PDA

View Full Version : Help! I'm having some crazy issues.



Wildman0420
2009-08-07, 09:28
Hey Forum. I need some help from you guys, I seem to have hit a brick wall.

First off, let me give you some backround on the system I am running. It's a intel core duo 2.6 running windows xp pro service pack 3. For protection I run Spybot s&d, along with avast antivirus, and peerguardian 2. Up until recently I have been safely surfing for almost a year with this configuration. This all changed this morning.
When I logged in this morning, I was greeted by a wonderful fake antivirus program know as windows antivirus pro 2009. It told me that every app on my computer was a know virus and that I needed to give them money to make all the bad things go away. Knowing that something was seriously amis, I attempted to run a scan with spybot. when I tryed to run spybot however, nothing happend. It's still running in my minibar, but I can't run a scan or anything. The same thing with Avast! So I try reinstalling avast, and it gives me the option for a boot scan. I do this, and come back with 10 virus, which I delete all of them. The windows antivirus persists however and I end up having to go into safe mode, and remove all associated files and regedit all associated entries as well. After this was said and done I rebooted and noticed that while the fake AV software was gone, I still couldn't access the higher functions of both spybot or Avast. I then noticed something disturbing. When I try to regedit while logged in normally, it says I haven'y admin privlages. When I try to acess my user accounts in control panel, nothing happens. Same with most of my other control panel actions. Just nothing happens.
I've read a few other forum posts, and know that you guys need the hijack this results, but when I tryed to run it, it got to where the scan should start, and just dissappered!! Now when I click on it again NOTHING HAPPENS!! I'm going insane, please help me!!:banghead:

... and when logged into safe mode, none of the control panel functions are working as well!

I've gotten Gmer to run. I'll post the results when finished.

Here's what I was able to get. It eventually quit the ap, and now I can't get it to run again.

GMER 1.0.15.15011 [ynnbqzmr.exe] - http://www.gmer.net
Rootkit scan 2009-08-07 05:20:56
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB57366B8]
SSDT 8A1FBEE0 ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB5736574]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F82A20]
SSDT 89FDC220 ZwCreateThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB5736A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB573614C]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9F832A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9F8E910]
SSDT 8A1B4F00 ZwLoadDriver
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB573664E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB573608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB57360F0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9F832C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB573676E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB573672E]
SSDT 8A036BC0 ZwResumeThread
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9F8E0B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB57368AE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CE8 80504584 4 Bytes JMP BCEEFF81
? SYMEFA.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMTDI.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\SYMEVENT.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMNDIS.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMFW.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMIDS.SYS The system cannot find the path specified. !
? C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090206.001\IDSxpx86.sys The system cannot find the file specified. !
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] GDI32.DLL!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll
.text C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] GDI32.DLL!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll
.text C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe[304] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll
IAT C:\WINDOWS\system32\services.exe[1112] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[1112] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5EC880

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Udfs \UdfsCdRom 8A262C50
Device \FileSystem\Udfs \UdfsDisk 8A262C50
Device \Driver\USBSTOR \Device\0000008f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS

Device \Driver\Cdrom \Device\CdRom0 8A0120C8
Device \FileSystem\Rdbss \Device\FsWrap 8A2D7578
Device \Driver\Cdrom \Device\CdRom1 8A0120C8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89F42E68
Device \Driver\atapi \Device\Ide\IdePort0 89F42E68
Device \Driver\atapi \Device\Ide\IdePort1 89F42E68
Device \Driver\atapi \Device\Ide\IdePort2 89F42E68
Device \Driver\atapi \Device\Ide\IdePort3 89F42E68
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 89F42E68
Device \Driver\Cdrom \Device\CdRom2 8A0120C8
Device \Driver\USBSTOR \Device\00000090 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Srv \Device\LanmanServer 89FE62A0

