shelf life
2009-07-11, 05:00
hi xdcmasterx,
We will use HJT, then boot into Safe Mode to delete a file.
To help show all files you can do this first:
For XP: on the desktop, double-click My Computer; at the top click Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click Apply to All Folders, then Apply, then OK.
Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {8fd5d668-b7de-4982-b482-97810511c1a3} - (no file)
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - (no file)
O4 - HKUS\S-1-5-20\..\Run: [sepopuzeti] Rundll32.exe "C:\WINDOWS\system32\nuhiteso.dll",s (User 'NETWORK SERVICE')
-------------------------------------------
Next, reboot your computer into Safe Mode. To reach Safe Mode, tap the F8 key during a computer restart and choose the first option from the list, Safe Mode. Once at the Safe Mode desktop, navigate to:
C:\WINDOWS\system32\
Look for and delete:
sdra64.exe
Reboot the computer normally.
Did you install this:
C:\Program Files\kikin?
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:
http://www.malwarebytes.org/mbam.php
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click **Remove Selected.**
**A restart of your computer most likely will be required to remove some items.**
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply. Also rescan and post a new HJT log.
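As an added example (not code from the thread, from HijackThis or from the helper), the following Python script applies the three indicator checks behind the fix list above to raw HJT lines: a UserInit value that loads anything besides userinit.exe, "(no file)" registrations, and O4 autoruns that run under a service account or load a DLL via Rundll32. The sample log is constructed from the lines quoted in the post plus two benign lines for contrast.

```python
"""Triage HijackThis (HJT) log lines for the indicator classes seen in this thread.

Added example, not part of the thread or of HijackThis.  Three checks:

  * F2 UserInit  -- Winlogon's UserInit value should reference only
                    userinit.exe; any extra executable appended to it runs
                    at every logon and is flagged (and reported as a
                    deletion target for the Safe Mode step).
  * "(no file)"  -- R3/O2/O3 entries whose target no longer exists are
                    orphaned registrations; flagged as safe to fix.
  * O4 Run       -- autoruns registered for a service account, or that use
                    Rundll32 to load a DLL by path, are flagged.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HJT lines from the post, plus a clean UserInit value
# and an ordinary vendor autorun that must NOT be flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\userinit.exe,userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)
O4 - HKUS\S-1-5-20\..\Run: [sepopuzeti] Rundll32.exe "C:\WINDOWS\system32\nuhiteso.dll",s (User 'NETWORK SERVICE')
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

SERVICE_ACCOUNTS = ("NETWORK SERVICE", "LOCAL SERVICE", "SYSTEM")


@dataclass
class Finding:
    line: str
    reason: str


def userinit_extras(line: str) -> List[str]:
    """Entries in an F2 UserInit chain that are not userinit.exe itself."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("userinit.exe")]


def check_userinit(line: str) -> Optional[str]:
    extras = userinit_extras(line)
    if extras:
        return "UserInit loads extra executable(s) at logon (delete in Safe Mode): " + ", ".join(extras)
    return None


def check_no_file(line: str) -> Optional[str]:
    # HJT appends "(no file)" when the registered target is missing on disk.
    if line.endswith("(no file)"):
        return "registration points to a file that no longer exists (orphaned; safe to fix)"
    return None


def check_o4(line: str) -> Optional[str]:
    if not line.startswith("O4 - "):
        return None
    reasons = []
    user = re.search(r"\(User '([^']+)'\)", line)
    if user and user.group(1).upper() in SERVICE_ACCOUNTS:
        reasons.append("autorun registered for service account " + user.group(1))
    if re.search(r'rundll32(\.exe)?\s+"?[^"]*\.dll"?', line, re.IGNORECASE):
        reasons.append("Rundll32 loads a DLL by path at startup")
    return "; ".join(reasons) or None


def triage(log_text: str) -> List[Finding]:
    """Run every check over each non-empty HJT line and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in (check_userinit, check_no_file, check_o4):
            reason = check(line)
            if reason:
                findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line[:60]:<60} -> {f.reason}")
```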
xdcmasterx
2009-07-13, 02:20
Ok ShelfLife, I'm really sorry for over-reacting in my other thread; it's just that I thought I was gonna be removed and no one can help me. Guess I was wrong anyway. First, the RootRepeal log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/07/12 19:18
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
Address: 0xB8348000 Size: 31744 File Visible: No Signed: -
Status: -
Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xB8118000 Size: 60416 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB14D1000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB864E000 Size: 8192 File Visible: No Signed: -
Status: -
Name: giveio.sys
Image Path: giveio.sys
Address: 0xB8671000 Size: 1664 File Visible: No Signed: -
Status: -
Name: PCI_PNP1754
Image Path: \Driver\PCI_PNP1754
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xB85DC000 Size: 6464 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0084000 Size: 49152 File Visible: No Signed: -
Status: -
Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xB85AE000 Size: 5248 File Visible: No Signed: -
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: spyk.sys
Image Path: spyk.sys
Address: 0xB7EA6000 Size: 1052672 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d8576
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d8432
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d8910
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d800a
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spyk.sys" at address 0xb7ec5ca4
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spyk.sys" at address 0xb7ec6032
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d850c
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d7f4a
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d7fae
#: 160 Function Name: NtQueryKey
Status: Hooked by "spyk.sys" at address 0xb7ec610a
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d862c
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d85ec
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb21d876c
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x89de21f8 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89c42500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89c43500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89c43500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c43500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c43500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89c43500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c43500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89c43500 Size: 121
Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_CREATE]
Process: System Address: 0x89b401f8 Size: 121
Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_CLOSE]
Process: System Address: 0x89b401f8 Size: 121
Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b401f8 Size: 121
Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b401f8 Size: 121
Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_POWER]
Process: System Address: 0x89b401f8 Size: 121
Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b401f8 Size: 121
Object: Hidden Code [Driver: a6bf3rweࠅఅ瑎獆ႈހ䋘, IRP_MJ_PNP]
Process: System Address: 0x89b401f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x89de41f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x893361f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x893361f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x893361f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x893361f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x893361f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x893361f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89c4c468 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89c4c468 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c4c468 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c4c468 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89c4c468 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c4c468 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89c4c468 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x892fb1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_CREATE]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_CLOSE]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_READ]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_CLEANUP]
Process: System Address: 0x89b18500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః杇獬à, IRP_MJ_PNP]
Process: System Address: 0x89b18500 Size: 121
==EOF==
-----------------------------------------------------
ComboFix log:
ComboFix 09-07-12.03 - Owner 07/12/2009 19:07.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1626 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090712-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\recycler\S-1-5-21-1491950412-2009852829-4049741679-1003
c:\windows\desktop
c:\windows\desktop\fear-combat-free-multiplayer
c:\windows\Downloaded Program Files\PurpleBean.exe
c:\windows\f96ac0e5-19d2-42c5-8f68-eb7a99861769.ocx
c:\windows\Installer\25bec90.msi
c:\windows\Installer\7d955e.msi
c:\windows\system32\28463
c:\windows\system32\28463\TYVF.001
c:\windows\system32\28463\TYVF.002
c:\windows\system32\28463\YEGA.001
c:\windows\system32\28463\YEGA.002
c:\windows\system32\28463\YEGA.005
c:\windows\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
c:\windows\system32\arjuwshr.ini
c:\windows\system32\del.bat
c:\windows\system32\drivers\hjgruijbogomet.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\gtkimatj.ini
c:\windows\system32\hgmsrwxw.ini
c:\windows\system32\hjgruieskgehti.dll
c:\windows\system32\hjgruinsnbobho.dll
c:\windows\system32\hjgruitfvavlwq.dat
c:\windows\system32\hjgruiyjypwlfs.dat
c:\windows\system32\itefajav.ini
c:\windows\system32\mfvfknps.ini
c:\windows\system32\mmaojptu.ini
c:\windows\system32\oexgiqbt.ini
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\qsqlvbgj.ini
c:\windows\system32\qXGfPXbc.ini
c:\windows\system32\qXGfPXbc.ini2
c:\windows\system32\system.dll
c:\windows\system32\tatocali.ini
c:\windows\system32\uniq.tll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wdfyksuc.ini
c:\windows\system32\wpcap.dll
c:\windows\Tasks\mhjodutg.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruitvkayxwp
-------\Legacy_NPF
-------\Legacy_OREANS32
-------\Service_NPF
-------\Service_oreans32
((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.
2009-07-11 23:55 . 2009-07-11 23:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-11 23:55 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 23:55 . 2009-07-11 23:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 23:55 . 2009-07-11 23:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-11 23:55 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 01:20 . 2009-07-06 02:29 -------- d-----w- c:\program files\PCSX2 BETA
2009-07-03 21:35 . 2009-07-03 21:35 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-03 21:35 . 2009-07-03 21:39 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-03 21:30 . 2009-07-03 21:30 -------- d-----w- c:\program files\DVD Decrypter
2009-07-03 19:22 . 2009-07-03 19:22 -------- d-----w- c:\program files\GoldWave
2009-06-29 20:15 . 2009-06-29 20:15 12862 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe
2009-06-29 17:20 . 2009-06-29 17:20 -------- d-----w- c:\program files\Trend Micro
2009-06-29 16:02 . 2009-06-29 16:02 -------- d-----w- c:\program files\Driver-Soft
2009-06-29 15:09 . 2009-06-29 15:09 -------- dc----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2009-06-29 14:53 . 2009-06-29 14:53 -------- d-----w- c:\windows\system32\VIRepair
2009-06-29 14:34 . 2008-11-26 16:16 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-29 14:34 . 2008-11-26 16:16 50864 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-29 14:34 . 2008-11-26 16:15 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-29 14:34 . 2008-11-26 16:18 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-29 14:34 . 2008-11-26 16:18 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-29 14:34 . 2008-11-26 16:17 111184 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-29 14:34 . 2008-11-26 16:17 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-29 14:34 . 2008-11-26 16:15 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-29 14:34 . 2008-11-26 16:21 1236208 -c--a-w- c:\windows\system32\aswBoot.exe
2009-06-29 14:21 . 2009-06-29 14:21 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2009-06-28 14:43 . 2009-06-28 14:43 -------- dc----w- C:\Temp
2009-06-27 21:08 . 2009-06-27 21:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-06-27 20:37 . 2009-06-27 20:37 -------- d-----w- c:\program files\Valve
2009-06-27 19:34 . 2009-06-27 19:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Cyber-D's AutoDelete
2009-06-27 16:24 . 2009-07-03 21:52 -------- dc----w- C:\Fraps
2009-06-24 18:57 . 2009-06-24 18:57 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-06-24 18:57 . 2009-06-24 18:57 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-06-24 18:57 . 2009-06-24 18:57 -------- d-----w- c:\program files\OpenAL
2009-06-24 00:32 . 2008-12-20 18:02 20992 ----a-w- c:\windows\system32\psych.dll
2009-06-23 23:05 . 2009-06-23 23:05 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Fallout3
2009-06-23 23:03 . 2009-03-09 19:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-06-23 23:03 . 2009-03-09 19:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-06-23 23:03 . 2009-03-09 19:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-06-23 23:03 . 2009-03-16 18:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-06-23 23:03 . 2009-03-16 18:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-06-23 23:03 . 2009-03-16 18:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-06-23 23:03 . 2009-03-16 18:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-06-22 00:40 . 2009-06-22 00:40 -------- d-----w- c:\program files\Viewpoint
2009-06-21 03:51 . 2009-06-21 03:51 -------- d-----w- c:\program files\HyCam2
2009-06-20 20:19 . 2009-06-20 20:19 -------- d-----w- c:\program files\ViSplore
2009-06-20 20:19 . 2009-06-20 20:19 -------- d-----w- c:\program files\TrueTransparency
2009-06-20 20:19 . 2009-06-20 20:19 -------- d-----w- c:\program files\WinFlip
2009-06-20 20:19 . 2009-06-20 20:19 -------- d-----w- c:\program files\Vista Rainbar
2009-06-20 20:16 . 2009-03-23 21:39 20480 ----a-w- c:\windows\system32\scrnrdr.exe
2009-06-20 16:05 . 2009-06-20 16:05 -------- d-----w- c:\program files\LittleFighter2
2009-06-19 19:19 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 22:25 . 2009-04-20 21:40 -------- d-----w- c:\program files\Steam
2009-07-12 17:44 . 2009-03-22 20:56 -------- d-----w- c:\program files\Warcraft III
2009-07-10 21:27 . 2008-12-31 01:25 -------- d-----w- c:\program files\SpeedFan
2009-07-08 23:29 . 2008-12-31 01:44 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-07-03 21:52 . 2008-12-31 04:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 19:44 . 2004-08-04 12:00 2864 -c--a-w- c:\windows\system32\winsock.dll
2009-06-29 16:57 . 2009-01-01 00:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-29 00:19 . 2008-12-31 07:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-29 00:19 . 2009-02-16 03:24 -------- d-----w- c:\program files\ASUS
2009-06-29 00:19 . 2008-05-17 22:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-27 19:40 . 2009-04-17 14:28 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2009-06-27 19:36 . 2009-05-31 23:44 -------- d-----w- c:\program files\Cheat Engine
2009-06-24 23:49 . 2009-05-16 20:12 36104 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-06-24 23:49 . 2009-01-02 03:08 131072 -c--a-w- c:\windows\system32\SpoonUninstall.exe
2009-06-24 20:59 . 2009-01-03 23:48 -------- d--h--w- c:\documents and settings\Owner\Application Data\ijjigame
2009-06-24 20:55 . 2009-04-20 22:14 -------- dc----w- c:\documents and settings\All Users\Application Data\IJJIGame
2009-06-24 20:55 . 2009-06-24 20:55 -------- d-----w- c:\program files\NHN USA
2009-06-22 02:47 . 2009-03-29 23:59 1465520 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-22 02:08 . 2009-03-03 20:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-06-22 00:42 . 2009-01-02 23:48 -------- d-----w- c:\program files\AIM6
2009-06-22 00:40 . 2009-01-02 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-22 00:38 . 2009-06-22 00:38 -------- dc----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-20 02:12 . 2009-05-19 21:58 -------- d-----w- c:\documents and settings\Owner\Application Data\kikin
2009-06-20 02:05 . 2009-06-04 00:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-20 01:44 . 2009-05-19 21:58 -------- d-----w- c:\program files\kikin
2009-06-19 19:15 . 2009-04-02 00:45 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-19 01:14 . 2008-12-30 22:34 137888 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-19 01:14 . 2008-12-30 22:33 189288 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-06-10 12:28 . 2009-06-10 12:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 12:28 . 2009-06-10 12:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 12:28 . 2009-06-10 12:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 12:28 . 2009-06-10 12:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 12:28 . 2009-06-10 12:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 12:28 . 2009-06-10 12:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 12:28 . 2009-06-10 12:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 10:03 . 2009-06-10 10:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 10:03 . 2009-06-10 10:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 10:03 . 2009-02-09 18:18 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 10:03 . 2008-12-30 19:22 457248 -c--a-w- c:\windows\system32\nvudisp.exe
2009-06-10 10:03 . 2008-07-09 11:02 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 10:03 . 2008-07-09 11:02 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 10:03 . 2008-07-09 11:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 10:03 . 2008-07-09 11:02 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 10:03 . 2008-07-09 11:02 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 10:03 . 2008-05-17 20:08 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-10 10:03 . 2008-05-17 20:06 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-06 21:58 . 2009-06-06 21:58 -------- d-----w- c:\program files\ImgBurn
2009-06-04 23:04 . 2009-06-04 00:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Symantec
2009-06-04 20:39 . 2008-12-30 19:21 457248 -c--a-w- c:\windows\system32\NVUNINST.EXE
2009-06-03 21:48 . 2009-06-24 20:55 779720 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\PurpleBean.exe
2009-06-02 22:02 . 2009-02-15 00:37 5085184 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-05-31 19:44 . 2009-05-31 19:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Crayon Physics Deluxe
2009-05-31 18:53 . 2009-03-28 19:06 -------- dc----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-05-31 18:53 . 2008-12-31 01:43 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-05-30 23:12 . 2009-05-30 23:12 196608 ----a-w- c:\windows\system32\XPva00.dll
2009-05-27 22:08 . 2009-06-24 20:55 591320 ----a-w- c:\documents and settings\All Users\Application Data\IJJIGame\ExLauncher.exe
2009-05-27 00:10 . 2009-05-27 00:10 -------- d-----w- c:\program files\Alwil Software
2009-05-26 21:31 . 2009-06-24 20:55 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-26 01:19 . 2009-05-26 01:19 -------- d-----w- c:\program files\Microsoft
2009-05-26 01:19 . 2009-05-26 01:18 -------- d-----w- c:\program files\Windows Live
2009-05-26 01:18 . 2009-05-26 01:18 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-26 01:14 . 2009-05-26 01:14 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-25 16:24 . 2009-01-11 21:45 33824 -c--a-w- c:\windows\system32\drivers\oreans32.sys
2009-05-25 16:21 . 2008-12-30 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-21 18:01 . 2009-02-15 00:37 17881600 ----a-w- c:\windows\RTHDCPL.EXE
2009-05-19 18:51 . 2009-04-02 00:45 -------- dc----w- c:\documents and settings\All Users\Application Data\Norton
2009-05-19 05:36 . 2009-06-22 00:38 97072 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-06-22 00:38 2884832 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-06-22 00:38 28 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-06-22 00:38 25 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-06-22 00:38 1484856 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-06-22 00:38 142040 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-06-22 00:38 30512 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-06-22 00:38 111920 -c--a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-14 21:04 . 2008-05-17 22:16 -------- d-----w- c:\program files\Real Alternative
2009-05-14 21:04 . 2009-03-02 00:52 -------- d-----w- c:\program files\QuickTime
2009-05-14 19:21 . 2009-02-15 00:37 36864 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2009-05-13 00:48 . 2009-06-24 20:55 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-09 05:14 . 2009-03-28 19:18 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-09 05:14 . 2009-03-28 19:18 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 22:10 . 2009-05-05 22:09 34 -c--a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-05-05 22:06 . 2009-05-05 22:06 0 -c--a-w- c:\windows\popcreg.dat
2009-05-05 21:30 . 2009-05-05 21:06 25 -c--a-w- c:\windows\popcinfot.dat
2009-05-02 15:06 . 2009-04-24 00:23 1090560 -c--a-w- c:\documents and settings\Owner\Desktopkernel32.dll
2009-04-29 04:56 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 12:00 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-04-28 19:09 . 2009-03-22 22:49 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-04-22 21:33 . 2009-04-22 21:33 155648 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\XSystem.dll
2009-04-22 21:33 . 2009-04-22 21:33 77824 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\XStream.dll
2009-04-22 21:33 . 2009-04-22 21:33 53248 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\XPlatform.dll
2009-04-22 21:33 . 2009-04-22 21:33 229376 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\XInNetwork.dll
2009-04-22 21:33 . 2009-04-22 21:33 577536 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\PiXel.dll
2009-04-22 21:33 . 2009-04-22 21:33 475136 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\Lib\NeoBit.dll
2009-04-20 22:17 . 2009-01-03 23:49 383645136 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\U_GBOUND_setup.exe
2009-04-20 22:15 . 2009-04-20 22:17 480688 -c--a-w- c:\documents and settings\Owner\Application Data\ijjigame\ijjistarter2FxB.exe
2009-04-20 22:14 . 2009-04-20 22:14 52105 -c--a-w- c:\documents and settings\All Users\Application Data\IJJIGame\uninst.exe
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 21:23 . 2009-02-15 00:37 540672 ----a-w- c:\windows\RtlExUpd.dll
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-04-14 09:42 . 2009-04-10 23:29 1695232 -csha-w- c:\windows\FlyakiteOSX\Backup\msmsgs.exe
2008-04-14 09:42 . 2008-04-14 09:42 1695232 -csha-w- c:\windows\ServicePackFiles\i386\msmsgs.exe
.
------- Sigcheck -------
[-] 2008-04-14 09:42 998912 D89B25A01991B8EEE6D62A158692952E c:\windows\explorer.exe
[7] 2004-08-04 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 09:42 998912 D89B25A01991B8EEE6D62A158692952E c:\windows\FlyakiteOSX\Backup\explorer.exe
[-] 2008-04-14 09:42 998912 D89B25A01991B8EEE6D62A158692952E c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
[7] 2004-08-04 12:00 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2008-04-14 09:41 657408 257359B2FA0E544FD750951DBBADCB31 c:\windows\FlyakiteOSX\Backup\comctl32.dll
[-] 2008-04-14 09:41 657408 257359B2FA0E544FD750951DBBADCB31 c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2005-08-31 22:49 925184 A93B7C3B08B9AC15B4DCDC96A50E4C2C c:\windows\SoftwareDistribution\Download\0ad26524c298df9a41026d3b49a38936\sp1qfe\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2006-03-17 05:04 925184 551E967F1E08EE6E205FCB5ADCB0DFC5 c:\windows\SoftwareDistribution\Download\cb2769f3b1daf367a31ed046299a3790\sp1qfe\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2006-08-25 15:53 925184 11B508E0D26622D2BD25B60033245F6A c:\windows\SoftwareDistribution\Download\e533f2b7494d7e198f7fd652beea5687\sp1qfe\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\windows\SoftwareDistribution\Download\e533f2b7494d7e198f7fd652beea5687\sp2qfe\comctl32.dll
[-] 2006-08-25 15:45 1054208 C4E80875C1CF1222FC5EFD0314AE5C01 c:\windows\SoftwareDistribution\Download\e533f2b7494d7e198f7fd652beea5687\sp2qfe\asms\60\msft\windows\common\controls\comctl32.dll
[-] 2008-04-14 09:41 657408 257359B2FA0E544FD750951DBBADCB31 c:\windows\system32\comctl32.dll
[7] 2004-08-04 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2004-08-04 12:00 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[7] 2008-04-14 09:42 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E601996F-E400-41CA-804B-CD6373A7EEE2}]
2009-06-09 15:23 429296 ----a-w- c:\program files\kikin\ie_kikin.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2007-11-17 91432]
"System Files Updater"="c:\windows\FlyakiteOSX\Tools\System Files Updater.exe" [2006-02-25 118485]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-05-21 17881600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-02-10 18:54 210224 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Super Turbo Tango Patcher Reloader.lnk]
backup=c:\windows\pss\Super Turbo Tango Patcher Reloader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WeGame.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WeGame.lnk
backup=c:\windows\pss\WeGame.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VisualTooltip
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"szserver"=2 (0x2)
"npggsvc"=3 (0x3)
"xmlprov"=3 (0x3)
"WudfSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"VSS"=3 (0x3)
"usprserv"=3 (0x3)
"UPS"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"rpcapd"=3 (0x3)
"RichVideo"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"BITS"=3 (0x3)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\source sdk base\\hl2.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\xdcmasterx\\dark messiah might and magic multi-player\\runme.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59133:TCP"= 59133:TCP:Pando Media Booster
"59133:UDP"= 59133:UDP:Pando Media Booster
"58050:TCP"= 58050:TCP:Pando Media Booster
"58050:UDP"= 58050:UDP:Pando Media Booster
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/8/2009 1:34 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/29/2009 10:34 AM 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/29/2009 10:34 AM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/21/2009 8:40 PM 24652]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [12/31/2008 3:09 AM 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/14/2009 8:37 PM 1684736]
S3 cpuz128;cpuz128;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva259;XDva259;\??\c:\windows\system32\XDva259.sys --> c:\windows\system32\XDva259.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
MSConfigStartUp-Comrade - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {{CCDCA331-90B7-4A71-8C8D-E06D955FA854} - c:\program files\FreshDevices\FreshDownload\fd.exe
IE: {{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} - c:\program files\kikin\ie_kikin.dll
Trusted Zone: reimage.com\cdnrep
DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1225.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 19:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system.ini 227 bytes
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-448539723-1409082233-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0a,64,68,e4,ec,47,cc,1e,3c,65,33,c6,52,30,a9,09,89,6e,bc,23,bf,df,a2,
d7,99,ce,27,07,56,d9,8c,6b,5a,5d,8d,b6,48,04,b4,0b,76,58,b2,96,c0,87,a3,a8,\
"??"=hex:6f,ac,06,37,9a,7b,ec,c8,58,2f,41,b9,fb,27,f6,01
[HKEY_USERS\S-1-5-21-448539723-1409082233-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:4c,e6,3c,2d,d7,4f,73,02,ed,cd,73,74,3f,cf,2c,23,b8,30,84,7d,d7,
7a,bd,62,f2,c6,94,d3,5a,8f,c8,c7,55,46,c1,2c,81,95,82,0a,4a,73,52,d1,18,0b,\
"rkeysecu"=hex:24,6e,be,34,d3,65,0f,de,3b,3a,ab,fa,5a,c2,a3,a2
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(856)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-07-12 19:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-12 23:18
Pre-Run: 19,664,949,248 bytes free
Post-Run: 19,783,606,272 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
420 --- E O F --- 2009-07-05 04:13