
Google links Hijacked help!



xdcmasterx
2009-07-09, 21:05
My HJT log :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:59 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {8fd5d668-b7de-4982-b482-97810511c1a3} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AutoComplete - {9452EFD9-FE71-4678-A595-4751F4224C5D} - C:\WINDOWS\AutoComplete.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: kikin Plugin - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Program Files\kikin\ie_kikin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [SYSTRAY_UPDATE] C:\WINDOWS\TEMP\systray.exe
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-20\..\Run: [sepopuzeti] Rundll32.exe "C:\WINDOWS\system32\nuhiteso.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Cyber-D's Autodelete.lnk = C:\Program Files\Cyber-D's AutoDelete\autodelete.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra button: FreshDownload - {CCDCA331-90B7-4A71-8C8D-E06D955FA854} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://cdnrep.reimage.com
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - http://cdnrep.reimage.com/reix1225.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234650182875
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7410 bytes


Anything I should do? Hmm.

shelf life
2009-07-11, 05:00
hi xdcmasterx,

We will use HJT, then boot into safe mode to delete a file.
To help show all files, you can do this first:

For XP: on the desktop, double-click My Computer; at the top click Tools > Folder Options > View, then select "Show hidden files and folders", UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click Apply to All Folders, then Apply, then OK.


Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,userinit.exe,C:\WINDOWS\system32\sdra64.exe,

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: (no name) - {8fd5d668-b7de-4982-b482-97810511c1a3} - (no file)

O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - (no file)

O4 - HKUS\S-1-5-20\..\Run: [sepopuzeti] Rundll32.exe "C:\WINDOWS\system32\nuhiteso.dll",s (User 'NETWORK SERVICE')
-------------------------------------------
Next, reboot your computer into safe mode. To reach safe mode, tap the F8 key during a computer restart and choose the first option from the list, Safe Mode. Once at the safe mode desktop, navigate to:
C:\WINDOWS\system32\
look for and delete:
sdra64.exe

reboot computer normally.

Did you install this:
C:\Program Files\kikin?

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply. Also rescan and post a new hjt log.
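An added example, not from this thread and not part of HijackThis, that scripts the first-pass triage the helper did by hand on the log above. The entry that matters most is the F2 line: Winlogon launches every comma-separated program named in the Userinit value after each logon, so an executable appended there keeps coming back after a cleanup that only touches Run keys, which is why the file itself is deleted from safe mode once HJT has removed the reference. The sample lines are copied from the posted log plus two benign control entries (the Java BHO and the avast! Run key); the severity labels and the service-account SID table are the example's own choices, not HJT output.

```python
"""First-pass triage of a HijackThis 2.0.2 log.

Added example for this thread; it is not part of HijackThis and not the
helper's own tooling.  Severity labels and the service-account SID table are
this example's own choices.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: entries copied from the log posted above, plus a benign
# Java BHO and the avast! Run entry as controls that must not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SYSTRAY_UPDATE] C:\WINDOWS\TEMP\systray.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKUS\S-1-5-20\..\Run: [sepopuzeti] Rundll32.exe "C:\WINDOWS\system32\nuhiteso.dll",s (User 'NETWORK SERVICE')
O15 - Trusted Zone: http://cdnrep.reimage.com
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

HJT_LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Per-user Run keys under a service-account SID are loaded whenever that
# account logs on; real software does not install itself there.
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
SID_RE = re.compile(r"HKUS\\(S-1-5-\d+)\\")
TEMP_DIR_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)
MISSING_MARKERS = ("(no file)", "(file missing)")

Finding = Dict[str, str]
Hit = Optional[Tuple[str, str]]  # (severity, reason) or None


def parse_hjt(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, raw) for each item line; the header block and the
    running-process list do not match the 'Xn - ' prefix and are skipped."""
    items = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_LINE_RE.match(raw)
        if m:
            items.append((m.group("section"), m.group("body"), raw))
    return items


def check_userinit(body: str) -> Hit:
    """F2 UserInit: Winlogon launches every comma-separated program listed in
    the Userinit value after logon, so anything beyond userinit.exe is an
    extra logon payload that Run-key cleanup alone will not remove."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("userinit.exe")]
    return ("HIGH", "UserInit also starts: " + ", ".join(extra)) if extra else None


def check_run_key(body: str) -> Hit:
    """O4 autostarts: service-account hives and temp-directory targets."""
    sid = SID_RE.search(body)
    if sid and sid.group(1) in SERVICE_SIDS:
        return "HIGH", "Run key under the %s account" % SERVICE_SIDS[sid.group(1)]
    if TEMP_DIR_RE.search(body):
        return "MEDIUM", "autostart target lives in a temp directory"
    return None


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for section, body, raw in parse_hjt(text):
        hit: Hit = None
        if section == "F2":
            hit = check_userinit(body)
        elif section == "O4":
            hit = check_run_key(body)
        elif section == "O15":
            hit = ("MEDIUM", "site added to the IE Trusted Zone, which relaxes script/ActiveX limits for it")
        elif any(marker in body for marker in MISSING_MARKERS):
            hit = ("LOW", "orphaned entry, target file is gone; remove for hygiene")
        if hit:
            findings.append({"severity": hit[0], "section": section, "reason": hit[1], "line": raw})
    return findings


if __name__ == "__main__":
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f["severity"]]):
        print("[%s] %s: %s\n    %s" % (f["severity"], f["section"], f["reason"], f["line"]))
```

Run it against a saved hijackthis.log by passing the file contents to `triage()`; the two HIGH findings on the sample are exactly the F2 and the NETWORK SERVICE Run entries the helper picked out, and the avast! and Java control lines produce nothing.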

xdcmasterx
2009-07-12, 03:24
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:04 PM, on 7/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: kikin Plugin - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Program Files\kikin\ie_kikin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Cyber-D's Autodelete.lnk = C:\Program Files\Cyber-D's AutoDelete\autodelete.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra button: FreshDownload - {CCDCA331-90B7-4A71-8C8D-E06D955FA854} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://cdnrep.reimage.com
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - http://cdnrep.reimage.com/reix1225.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234650182875
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6434 bytes
----------------------------------
I forgot to save the log =/ but I removed all the checked items in Malwarebytes, so I restarted the computer =[ Sorry about that, but I hope the HJT log is good enough.

shelf life
2009-07-12, 19:07
hi,

OK. The MBAM log can be retrieved if needed. The redirects are still happening, I assume? We will get another download to use; it's called ComboFix. There is a guide to read first before using it. Read through the guide, download it to your desktop, disable any AV etc. as explained in the guide, double-click the icon and follow the prompts. Post the ComboFix log in your reply.
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

xdcmasterx
2009-07-12, 21:27
Hello, I have checked the website but the download links do NOT work; the other two links are in Spanish, which I do not understand.

Also, not to argue, but I read on some other site that "combofix" is a virus or something. Should I really download it? And if so, I need a working link lol. Sorry.

shelf life
2009-07-13, 00:32
hi,

ComboFix is not a virus. Those 3 download links on the ComboFix guide page are good. Your web pages are being redirected. We will get another download.

I will send you a PM to a link to try and download combofix from there.

We will get another download to use also:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.rar

Extract the file to your desktop.
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
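An added example (not part of RootRepeal and not from this thread) for reading the report those steps produce. It parses the Drivers, SSDT and Stealth Objects sections, groups SSDT hooks by the module that installed them, and separates modules on an analyst-supplied allow-list from unknown ones; the allow-list here contains aswSP.SYS, assumed to be the avast! driver on this machine, and the report text is a constructed excerpt in RootRepeal's layout with illustrative names and addresses. Legitimate software, AV self-protection drivers in particular, also hooks the SSDT and IRP tables, so the output is a lead for the helper to check, not a verdict.

```python
"""Summarise a RootRepeal 1.3 report: which module hooks each SSDT entry, and
which drivers have IRP dispatch handlers redirected into hidden code.

Added example for this thread; it is not part of RootRepeal.  The allow-list
of hooking modules that belong to installed security software is an analyst
input (aswSP.SYS below is assumed to be avast!'s driver on this PC).
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed excerpt in RootRepeal's report layout; names, sizes and
# addresses are illustrative, not copied from a real scan.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
Drivers
-------------------
Name: spyk.sys
Image Path: spyk.sys
Address: 0xB7EA6000 Size: 1052672 File Visible: No Signed: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d8576

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spyk.sys" at address 0xb7ec5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spyk.sys" at address 0xb7ec6032

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89c42500 Size: 121

==EOF==
"""

SECTIONS = {"Drivers", "Files", "Processes", "SSDT", "Stealth Objects", "Hidden Services"}
DRIVER_RE = re.compile(r"^Name: (.+)$")
IMAGE_RE = re.compile(r"^Image Path: (.+)$")
SSDT_RE = re.compile(r"^#: \d+ Function Name: (\w+)$")
HOOK_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-f]+)$', re.IGNORECASE)
STEALTH_RE = re.compile(r"^Object: Hidden Code \[Driver: ([^,]+), (IRP_MJ_\w+)\]$")
# Hooking the enumeration/query calls is the classic way to hide registry keys
# from tools that walk the registry; on its own it is a lead, not proof.
REGISTRY_ENUM = {"NtEnumerateKey", "NtEnumerateValueKey", "NtQueryKey"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_rootrepeal(text: str):
    """Return (driver name -> image path, [(function, module, address)],
    driver -> [IRP major functions whose handler points at hidden code])."""
    drivers: Dict[str, str] = {}
    ssdt: List[Tuple[str, str, str]] = []
    stealth: Dict[str, List[str]] = defaultdict(list)
    section, pending = None, None  # pending = driver name / hooked function awaiting its detail line
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            section, pending = line, None
        elif section == "Drivers" and DRIVER_RE.match(line):
            pending = DRIVER_RE.match(line).group(1)
        elif section == "Drivers" and pending and IMAGE_RE.match(line):
            drivers[pending] = IMAGE_RE.match(line).group(1)
            pending = None
        elif section == "SSDT" and SSDT_RE.match(line):
            pending = SSDT_RE.match(line).group(1)
        elif section == "SSDT" and pending and HOOK_RE.match(line):
            m = HOOK_RE.match(line)
            ssdt.append((pending, m.group(1), m.group(2)))
            pending = None
        elif section == "Stealth Objects" and STEALTH_RE.match(line):
            m = STEALTH_RE.match(line)
            stealth[m.group(1)].append(m.group(2))
    return drivers, ssdt, dict(stealth)


def summarize(text: str, trusted: Set[str]):
    """Group SSDT hooks by hooking module; count patched IRP handlers per driver."""
    drivers, ssdt, stealth = parse_rootrepeal(text)
    by_module: Dict[str, List[str]] = defaultdict(list)
    for fn, module, _addr in ssdt:
        by_module[basename(module)].append(fn)
    hooks = {}
    for module, fns in by_module.items():
        hooks[module] = {
            "functions": fns,
            "trusted": module.lower() in trusted,
            "image_path": drivers.get(module),  # None when the module is not in the Drivers list
            "hooks_registry_enum": bool(REGISTRY_ENUM & set(fns)),
        }
    return hooks, {drv: len(irps) for drv, irps in stealth.items()}


if __name__ == "__main__":
    hooks, irps = summarize(SAMPLE_REPORT, {"aswsp.sys"})
    for module, info in hooks.items():
        tag = "trusted" if info["trusted"] else "UNKNOWN"
        print("%s [%s] image=%s hooks=%s" % (module, tag, info["image_path"], ",".join(info["functions"])))
    for drv, n in irps.items():
        print("%s: %d IRP_MJ_* handler(s) point at hidden code" % (drv, n))
```

Feed it a saved RootRepeal report and the allow-list for the machine's security software; a module that is both outside the allow-list and hooking the registry enumeration calls is the first thing to look up, while a hook from the installed AV is expected.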

xdcmasterx
2009-07-13, 02:20
OK ShelfLife, I'm really sorry for over-reacting in my other thread; it's just that I thought I was going to be removed and no one could help me. Guess I was wrong. Anyway, first the RootRepeal log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/07/12 19:18
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
Address: 0xB8348000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xB8118000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB14D1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB864E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xB8671000 Size: 1664 File Visible: No Signed: -
Status: -

Name: PCI_PNP1754
Image Path: \Driver\PCI_PNP1754
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xB85DC000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0084000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xB85AE000 Size: 5248 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spyk.sys
Image Path: spyk.sys
Address: 0xB7EA6000 Size: 1052672 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d8576

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d8432

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d8910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d800a

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spyk.sys" at address 0xb7ec5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spyk.sys" at address 0xb7ec6032

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d850c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d7f4a

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d7fae

#: 160 Function Name: NtQueryKey
Status: Hooked by "spyk.sys" at address 0xb7ec610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d862c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d85ec

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d876c

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x89de21f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89c42500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89c43500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89c43500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c43500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c43500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89c43500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c43500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89c43500 Size: 121

Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_CREATE]
Process: System Address: 0x89b401f8 Size: 121

Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_CLOSE]
Process: System Address: 0x89b401f8 Size: 121

Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b401f8 Size: 121

Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b401f8 Size: 121

Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_POWER]
Process: System Address: 0x89b401f8 Size: 121

Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b401f8 Size: 121

Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_PNP]
Process: System Address: 0x89b401f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x89de41f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x893361f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x893361f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x893361f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x893361f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x893361f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x893361f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89c4c468 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89c4c468 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c4c468 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c4c468 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89c4c468 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c4c468 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89c4c468 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x892fb1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_CREATE]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_CLOSE]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_READ]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_CLEANUP]
Process: System Address: 0x89b18500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_PNP]
Process: System Address: 0x89b18500 Size: 121

==EOF==


-----------------------------------------------------

Combo Fix Log :

ComboFix 09-07-12.03 - Owner 07/12/2009 19:07.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1626 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090712-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\recycler\S-1-5-21-1491950412-2009852829-4049741679-1003
c:\windows\desktop
c:\windows\desktop\fear-combat-free-multiplayer
c:\windows\Downloaded Program Files\PurpleBean.exe
c:\windows\f96ac0e5-19d2-42c5-8f68-eb7a99861769.ocx
c:\windows\Installer\25bec90.msi
c:\windows\Installer\7d955e.msi
c:\windows\system32\28463
c:\windows\system32\28463\TYVF.001
c:\windows\system32\28463\TYVF.002
c:\windows\system32\28463\YEGA.001
c:\windows\system32\28463\YEGA.002
c:\windows\system32\28463\YEGA.005
c:\windows\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
c:\windows\system32\arjuwshr.ini
c:\windows\system32\del.bat
c:\windows\system32\drivers\hjgruijbogomet.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\gtkimatj.ini
c:\windows\system32\hgmsrwxw.ini
c:\windows\system32\hjgruieskgehti.dll
c:\windows\system32\hjgruinsnbobho.dll
c:\windows\system32\hjgruitfvavlwq.dat
c:\windows\system32\hjgruiyjypwlfs.dat
c:\windows\system32\itefajav.ini
c:\windows\system32\mfvfknps.ini
c:\windows\system32\mmaojptu.ini
c:\windows\system32\oexgiqbt.ini
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\qsqlvbgj.ini
c:\windows\system32\qXGfPXbc.ini
c:\windows\system32\qXGfPXbc.ini2
c:\windows\system32\system.dll
c:\windows\system32\tatocali.ini
c:\windows\system32\uniq.tll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wdfyksuc.ini
c:\windows\system32\wpcap.dll
c:\windows\Tasks\mhjodutg.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruitvkayxwp
-------\Legacy_NPF
-------\Legacy_OREANS32
-------\Service_NPF
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-11 23:55 . 2009-07-11 23:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-11 23:55 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 23:55 . 2009-07-11 23:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 23:55 . 2009-07-11 23:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-11 23:55 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 01:20 . 2009-07-06 02:29 -------- d-----w- c:\program files\PCSX2 BETA
2009-07-03 21:35 . 2009-07-03 21:35 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-03 21:35 . 2009-07-03 21:39 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-03 21:30 . 2009-07-03 21:30 -------- d-----w- c:\program files\DVD Decrypter
2009-07-03 19:22 . 2009-07-03 19:22 -------- d-----w- c:\program files\GoldWave
2009-06-29 20:15 . 2009-06-29 20:15 12862 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe
2009-06-29 17:20 . 2009-06-29 17:20 -------- d-----w- c:\program files\Trend Micro
2009-06-29 16:02 . 2009-06-29 16:02 -------- d-----w- c:\program files\Driver-Soft
2009-06-29 15:09 . 2009-06-29 15:09 -------- dc----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2009-06-29 14:53 . 2009-06-29 14:53 -------- d-----w- c:\windows\system32\VIRepair
2009-06-29 14:34 . 2008-11-26 16:16 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-29 14:34 . 2008-11-26 16:16 50864 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-29 14:34 . 2008-11-26 16:15 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-29 14:34 . 2008-11-26 16:18 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-29 14:34 . 2008-11-26 16:18 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-29 14:34 . 2008-11-26 16:17 111184 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-29 14:34 . 2008-11-26 16:17 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-29 14:34 . 2008-11-26 16:15 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-29 14:34 . 2008-11-26 16:21 1236208 -c--a-w- c:\windows\system32\aswBoot.exe
2009-06-29 14:21 . 2009-06-29 14:21 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2009-06-28 14:43 . 2009-06-28 14:43 -------- dc----w- C:\Temp
2009-06-27 21:08 . 2009-06-27 21:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-06-27 20:37 . 2009-06-27 20:37 -------- d-----w- c:\program files\Valve
2009-06-27 19:34 . 2009-06-27 19:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Cyber-D's AutoDelete
2009-06-27 16:24 . 2009-07-03 21:52 -------- dc----w- C:\Fraps
2009-06-24 18:57 . 2009-06-24 18:57 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-06-24 18:57 . 2009-06-24 18:57 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-06-24 18:57 . 2009-06-24 18:57 -------- d-----w- c:\program files\OpenAL
2009-06-24 00:32 . 2008-12-20 18:02 20992 ----a-w- c:\windows\system32\psych.dll
2009-06-23 23:05 . 2009-06-23 23:05 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Fallout3
2009-06-23 23:03 . 2009-03-09 19:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-06-23 23:03 . 2009-03-09 19:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-06-23 23:03 . 2009-03-09 19:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-06-23 23:03 . 2009-03-16 18:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-06-23 23:03 . 2009-03-16 18:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-06-23 23:03 . 2009-03-16 18:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-06-23 23:03 . 2009-03-16 18:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-06-22 00:40 . 2009-06-22 00:40 -------- d-----w- c:\program files\Viewpoint
2009-06-21 03:51 . 2009-06-21 03:51 -------- d-----w- c:\program files\HyCam2
2009-06-20 20:19 . 2009-06-20 20:19 -------- d-----w- c:\program files\ViSplore
2009-06-20 20:19 . 2009-06-20 20:19 -------- d-----w- c:\program files\TrueTransparency
2009-06-20 20:19 . 2009-06-20 20:19 -------- d-----w- c:\program files\WinFlip
2009-06-20 20:19 . 2009-06-20 20:19 -------- d-----w- c:\program files\Vista Rainbar
2009-06-20 20:16 . 2009-03-23 21:39 20480 ----a-w- c:\windows\system32\scrnrdr.exe
2009-06-20 16:05 . 2009-06-20 16:05 -------- d-----w- c:\program files\LittleFighter2
2009-06-19 19:19 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 22:25 . 2009-04-20 21:40 -------- d-----w- c:\program files\Steam
2009-07-12 17:44 . 2009-03-22 20:56 -------- d-----w- c:\program files\Warcraft III
2009-07-10 21:27 . 2008-12-31 01:25 -------- d-----w- c:\program files\SpeedFan
2009-07-08 23:29 . 2008-12-31 01:44 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-07-03 21:52 . 2008-12-31 04:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 19:44 . 2004-08-04 12:00 2864 -c--a-w- c:\windows\system32\winsock.dll
2009-06-29 16:57 . 2009-01-01 00:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-29 00:19 . 2008-12-31 07:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-29 00:19 . 2009-02-16 03:24 -------- d-----w- c:\program files\ASUS
2009-06-29 00:19 . 2008-05-17 22:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 19:40 . 2009-04-17 14:28 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2009-06-27 19:36 . 2009-05-31 23:44 -------- d-----w- c:\program files\Cheat Engine
2009-06-24 23:49 . 2009-05-16 20:12 36104 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-06-24 23:49 . 2009-01-02 03:08 131072 -c--a-w- c:\windows\system32\SpoonUninstall.exe
2009-06-24 20:59 . 2009-01-03 23:48 -------- d--h--w- c:\documents and settings\Owner\Application Data\ijjigame
2009-06-24 20:55 . 2009-04-20 22:14 -------- dc----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-06-24 20:55 . 2009-06-24 20:55 -------- d-----w- c:\program files\NHN USA
2009-06-22 02:47 . 2009-03-29 23:59 1465520 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-22 02:08 . 2009-03-03 20:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-06-22 00:42 . 2009-01-02 23:48 -------- d-----w- c:\program files\AIM6
2009-06-22 00:40 . 2009-01-02 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-22 00:38 . 2009-06-22 00:38 -------- dc----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-20 02:12 . 2009-05-19 21:58 -------- d-----w- c:\documents and settings\Owner\Application Data\kikin
2009-06-20 02:05 . 2009-06-04 00:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-20 01:44 . 2009-05-19 21:58 -------- d-----w- c:\program files\kikin
2009-06-19 19:15 . 2009-04-02 00:45 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-19 01:14 . 2008-12-30 22:34 137888 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-19 01:14 . 2008-12-30 22:33 189288 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2009-02-09 18:18 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2008-12-30 19:22 457248 -c--a-w- c:\windows\system32\nvudisp.exe
2009-06-10 10:03 . 2008-07-09 11:02 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2008-07-09 11:02 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2008-07-09 11:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2008-07-09 11:02 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2008-07-09 11:02 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 10:03 . 2008-05-17 20:08 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-10 10:03 . 2008-05-17 20:06 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-06 21:58 . 2009-06-06 21:58 -------- d-----w- c:\program files\ImgBurn
2009-06-04 23:04 . 2009-06-04 00:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Symantec
2009-06-04 20:39 . 2008-12-30 19:21 457248 -c--a-w- c:\windows\system32\NVUNINST.EXE
2009-06-03 21:48 . 2009-06-24 20:55 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-06-02 22:02 . 2009-02-15 00:37 5085184 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-05-31 19:44 . 2009-05-31 19:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Crayon Physics Deluxe
2009-05-31 18:53 . 2009-03-28 19:06 -------- dc----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-05-31 18:53 . 2008-12-31 01:43 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-05-30 23:12 . 2009-05-30 23:12 196608 ----a-w- c:\windows\system32\XPva00.dll
2009-05-27 22:08 . 2009-06-24 20:55 591320 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\ExLauncher.exe
2009-05-27 00:10 . 2009-05-27 00:10 -------- d-----w- c:\program files\Alwil Software
2009-05-26 21:31 . 2009-06-24 20:55 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-26 01:19 . 2009-05-26 01:19 -------- d-----w- c:\program files\Microsoft
2009-05-26 01:19 . 2009-05-26 01:18 -------- d-----w- c:\program files\Windows Live
2009-05-26 01:18 . 2009-05-26 01:18 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-26 01:14 . 2009-05-26 01:14 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-25 16:24 . 2009-01-11 21:45 33824 -c--a-w- c:\windows\system32\drivers\oreans32.sys
2009-05-25 16:21 . 2008-12-30 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-21 18:01 . 2009-02-15 00:37 17881600 ----a-w- c:\windows\RTHDCPL.EXE
2009-05-19 18:51 . 2009-04-02 00:45 -------- dc----w- c:\documents and settings\All Users\Application Data\Norton
2009-05-19 05:36 . 2009-06-22 00:38 97072 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-22 00:38 2884832 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-22 00:38 28 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-22 00:38 25 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-22 00:38 1484856 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-22 00:38 142040 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-22 00:38 30512 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-22 00:38 111920 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-14 21:04 . 2008-05-17 22:16 -------- d-----w- c:\program files\Real Alternative
2009-05-14 21:04 . 2009-03-02 00:52 -------- d-----w- c:\program files\QuickTime
2009-05-14 19:21 . 2009-02-15 00:37 36864 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2009-05-13 00:48 . 2009-06-24 20:55 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-09 05:14 . 2009-03-28 19:18 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-09 05:14 . 2009-03-28 19:18 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 22:10 . 2009-05-05 22:09 34 -c--a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-05-05 22:06 . 2009-05-05 22:06 0 -c--a-w- c:\windows\popcreg.dat
2009-05-05 21:30 . 2009-05-05 21:06 25 -c--a-w- c:\windows\popcinfot.dat
2009-05-02 15:06 . 2009-04-24 00:23 1090560 -c--a-w- c:\documents and settings\Owner\Desktopkernel32.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-04-28 19:09 . 2009-03-22 22:49 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-04-22 21:33 . 2009-04-22 21:33 155648 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\XSystem.dll
2009-04-22 21:33 . 2009-04-22 21:33 77824 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\XStream.dll
2009-04-22 21:33 . 2009-04-22 21:33 53248 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\XPlatform.dll
2009-04-22 21:33 . 2009-04-22 21:33 229376 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\XInNetwork.dll
2009-04-22 21:33 . 2009-04-22 21:33 577536 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\PiXel.dll
2009-04-22 21:33 . 2009-04-22 21:33 475136 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\NeoBit.dll
2009-04-20 22:17 . 2009-01-03 23:49 383645136 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\U_GBOUND_setup.exe
2009-04-20 22:15 . 2009-04-20 22:17 480688 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\ijjistarter2FxB.exe
2009-04-20 22:14 . 2009-04-20 22:14 52105 -c--a-w- c:\documents and settings\All Users\Application Data\IJJIGame\uninst.exe
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 21:23 . 2009-02-15 00:37 540672 ----a-w- c:\windows\RtlExUpd.dll
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-04-14 09:42 . 2009-04-10 23:29 1695232 -csha-w- c:\windows\FlyakiteOSX\Backup\msmsgs.exe
2008-04-14 09:42 . 2008-04-14 09:42 1695232 -csha-w- c:\windows\ServicePackFiles\i386\msmsgs.exe
.

------- Sigcheck -------

[-] 2008-04-14 09:42 998912 D89B25A01991B8EEE6D62A158692952E c:\windows\explorer.exe
[7] 2004-08-04 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 09:42 998912 D89B25A01991B8EEE6D62A158692952E c:\windows\FlyakiteOSX\Backup\explorer.exe
[-] 2008-04-14 09:42 998912 D89B25A01991B8EEE6D62A158692952E c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe


[7] 2004-08-04 12:00 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2008-04-14 09:41 657408 257359B2FA0E544FD750951DBBADCB31 c:\windows\FlyakiteOSX\Backup\comctl32.dll
[-] 2008-04-14 09:41 657408 257359B2FA0E544FD750951DBBADCB31 c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2005-08-31 22:49 925184 A93B7C3B08B9AC15B4DCDC96A50E4C2C c:\windows\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\sp1qfe\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2006-03-17 05:04 925184 551E967F1E08EE6E205FCB5ADCB0DFC5 c:\windows\SoftwareDistribution\Download\cb2769f3b1daf367a31ed046299a3790\sp1qfe\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2006-08-25 15:53 925184 11B508E0D26622D2BD25B60033245F6A c:\windows\SoftwareDistribution\Download\e533f2b7494d7e198f7fd652beea5687\sp1qfe\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\windows\SoftwareDistribution\Download\e533f2b7494d7e198f7fd652beea5687\sp2qfe\comctl32.dll
[-] 2006-08-25 15:45 1054208 C4E80875C1CF1222FC5EFD0314AE5C01 c:\windows\SoftwareDistribution\Download\e533f2b7494d7e198f7fd652beea5687\sp2qfe\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2008-04-14 09:41 657408 257359B2FA0E544FD750951DBBADCB31 c:\windows\system32\comctl32.dll
[7] 2004-08-04 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2004-08-04 12:00 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[7] 2008-04-14 09:42 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E601996F-E400-41CA-804B-CD6373A7EEE2}]
2009-06-09 15:23 429296 ----a-w- c:\program files\kikin\ie_kikin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2007-11-17 91432]
"System Files Updater"="c:\windows\FlyakiteOSX\Tools\System Files Updater.exe" [2006-02-25 118485]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-02-10 18:54 210224 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Super Turbo Tango Patcher Reloader.lnk]
backup=c:\windows\pss\Super Turbo Tango Patcher Reloader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WeGame.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WeGame.lnk
backup=c:\windows\pss\WeGame.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VisualTooltip

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"szserver"=2 (0x2)
"npggsvc"=3 (0x3)
"xmlprov"=3 (0x3)
"WudfSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"VSS"=3 (0x3)
"usprserv"=3 (0x3)
"UPS"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"rpcapd"=3 (0x3)
"RichVideo"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"BITS"=3 (0x3)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\source sdk base\\hl2.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\dark messiah might and magic multi-player\\runme.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59133:TCP"= 59133:TCP:Pando Media Booster
"59133:UDP"= 59133:UDP:Pando Media Booster
"58050:TCP"= 58050:TCP:Pando Media Booster
"58050:UDP"= 58050:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/8/2009 1:34 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/29/2009 10:34 AM 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/29/2009 10:34 AM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/21/2009 8:40 PM 24652]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [12/31/2008 3:09 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/14/2009 8:37 PM 1684736]
S3 cpuz128;cpuz128;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva259;XDva259;\??\c:\windows\system32\XDva259.sys --> c:\windows\system32\XDva259.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
MSConfigStartUp-Comrade - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {{CCDCA331-90B7-4A71-8C8D-E06D955FA854} - c:\program files\FreshDevices\FreshDownload\fd.exe
IE: {{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} - c:\program files\kikin\ie_kikin.dll
Trusted Zone: reimage.com\cdnrep
DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1225.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 19:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system.ini 227 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1409082233-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0a,64,68,e4,ec,47,cc,1e,3c,65,33,c6,52,30,a9,09,89,6e,bc,23,bf,df,a2,
d7,99,ce,27,07,56,d9,8c,6b,5a,5d,8d,b6,48,04,b4,0b,76,58,b2,96,c0,87,a3,a8,\
"??"=hex:6f,ac,06,37,9a,7b,ec,c8,58,2f,41,b9,fb,27,f6,01

[HKEY_USERS\S-1-5-21-448539723-1409082233-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:4c,e6,3c,2d,d7,4f,73,02,ed,cd,73,74,3f,cf,2c,23,b8,30,84,7d,d7,
7a,bd,62,f2,c6,94,d3,5a,8f,c8,c7,55,46,c1,2c,81,95,82,0a,4a,73,52,d1,18,0b,\
"rkeysecu"=hex:24,6e,be,34,d3,65,0f,de,3b,3a,ab,fa,5a,c2,a3,a2
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-07-12 19:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-12 23:18

Pre-Run: 19,664,949,248 bytes free
Post-Run: 19,783,606,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

420 --- E O F --- 2009-07-05 04:13

shelf life
2009-07-13, 04:11
hi,

ok thanks for the info. looks like combofix removed some goodies.
Do you have CPUZ.exe installed? (cpuid.com) I believe it creates a temp which would account for:
Temp\cpuz_x32.sys

do you know what this is:
c:\program files\kikin

See if you can locate this file in the System32 directory:
XDva259.sys (c:\windows\system32\XDva259.sys)
Go here (http://www.virustotal.com/) browse for the file and upload it using the send button. once the scan is finished you can copy paste the http://www... in your reply


Check malwarebytes for updates, do a full scan and post the log from it.

RE: your BitTorrent client: there is plenty of malware distributed via p2p networks that one can download and install.

xdcmasterx
2009-07-13, 06:15
Sorry shelf, could not find the file in system32. Looked for it for 15 minutes, even had the local disk do a search, no go. Also I had no idea KIKIN was on my computer, so I searched on YouTube and it turns out it looks like a safe program. Should I remove it or no?

Also here is the log for MBAM :

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/12/2009 11:00:55 PM
mbam-log-2009-07-12 (23-00-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167777
Time elapsed: 41 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{5c79ba15-74ac-4382-8aa0-d55dd0947847}\rp177\A0093593.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{5c79ba15-74ac-4382-8aa0-d55dd0947847}\RP177\A0093594.dll (Trojan.TDSS) -> Delete on reboot.
c:\system volume information\_restore{5c79ba15-74ac-4382-8aa0-d55dd0947847}\RP177\A0093595.dll (Trojan.TDSS) -> Delete on reboot.
c:\Qoobox\quarantine\C\WINDOWS\system32\hjgruieskgehti.dll.vir (Trojan.TDSS) -> Delete on reboot.
c:\Qoobox\quarantine\C\WINDOWS\system32\hjgruinsnbobho.dll.vir (Trojan.TDSS) -> Delete on reboot.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\hjgruijbogomet.sys.vir (Trojan.TDSS) -> Delete on reboot.
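
Triage of the MBAM log posted above, as an added example (not part of the thread and not Malwarebytes' code). It parses the MBAM 1.x text log format, cross-checks the summary counts against the items actually listed, and classifies each hit by where it sits: inside a System Restore point (System Volume Information\_restore...), inside ComboFix's Qoobox quarantine (files already pulled out of their original locations and renamed .vir), or somewhere live on the disk. The embedded log is a constructed, trimmed copy of the one above; its third entry, drivers\example.sys, is an invented live detection added only to exercise the "live" branch.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage its detections.

Added example, not from the forum thread and not Malwarebytes' own code.
The location classification (restore point / ComboFix quarantine / live)
is this example's own logic, not something MBAM reports.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the MBAM 1.38 log above; example.sys is
# an invented live hit so every location class appears once.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 167777
Time elapsed: 41 minute(s), 57 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{5c79ba15-74ac-4382-8aa0-d55dd0947847}\rp177\A0093593.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\hjgruieskgehti.dll.vir (Trojan.TDSS) -> Delete on reboot.
c:\windows\system32\drivers\example.sys (Trojan.TDSS) -> Delete on reboot.
"""

# "Files Infected: 6" (summary line, with count) vs "Files Infected:" (section header).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# "<path> (<detection name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    path: str
    name: str
    action: str

    @property
    def location(self) -> str:
        """Where the hit lives: a restore point, ComboFix's quarantine, or live."""
        p = self.path.lower()
        if r"\system volume information\_restore" in p:
            return "restore-point"
        if r"\qoobox\quarantine\\"[:-1] in p:  # literal \qoobox\quarantine\
            return "combofix-quarantine"
        return "live"


def parse_mbam_log(text):
    """Return (header fields, summary counts, list of Detection)."""
    header, summary, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("section")] = int(m.group("count"))
                section = None  # still in the summary block
            else:
                section = m.group("section")  # start of an item list
            continue
        if section is None:
            if ":" in line:  # e.g. "Database version: 2411"
                key, _, value = line.partition(":")
                header[key.strip()] = value.strip()
            continue
        if line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("path"),
                                        m.group("name"), m.group("action")))
    return header, summary, detections


def triage(text):
    """Cross-check summary counts and bucket hits by location and pending action."""
    _, summary, detections = parse_mbam_log(text)
    counts = {}
    for d in detections:
        counts[d.section] = counts.get(d.section, 0) + 1
    sections = set(summary) | set(counts)
    # A mismatch means the log is truncated or was edited before posting.
    mismatch = {s: (summary.get(s, 0), counts.get(s, 0))
                for s in sections if summary.get(s, 0) != counts.get(s, 0)}
    by_location = {}
    for d in detections:
        by_location.setdefault(d.location, []).append(d.path)
    pending = [d.path for d in detections
               if d.action.lower().startswith("delete on reboot")]
    return {"summary_mismatch": mismatch, "by_location": by_location,
            "needs_reboot": pending}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Hits confined to restore points and to Qoobox are remnants of files that have already been removed from their original locations; a hit under a live path is what still needs attention, and anything marked "Delete on reboot" is not gone until the machine has actually been restarted.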

xdcmasterx
2009-07-13, 22:32
Hey shelf life, I did one final scan with MBAM and no viruses or anything were detected. That means I'm safe, right? Also, thanks for all your help and your patience with helping me, lol. The best of all is this support is free; I hope to donate when I am older (I'm 10), lol. OK, well, thanks a lot.

shelf life
2009-07-14, 01:04
hi,

OK, you're welcome. Always check MBAM for updates before doing a scan.


so I searched on YouTube and it turns out it looks like a safe program
You searched YouTube to see if a file was safe??
Why don't you upload it to VirusTotal to see if it's malware? Link below.
After that we can make a new clean restore point. You can delete the RootRepeal icon from your desktop.


that means I'm safe, right
For now, yes. I will post some "safe hex" tips later. Since you had a rootkit/trojan on board, it would be a good idea to change all the passwords you used on the machine.