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A2E1EE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A2E1EE0
Device \FileSystem\Npfs \Device\NamedPipe 8A154358
Device \FileSystem\Msfs \Device\Mailslot 8A00BFB0
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target1Lun0 8A04AC70
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target0Lun0 8A04AC70
Device \Driver\d347prt \Device\Scsi\d347prt1 8A04AC70
Device \Driver\USBSTOR \Device\0000008d sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8A07CE78
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8A07CE78
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8A07CE78
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8A07CE78
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8A07CE78
Device \FileSystem\Cdfs \Cdfs 889936A8

---- Modules - GMER 1.0.15 ----

Module _________ B9EE5000-B9EFD000 (98304 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\DOCUME~1\Tim\LOCALS~1\Temp\spoolsv.exe [304] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [372] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\uTorrent\uTorrent.exe [916] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1376] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1500] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1600] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1664] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1764] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashServ.exe [1956] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\PnkBstrA.exe [2052] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2352] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2392] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3040] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\PnkBstrB.exe [3364] 0x35670000
Library \\?\globalroot\Device\__max++>\ECE3EDCA.x86.dll (*** hidden *** ) @ C:\Program Files\DNA\btdna.exe [3788] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETaafvnklv.sys (*** hidden *** ) [SYSTEM] SKYNETvpmypdwy <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????a??? ?????????????a????(a? ?????????? ?????????????????????????????????????????? ???????a???????????a? ????????N??a???????????a?&????(??a???????e??avast! Mail Scanner??????a?????????????????????????????????s?????????a??????s???LegacyDriver??????N??a????????D?????{8ECC055D-047F-11D1-A537-0000F8753ED1}??????? (??a??????????????avast! Mail Scanner??????a?a?a?a?a?a????C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\*??S?????????????????????????????????????????9?9??C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\* /s????CurrentControlSet\Services\dmboot\??????????????? ???????e???a???a??HKEY_LOCAL_MACHINE\Software\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SharedDefs\*???????????a???a??????????????CurrentControlSet\Services\NAVEX15\*?CurrentControlSet\Services\NAVENG\*???????????????????????????????a1\???????a???????????????a?????a???????????????????(?)?*?)?+?+?B?-?-?\?????????????(???*?+?,?*?
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0x42 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z1 0xA6 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z2 0xA6 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z3 0xA6 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z4 0xA6 0xD1 0xC5 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43@hj34z0 0x16 0xA4 0x05 0xF3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy@imagepath \systemroot\system32\drivers\SKYNETaafvnklv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main@aid 10020
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaafvnklv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNETcmd.dll \systemroot\system32\SKYNETalnkpkpm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNETlog.dat \systemroot\system32\SKYNETbnreabeq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNETwsp.dll \systemroot\system32\SKYNEThwymdipu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETvpmypdwy\modules@SKYNET.dat \systemroot\system32\SKYNETqlhmurwu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy@imagepath \systemroot\system32\drivers\SKYNETaafvnklv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main@aid 10020
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETaafvnklv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNETcmd.dll \systemroot\system32\SKYNETalnkpkpm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNETlog.dat \systemroot\system32\SKYNETbnreabeq.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNETwsp.dll \systemroot\system32\SKYNEThwymdipu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETvpmypdwy\modules@SKYNET.dat \systemroot\system32\SKYNETqlhmurwu.dat

Blade81
2009-08-08, 09:10
Hi,

Download DDS and save it to your desktop (while giving the location, save the file as Wildman.scr) from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

Wildman0420
2009-08-08, 11:28
Hey blade, thanks for coming to help me. I downloaded and named the file as you instructed. However, when I run it, it shows in the process list for a few seconds and then vanishes. Nothing else happens.

Blade81
2009-08-08, 11:55
Hi,

Let's see how it handles this.

