmonnt.dll
2009-02-14 09:35 . 2009-02-14 09:35 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Bullzip
2009-02-13 18:50 . 2009-02-17 20:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Dark Sector
2009-02-13 09:40 . 2009-01-01 14:06 8,192 --a------ c:\windows\system32\drivers\FStarForce.sys
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\program files\Spiderweb Software
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Downloaded Installations
2009-02-12 18:17 . 2009-02-12 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScreenSeven
2009-02-12 10:07 . 2009-02-12 10:07 <DIR> d-------- c:\program files\OpenAL
2009-02-10 20:07 . 2009-02-10 20:19 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Crayon Physics Deluxe
2009-02-10 18:41 . 2009-02-15 14:03 95 --a------ c:\windows\WININIT.INI
2009-02-09 11:10 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-09 11:10 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-08 22:14 . 2009-02-08 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\STDUConverter
2009-02-08 21:57 . 2009-02-08 21:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreePDF_XP
2009-02-08 19:19 . 2009-02-08 19:19 <DIR> d-------- c:\program files\Xfire
2009-02-08 19:19 . 2009-02-08 20:47 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Xfire
2009-02-06 19:17 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-02-06 19:16 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-02-06 19:16 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-06 19:16 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-02-06 19:16 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-02-06 19:16 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-06 19:16 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-06 19:16 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-02-06 19:16 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-02-06 19:16 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-06 19:16 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-02-04 17:48 . 2009-02-04 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-03 22:57 . 2009-02-03 22:57 <DIR> d-------- C:\CFLog
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-01 12:20 . 2009-02-01 12:20 <DIR> d--h----- C:\BJPrinter
2009-02-01 12:20 . 2004-04-23 12:00 116,736 --a------ c:\windows\system32\CNMLM5y.DLL
2009-02-01 12:20 . 2004-04-23 12:00 7,680 --a------ c:\windows\system32\CNMVS5y.DLL
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-01 09:54 . 2009-02-10 18:34 <DIR> d-------- c:\program files\DOSBox-0.70

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 02:08 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-21 14:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 16:28 --------- d-----w c:\documents and settings\Divilov\Application Data\uTorrent
2009-02-20 03:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-19 23:33 --------- d-----w c:\program files\JDown
2009-02-19 14:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-07 02:37 --------- d-----w c:\program files\Trillian
2009-01-30 19:30 --------- d-----w c:\documents and settings\LocalService\Application Data\MathWorks
2009-01-30 19:28 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\ESET
2009-01-30 19:28 --------- d-----w c:\documents and settings\LocalService\Application Data\Avocent AdminWorks
2009-01-30 05:34 --------- d-----w c:\documents and settings\Divilov\Application Data\Eltima Software
2009-01-30 05:33 --------- d-----w c:\program files\Eltima Software
2009-01-26 17:27 137,824 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-23 06:02 22,328 ----a-w c:\documents and settings\Divilov\Application Data\PnkBstrK.sys
2009-01-15 01:12 --------- d-----w c:\documents and settings\Divilov\Application Data\The Longest Journey
2009-01-14 18:54 --------- d-----w c:\program files\Funcom
2009-01-13 05:46 --------- d-----w c:\documents and settings\Divilov\Application Data\GetRightToGo
2009-01-02 17:32 --------- d-----w c:\documents and settings\Divilov\Application Data\EternalEden
2008-08-31 16:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-02-21_ 9.54.14.77 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-27 21:45:38 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\system32\dllcache\shell32.dll
+ 2009-02-27 21:45:38 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-12-10 12:28:03 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-02-25 17:38:47 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 08:08 136136 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\VertigoGames\\Game\\BlackShot\\Blackshot\\system\\BlackShot.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-12 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-08 10944]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-02-13 8192]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Divilov\LOCALS~1\Temp\BFX1C6A.tmp --> c:\docume~1\Divilov\LOCALS~1\Temp\BFX1C6A.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-01 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 10:07:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Divilov\LOCALS~1\Temp\BFX1C6A.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:df,e5,ea,76,71,90,73,86,f2,3b,64,e1,44,75,32,48,0e,0d,17,d9,a4,
7d,9d,b1,b2,f8,5f,13,8a,bd,a1,55,fd,d0,43,89,5a,c2,94,27,4f,b8,86,97,26,e7,\
"rkeysecu"=hex:65,18,48,8e,28,49,90,6b,b5,75,cc,af,3d,1e,4d,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\matlab\webserver\bin\win32\matlabserver.exe
c:\acer\LANScope Agent\lockkm.exe
c:\windows\system32\nvsvc32.exe
c:\matlab\bin\win32\MATLAB.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-03-01 10:10:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 15:10:50
ComboFix2.txt 2009-02-21 14:55:04
ComboFix3.txt 2009-02-19 14:04:37

Pre-Run: 40,298,962,944 bytes free
Post-Run: 40,306,728,960 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
239 --- E O F --- 2009-02-24 23:48:30




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:36 AM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6069 bytes

Dakeyras
2009-03-01, 19:37
Hi :)


Any problems encountered and or further symptoms at all? no
OK :bigthumb:

I have a question if I may: have you recently uninstalled nProtect GameGuard at all?

Update out of date software applications:

Older versions of Java pose a security risk and can be used by malware as a back-door to exploit a system. Please carry out the following:

Go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

J2SE Runtime Environment 5.0 Update 6

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

New Java Installation:


Click here (http://java.sun.com/javase/downloads/index.jsp) to visit Java's website.
Scroll down to Java SE Runtime Environment (JRE) 6 Update 12. Click on Download.
Select Windows from the drop-down list for Platform.
Select Multi-language from the drop-down list for Language.
Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
Click on jre-6u12-windows-i586-p.exe link to download it and save this to a convenient location.
Double click on jre-6u12-windows-i586-p.exe to install Java.
Next:

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.


Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases

Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
This online tutorial (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif) will help explain how to use the aforementioned online scan.

When completed the above, please post back the following:


Any problems encountered?
Kaspersky scan results.
A new HijackThis Log.

voolak
2009-03-02, 16:50
Any problems encountered? No



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 02, 2009 13:45:01
Records in database: 1861975
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 158865
Threat name: 5
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 01:55:16


File name / Threat name / Threats count
C:\Documents and Settings\Divilov\My Documents\DP\2.5millionads.rar Infected: not-a-virus:AdWare.Win32.Megap.a 1
C:\Invision\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Invision\mirc.exe.bak Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Program Files\HideToolz\HideToolz.exe Infected: not-a-virus:RiskTool.Win32.HideProc.q 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jxxfip.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.jpm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xfiffqoe.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.jpm 1
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP308\A0103050.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jpm 1
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP308\A0103055.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jpm 1

The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:21 AM, on 3/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6410 bytes

Dakeyras
2009-03-02, 22:05
Hi :)

Congratulations, your computer now appears to be malware free. However, please bear in mind that though I respected your decision to carry out an attempted malware removal, I give no guarantees about the security of this computer and have to the best of my abilities tried to both identify and eradicate all malware.

Next:

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Uninstall ComboFix:


Click on Start >> Run...
Now type Combofix /u in the Run box and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

OTCleanIt:

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop. This tool will remove all the tools we used to clean your pc.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed combination security application, ESET Smart Security, automatically checks for updates and downloads/installs them with every system reboot and or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this also once per week.

Erunt:

Emergency Recovery Utility NT. I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself, I would actually create a new backup once per week, as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:


I advise you visit: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
Install the Active X
Once installed it will advise you to set Auto-Updates if not already set, and then you will be able to manually check for updates also via:
Start >> All Programs >> Microsoft Updates

Be careful when opening attachments and downloading files:


Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).

Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript (http://www.symantec.com/avcenter/noscript.exe) by Symantec or Script Defender (http://www.analogx.com/contents/download/system/sdefend.htm) by AnalogX to handle these scripts.

Make your Internet Explorer safer:

For Internet Explorer 7

Please read this article (http://surfthenetsafely.com/ieseczone8.htm) to configure Internet Explorer 7 properly.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly free software, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice: avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

A custom Hosts file replaces your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:


MVPS Hosts File (http://www.mvps.org/winhelp2002/hosts.htm)
Bluetack's Hosts File (http://www.bluetack.co.uk/forums/index.php?showtopic=8406)
Bluetack's Host Manager (http://www.bluetack.co.uk/forums/index.php?autocom=faq&CODE=02&qid=16)
hpHosts (http://hphosts.mysteryfcm.co.uk/?s=Download).

Only use one of the above.

Finally, an educational source:

To learn more about how to protect yourself while on the internet read this article by Tony Klein:

So how did I get infected in the first place? (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)

Some consider this article outdated; personally I still think it bears relevance, and the author is well respected in the Anti-Malware community and by myself also!

Any questions? Feel free to ask, if not stay safe! :)
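
As an added illustration of the Hosts file advice above (this is not code from the thread, nor from the MVPS, Bluetack or hpHosts projects it links), the Python script below parses a Hosts file in the format those lists use, performs the "phone book" lookup the post describes, and reports which names the file sinkholes to 127.0.0.1 (or 0.0.0.0, another address such lists commonly use). The sample file contents and every hostname in it are constructed placeholders, not entries from any real list.

```python
"""Parse a blocking-style Hosts file and report which hostnames it sinkholes.

Added example, not part of the original thread.  SAMPLE_HOSTS is constructed
for illustration; the hostnames in it are placeholders, not entries from any
real MVPS/Bluetack/hpHosts list.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Addresses a blocking Hosts file points unwanted names at.  The thread's
# advice mentions 127.0.0.1; 0.0.0.0 is the other common choice, and ::1 is
# the IPv6 loopback.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately map to loopback and must not be reported as blocked.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample file: the normal localhost lines, two blocking lines (one
# tab-separated, one carrying several names), a comment, a commented-out
# entry, and an ordinary static mapping with an inline comment.
SAMPLE_HOSTS = """\
# Constructed sample hosts file (placeholder names)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid          # placeholder ad server
127.0.0.1\tspyware.example.invalid  tracker.example.invalid
#127.0.0.1      disabled.example.invalid
10.0.0.5        intranet.example.invalid     # ordinary static mapping
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs in file order.

    Hosts file syntax: one address per line followed by one or more names
    separated by whitespace; '#' starts a comment that runs to end of line.
    Names are case-insensitive, so they are lower-cased.  Lines whose first
    field is not a valid IP address are skipped rather than trusted.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address with no hostname
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed address field
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def build_table(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each name to its first address; a later duplicate does not override.

    Simplification: a real resolver may return both an IPv4 and an IPv6
    address for one name; here only the first mapping is kept.
    """
    table: Dict[str, str] = {}
    for addr, name in entries:
        table.setdefault(name, addr)
    return table


def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """The 'phone book' step: the Hosts address, or None to fall through to DNS."""
    return table.get(hostname.lower())


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """True when the file deliberately sends this name to a sinkhole address."""
    name = hostname.lower()
    addr = table.get(name)
    return addr in SINKHOLE_ADDRESSES and name not in LOOPBACK_NAMES


def sinkholed_names(table: Dict[str, str]) -> List[str]:
    """Sorted list of every name the file blocks."""
    return sorted(name for name in table if is_blocked(table, name))


if __name__ == "__main__":
    hosts = build_table(parse_hosts(SAMPLE_HOSTS))
    for blocked in sinkholed_names(hosts):
        print(f"blocked: {blocked} -> {hosts[blocked]}")
    print("intranet.example.invalid ->", lookup(hosts, "intranet.example.invalid"))
```

Run it against the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) by reading that file into `parse_hosts` instead of SAMPLE_HOSTS; the comment handling matters because the downloadable lists carry thousands of comment lines, and the first-mapping-wins rule matches the order in which the resolver reads the file.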

voolak
2009-03-03, 00:04
Thanks for all your help.

I sometimes search for warez on the internet and I think that is how I got this spyware. How is it possible for spyware to install just by going on a site? And is there any way to prevent it if I just want to surf the site?

Dakeyras
2009-03-03, 04:01
Hi :)


Thanks for all your help.
You're welcome!


sometimes search for warez on the internet and I think that is how I got this spyware. How is it possible for spyware to install just by going on a site? And is there any way to prevent it if I just want to surf the site?
OK, do you actually understand what the term warez means in the Information Technology world, not to be confused with the old English definition it is taken from and or implies, at all? Or what you have exactly asked myself!

In short, no, I will not provide advice about such whatsoever. Plus do not be under the misapprehension I would ever provide such criminal advice and or insult my integrity ever again!

I have provided you with some tips on how to stay safe online and what not to do. Plus much more, against my better judgment concerning your computer's actual compromised state.

chryssi2001
2009-03-04, 07:43
Since this issue appears to be resolved ... this Topic has been closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.