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)

Wildman0420
2009-08-08, 12:13
Ok, we got somthing. However, I was only left with the one text file. Also I cannot run the program agan. Here's what I got.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Tim at 2009-08-08 05:09:01
Microsoft Windows XP Professional Service Pack 3
System drive C: has 331 GB (54%) free of 610 GB
Total RAM: 2047 MB (80% free)


======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD56A320-23F2-42AD-F4E4-00AAC39CAA53}]
C:\WINDOWS\system32\hs7f3uhduhfukde.dll - C:\WINDOWS\system32\hs7f3uhduhfukde.dll [2009-08-06 15000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - Veoh Web Player Video Finder - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll [2008-12-16 429816]
{3E9D340B-D614-4854-AE06-4218201F6AAE} - LiveInfoPro - C:\Program Files\Internet Explorer\LiveInfoPro\liveinfopro_v1.9.6-1008.dll [2007-12-27 2306048]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-05-16 16862720]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-10-21 143360]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-10-21 172032]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-10-21 143360]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2007-03-14 71216]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2007-01-08 52256]
"LGODDFU"=C:\Program Files\lg_fwupdate\fwupdate.exe [2008-11-23 548864]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"nwiz"=nwiz.exe /install []
"H2O"=C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe [2005-10-23 385024]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-04-19 198160]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]
"ccleaner"=C:\Program Files\CCleaner\CCleaner.exe [2009-06-25 1578736]
"PeerGuardian"=C:\Program Files\PeerGuardian2\pg2.exe [2007-01-30 1432064]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2009-07-22 323392]
"Windows System Recover!"=C:\DOCUME~1\Tim\LOCALS~1\Temp\debug.exe [2009-08-08 22532]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Bitmeter2.lnk - C:\Program Files\Codebox\BitMeter\BitMeter2.exe
MFWAKeys.lnk - C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Tim\Start Menu\Programs\Startup
PowerReg Scheduler V3.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-10-21 217088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
LKMSFOIVAMFOMSFVIOSVJASIUENFJNDJV - {BD56A320-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\hs7f3uhduhfukde.dll [2009-08-06 15000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\BitLord\BitLord.exe"="C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Windows Media Player\wmplayer.exe"="C:\Program Files\Windows Media Player\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\Program Files\Freelancer\EXE\Freelancer.exe"="C:\Program Files\Freelancer\EXE\Freelancer.exe:*:Enabled:Freelancer"
"C:\Program Files\SecondLife\SLVoice.exe"="C:\Program Files\SecondLife\SLVoice.exe:*:Enabled:SLVoice"
"C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe"="C:\Program Files\THQ\Dawn of War - Dark Crusade\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\Program Files\Zultrax P2P\Zultrax.Exe"="C:\Program Files\Zultrax P2P\Zultrax.Exe:*:Enabled:Zultrax"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\Program Files\Codemasters\Worms 4 Mayhem\WORMS 4 MAYHEM.EXE"="C:\Program Files\Codemasters\Worms 4 Mayhem\WORMS 4 MAYHEM.EXE:*:Disabled:Worms 4 Mayhem"
"C:\Documents and Settings\Tim\My Documents\New Folder\PC_Soldiers.of.Fortune.3 Payback -.modded.-.direct.play.-ToeD\SoF3\SoF-Payback\sof3.exe"="C:\Documents and Settings\Tim\My Documents\New Folder\PC_Soldiers.of.Fortune.3 Payback -.modded.-.direct.play.-ToeD\SoF3\SoF-Payback\sof3.exe:*:Enabled:sof3"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"C:\Program Files\Codemasters\DiRT\DiRT.exe"="C:\Program Files\Codemasters\DiRT\DiRT.exe:*:Disabled:DiRT Executable"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Codemasters\GRID\GRID.exe"="C:\Program Files\Codemasters\GRID\GRID.exe:*:Enabled:GRID"
"C:\Documents and Settings\Rob K\Desktop\utorrent.exe"="C:\Documents and Settings\Rob K\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe"="C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe:*:Enabled:Media Player Classic - Homecinema"
"C:\Program Files\VideoLAN\VLC\vlc.exe"="C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"C:\Program Files\Saints Row 2\SR2_pc.exe"="C:\Program Files\Saints Row 2\SR2_pc.exe:*:Enabled:SR2_pc"
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player "
"C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\Program Files\Activision\EF2\EF2.exe"="C:\Program Files\Activision\EF2\EF2.exe:*:Enabled:Elite Force II"
"C:\Program Files\TVUPlayer\TVUPlayer.exe"="C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\Program Files\Pando Networks\Media Booster\PMB.exe"="C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"
"C:\Documents and Settings\Tim\My Documents\New Folder\Warhammer_Dawn_of_War_2-WiCKED\DOW2.exe"="C:\Documents and Settings\Tim\My Documents\New Folder\Warhammer_Dawn_of_War_2-WiCKED\DOW2.exe:*:Enabled:DOW2"
"C:\Documents and Settings\Tim\Desktop\Warhammer_Dawn_of_War_2-WiCKED\WiCKED-DOW2\DOW2.exe"="C:\Documents and Settings\Tim\Desktop\Warhammer_Dawn_of_War_2-WiCKED\WiCKED-DOW2\DOW2.exe:*:Enabled:DOW2"
"C:\Documents and Settings\Tim\Desktop\WiCKED-DOW2\DOW2.exe"="C:\Documents and Settings\Tim\Desktop\WiCKED-DOW2\DOW2.exe:*:Disabled:DOW2"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Java\jre6\bin\javaw.exe"="C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\EA GAMES\Mercenaries 2 World in Flames\Mercenaries2.exe"="C:\Program Files\EA GAMES\Mercenaries 2 World in Flames\Mercenaries2.exe:*:Enabled:Mercenaries 2: World in Flames"
"C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe"="C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater"
"C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Editor.exe"="C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:*:Enabled:Editor"
"C:\Program Files\Ubisoft\Far Cry 2\bin\FarCry2.exe"="C:\Program Files\Ubisoft\Far Cry 2\bin\FarCry2.exe:*:Enabled:Far Cry 2"
"C:\Program Files\Deep Silver\Sacred 2 - Fallen Angel\system\s2gs.exe"="C:\Program Files\Deep Silver\Sacred 2 - Fallen Angel\system\s2gs.exe:*:Enabled:Sacred 2 Game Server"
"C:\Program Files\Deep Silver\Sacred 2 - Fallen Angel\system\sacred2.exe"="C:\Program Files\Deep Silver\Sacred 2 - Fallen Angel\system\sacred2.exe:*:Enabled:Sacred 2"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\CCP\EVE\bin\ExeFile.exe"="C:\Program Files\CCP\EVE\bin\ExeFile.exe:*:Enabled:CCP ExeFile"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.exe - open - C:\WINDOWS\system32\desot.exe "%1" %*

======List of files/folders created in the last 2 months======

2009-08-08 05:09:06 ----D---- C:\Program Files\trend micro
2009-08-08 05:09:01 ----D---- C:\rsit
2009-08-08 04:21:40 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-07 01:58:53 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-08-07 01:48:30 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-08-07 01:48:29 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2009-08-07 01:44:22 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-08-07 01:42:56 ----D---- C:\Documents and Settings\Tim\Application Data\GetRightToGo
2009-08-06 17:37:44 ----D---- C:\WINDOWS\CSC
2009-08-06 17:31:48 ----A---- C:\windows-kb890830-v2.12.exe
2009-08-06 17:01:18 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-06 16:33:41 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-06 16:08:01 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-08-06 16:07:54 ----D---- C:\Documents and Settings\Tim\Application Data\PC Tools
2009-08-06 10:05:27 ----A---- C:\WINDOWS\system32\temp.exe
2009-08-06 10:01:34 ----A---- C:\WINDOWS\system32\desot.exe
2009-08-06 10:01:07 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-06 10:00:29 ----A---- C:\nnnivl.exe
2009-08-06 10:00:19 ----A---- C:\shbnoqx.exe
2009-08-06 10:00:06 ----A---- C:\WINDOWS\system32\hs7f3uhduhfukde.dll
2009-08-06 10:00:05 ----A---- C:\hbywcp.exe
2009-08-06 10:00:04 ----A---- C:\WINDOWS\system32\SKYNEThwymdipu.dll
2009-08-06 10:00:03 ----A---- C:\WINDOWS\system32\SKYNETalnkpkpm.dll
2009-08-06 09:59:56 ----A---- C:\WINDOWS\system32\samsvc.exe
2009-08-04 12:56:01 ----D---- C:\Program Files\City Interactive
2009-08-04 04:44:49 ----D---- C:\Program Files\Vendetta Online
2009-08-03 02:58:51 ----D---- C:\Program Files\Driving Simulator 2009
2009-07-28 05:18:51 ----D---- C:\Documents and Settings\Tim\Application Data\LucasArts
2009-07-28 05:15:14 ----D---- C:\Program Files\Secret Of Monkey Island SE
2009-07-27 03:05:08 ----A---- C:\WINDOWS\Runservice.exe
2009-07-27 03:05:08 ----A---- C:\WINDOWS\mmfs.dll
2009-07-27 02:55:36 ----D---- C:\Program Files\Battlefront
2009-07-22 02:39:06 ----D---- C:\Program Files\DNA
2009-07-22 02:39:06 ----D---- C:\Documents and Settings\Tim\Application Data\DNA
2009-07-17 03:24:31 ----D---- C:\Documents and Settings\All Users\Application Data\Ubisoft
2009-07-16 03:01:47 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 03:01:43 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 03:00:18 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-14 00:13:49 ----D---- C:\Documents and Settings\Tim\Application Data\vlc
2009-07-13 21:39:13 ----D---- C:\Program Files\Virtual Earth 3D
2009-07-10 01:21:17 ----D---- C:\Program Files\Velvet Assassin
2009-07-08 22:31:52 ----D---- C:\Documents and Settings\Tim\Application Data\Ubisoft
2009-07-08 21:13:35 ----D---- C:\WINDOWS\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
2009-07-03 18:19:57 ----D---- C:\Program Files\Common Files\DivX Shared
2009-07-03 02:49:44 ----D---- C:\Program Files\Flagship Studios
2009-07-03 01:55:54 ----HD---- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2009-07-02 04:27:11 ----D---- C:\WINDOWS\Sins of a Solar Empire
2009-07-02 04:27:11 ----D---- C:\Program Files\Sins of a Solar Empire
2009-07-02 03:50:19 ----D---- C:\WINDOWS\E4D153288C89484BB9AAF5BE9EA6D01C.TMP
2009-07-01 23:38:54 ----D---- C:\Program Files\1C Company
2009-07-01 23:19:32 ----D---- C:\Program Files\Nobilis
2009-07-01 23:03:25 ----D---- C:\Program Files\Strategy First
2009-07-01 22:39:55 ----D---- C:\Program Files\Sierra
2009-07-01 04:16:51 ----D---- C:\Program Files\ZenoClash
2009-07-01 03:32:47 ----A---- C:\WINDOWS\unvise32.exe
2009-07-01 03:30:31 ----D---- C:\Program Files\Postal2STP
2009-06-29 03:57:16 ----D---- C:\Program Files\Common Files\DirectX
2009-06-28 02:28:49 ----A---- C:\WINDOWS\system32\d3dx10_41.dll
2009-06-28 02:28:49 ----A---- C:\WINDOWS\system32\D3DCompiler_41.dll
2009-06-28 02:28:48 ----A---- C:\WINDOWS\system32\XAudio2_4.dll
2009-06-28 02:28:48 ----A---- C:\WINDOWS\system32\XAPOFX1_3.dll
2009-06-28 02:28:48 ----A---- C:\WINDOWS\system32\D3DX9_41.dll
2009-06-28 02:28:47 ----A---- C:\WINDOWS\system32\xactengine3_4.dll
2009-06-28 02:28:46 ----A---- C:\WINDOWS\system32\X3DAudio1_6.dll
2009-06-23 03:19:14 ----D---- C:\Program Files\Mad Scientist Productions
2009-06-21 05:02:03 ----D---- C:\Program Files\Hinterland
2009-06-10 03:02:26 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-06-10 03:02:22 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-06-10 03:00:44 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-06-10 03:00:16 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$

======List of files/folders modified in the last 2 months======

2009-08-08 05:09:08 ----D---- C:\Program Files\PeerGuardian2
2009-08-08 05:09:06 ----RD---- C:\Program Files
2009-08-08 05:08:49 ----D---- C:\Documents and Settings\All Users\Application Data\Bitmeter2
2009-08-08 04:40:59 ----D---- C:\Program Files\Mozilla Firefox
2009-08-08 04:36:28 ----D---- C:\WINDOWS\Prefetch
2009-08-08 04:36:20 ----D---- C:\Program Files\Paint Shop Pro 6
2009-08-08 04:32:41 ----A---- C:\WINDOWS\NeroDigital.ini
2009-08-08 04:30:14 ----D---- C:\WINDOWS\Temp
2009-08-08 04:30:12 ----D---- C:\WINDOWS
2009-08-07 14:18:28 ----D---- C:\Documents and Settings\Tim\Application Data\uTorrent
2009-08-07 08:23:59 ----D---- C:\Program Files\WinRAR
2009-08-07 08:23:57 ----SHD---- C:\System Volume Information
2009-08-07 08:22:45 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-07 08:18:48 ----D---- C:\Documents and Settings\Tim\Application Data\WinRAR
2009-08-07 05:27:07 ----D---- C:\Program Files\LimeWire
2009-08-07 04:43:04 ----D---- C:\Program Files\EA GAMES
2009-08-07 04:41:55 ----SHD---- C:\WINDOWS\Installer
2009-08-07 04:40:58 ----D---- C:\Program Files\Ubisoft
2009-08-07 04:40:57 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-07 04:29:17 ----D---- C:\WINDOWS\system32\drivers
2009-08-07 04:28:53 ----D---- C:\WINDOWS\system32
2009-08-07 04:28:53 ----D---- C:\Program Files\Common Files
2009-08-07 04:28:50 ----HD---- C:\WINDOWS\inf
2009-08-07 04:26:17 ----D---- C:\Games
2009-08-07 04:24:10 ----D---- C:\WINDOWS\Debug
2009-08-07 03:57:02 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-08-06 18:12:57 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-06 18:12:16 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-06 17:59:12 ----SD---- C:\WINDOWS\Tasks
2009-08-06 17:58:00 ----D---- C:\WINDOWS\Network Diagnostic
2009-08-06 16:53:29 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-06 16:52:33 ----D---- C:\WINDOWS\system
2009-08-06 14:28:33 ----SHD---- C:\RECYCLER
2009-08-06 14:24:15 ----D---- C:\Documents and Settings
2009-08-06 12:02:58 ----D---- C:\WINDOWS\system32\config
2009-08-06 10:01:21 ----D---- C:\Program Files\lg_fwupdate
2009-08-06 10:01:20 ----A---- C:\WINDOWS\lgfwup.ini
2009-08-06 10:00:21 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-06 10:00:20 ----D---- C:\Program Files\Internet Explorer
2009-08-04 13:04:38 ----D---- C:\WINDOWS\system32\DirectX
2009-08-04 13:04:22 ----RSD---- C:\WINDOWS\assembly
2009-08-04 08:54:32 ----D---- C:\Documents and Settings\Tim\Application Data\dvdcss
2009-08-02 02:07:32 ----D---- C:\Program Files\Microsoft Silverlight
2009-08-01 10:34:30 ----D---- C:\Documents and Settings\Tim\Application Data\LimeWire
2009-07-30 08:52:12 ----D---- C:\Program Files\Telltale Games
2009-07-30 01:21:48 ----HD---- C:\WINDOWS\msdownld.tmp
2009-07-29 03:00:32 ----D---- C:\WINDOWS\system32\en-US
2009-07-29 03:00:23 ----D---- C:\WINDOWS\ie7updates
2009-07-29 03:00:16 ----D---- C:\WINDOWS\WinSxS
2009-07-28 05:51:22 ----D---- C:\Program Files\LucasArts
2009-07-22 05:55:30 ----D---- C:\Movies -n- Stuff
2009-07-19 09:33:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 09:32:59 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-13 23:27:09 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-07-13 23:27:07 ----D---- C:\Program Files\Common Files\Adobe
2009-07-13 23:27:05 ----D---- C:\Program Files\Adobe
2009-07-13 21:55:31 ----D---- C:\WINDOWS\Microsoft.NET
2009-07-13 21:39:52 ----SD---- C:\Documents and Settings\Tim\Application Data\Microsoft
2009-07-08 21:13:31 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-08 20:30:21 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2009-07-07 08:10:58 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-06 05:40:51 ----D---- C:\Program Files\DivX
2009-07-06 03:13:31 ----D---- C:\Program Files\Codemasters
2009-07-04 17:44:18 ----D---- C:\Documents and Settings\All Users\Application Data\


Thats all I was able to get.

Blade81
2009-08-08, 12:20
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent
BitLord
BitTorrent
DNA
eMule
LimeWire
Vuze


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Empty Recycle Bin.

After that:


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log (if you're able to run DDS now).

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Wildman0420
2009-08-08, 12:48
Ok,. I wasn't even aware of any p2p programs except utorrent. I deleted it, best I could. However I couldn't use add/remove programs. When I clicked on it, nothing happened.

Also, I downloaded combofix, read the intructions and disabled all antivirus, and firewalls. When I ran the progran, I get a small progress bar. It fills up and then it disappears. Attempting to re run it gets the same results.

Blade81
2009-08-08, 13:09
Hi,

Let's try this.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download Combofix from any of the links below. You must*rename it before saving it (use Wildman.exe as name). Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------

Double click on Wildman.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt. See if you're able to make DDS run.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Wildman0420
2009-08-08, 13:20
Same result. :( Also I just got a virus detected in memory warning when I turned my AV back on.

Blade81
2009-08-08, 14:50
Hi,

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Go to C:\Documents and Settings\All Users\Application Data folder and move folders that have nothing but digits (e.g. 23812491) in their name to your desktop.

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

Wildman0420
2009-08-08, 19:04
I am unable to show the hidden files! When I go into my computer, and select tools, I have only three options: Map network drive, disconnect netowrk drive, and synchronize. There is no folder options.

I went ahead and downloaded Malwarebytes' Anti-Malware, installed, and ran. It got to after I selected the drive to scan, hit ok, and then the program closed. Now it is acting as the other programs do, and will not run.

Blade81
2009-08-08, 21:14
Hi,

Download attached zip file and extract it to the root of your c: drive (c:\). When done, go to c:\ and double-click extracted file. When done, try to run renamed ComboFix again.

Note: attached file is meant to be used only in this specific case. Using it in some other system may cause harm on the system.

Wildman0420
2009-08-08, 21:47
Nothing seemed to happen when I ran the xp fix, and then when I tried to run combofix, still i get a progress bar, that fills then disappears. I'm now getting occasional popups of Internet Explorer. and i'm hearing sound when none should be playing at times as well.

Blade81
2009-08-09, 10:21
Hi,

Trying to figure out something. Do you have your Windows media available?

Wildman0420
2009-08-09, 20:16
hhmm. No, windows media player doesn't seem to work. VLC player still does.

Blade81
2009-08-09, 20:26
Hi,

I meant if you have Windows OS media available, not Windows Media Player :). Hopefully you have the disc.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
scecli.dll
winnt32.exe


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Wildman0420
2009-08-09, 20:44
I cannot find my windows disc. I know it's around here somewhere!

Here is the results of that scan:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 13:38 on 09/08/2009 by Tim (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 181248 bytes [12:00 14/04/2008] [12:00 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 14/04/2008] [12:00 14/04/2008] (Unable to calculate MD5)

Searching for "winnt32.exe"
No files found.

-=End Of File=-

Blade81
2009-08-09, 20:47
Hi,

Upload following files to Virustotal (http://www.virustotal.com) and post back the results or links to the results:
C:\WINDOWS\system32\dllcache\scecli.dll
C:\WINDOWS\system32\scecli.dll

We'll see if media is needed or not.

Wildman0420
2009-08-09, 20:54
Ok, the first scan came back as such

File scecli.dll received on 2009.04.27 04:21:18 (UTC)
Current status: finished
Result: 0/40 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.27 -
AhnLab-V3 5.0.0.2 2009.04.26 -
AntiVir 7.9.0.156 2009.04.26 -
Antiy-AVL 2.0.3.1 2009.04.24 -
Authentium 5.1.2.4 2009.04.26 -
Avast 4.8.1335.0 2009.04.26 -
AVG 8.5.0.287 2009.04.26 -
BitDefender 7.2 2009.04.27 -
CAT-QuickHeal 10.00 2009.04.25 -
ClamAV 0.94.1 2009.04.27 -
Comodo 1135 2009.04.25 -
DrWeb 4.44.0.09170 2009.04.27 -
eSafe 7.0.17.0 2009.04.23 -
eTrust-Vet 31.6.6475 2009.04.24 -
F-Prot 4.4.4.56 2009.04.26 -
F-Secure 8.0.14470.0 2009.04.27 -
Fortinet 3.117.0.0 2009.04.27 -
GData 19 2009.04.27 -
Ikarus T3.1.1.49.0 2009.04.27 -
K7AntiVirus 7.10.716 2009.04.25 -
Kaspersky 7.0.0.125 2009.04.27 -
McAfee 5597 2009.04.26 -
McAfee+Artemis 5597 2009.04.26 -
McAfee-GW-Edition 6.7.6 2009.04.27 -
Microsoft 1.4602 2009.04.27 -
NOD32 4035 2009.04.25 -
Norman 6.00.06 2009.04.24 -
nProtect 2009.1.8.0 2009.04.27 -
Panda 10.0.0.14 2009.04.26 -
PCTools 4.4.2.0 2009.04.26 -
Prevx1 3.0 2009.04.27 -
Rising 21.27.00.00 2009.04.27 -
Sophos 4.41.0 2009.04.27 -
Sunbelt 3.2.1858.2 2009.04.24 -
Symantec 1.4.4.12 2009.04.27 -
TheHacker 6.3.4.1.315 2009.04.27 -
TrendMicro 8.700.0.1004 2009.04.25 -
VBA32 3.12.10.3 2009.04.27 -
ViRobot 2009.4.27.1709 2009.04.27 -
VirusBuster 4.6.5.0 2009.04.26 -
Additional information
File size: 181248 bytes
MD5 : a86bb5e61bf3e39b62ab4c7e7085a084
SHA1 : 3a3535122da168a549d2007123e9ae06146f2002
SHA256: b88446e007153bb58c5ae867ac3fb4c46618bbaa5a152687201e0e81f881465a
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x13A0
timedatestamp.....: 0x4802A10E (Mon Apr 14 02:10:54 2008)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x24AA3 0x24C00 6.31 75ccde4c944fac9ba31428684259e699
.data 0x26000 0x1004 0x800 3.17 141a34aab3a9b14d8bcdefd0d1f66eba
.rsrc 0x28000 0x4CD8 0x4E00 3.39 d8af3d7fd867f90e31b01c3eeaa3009a
.reloc 0x2D000 0x1C04 0x1E00 6.60 c59f32ba39347a6c464fb77f1c1feb80

( 11 imports )

> advapi32.dll: LsaSetDomainInformationPolicy, ImpersonateLoggedOnUser, RevertToSelf, GetNamedSecurityInfoW, SetNamedSecurityInfoW, GetSecurityDescriptorDacl, AllocateAndInitializeSid, LsaRemoveAccountRights, RegDeleteKeyW, ConvertStringSidToSidW, LsaLookupSids, OpenSCManagerW, EnumServicesStatusW, LsaClose, FreeSid, LsaOpenPolicy, LsaLookupNames2, LsaQueryInformationPolicy, LsaQueryDomainInformationPolicy, LsaFreeMemory, OpenServiceW, QueryServiceConfigW, QueryServiceObjectSecurity, CloseServiceHandle, RegOpenCurrentUser, ReportEventW, DeregisterEventSource, RegisterEventSourceW, OpenThreadToken, OpenProcessToken, DuplicateToken, CheckTokenMembership, EqualSid, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSecurityDescriptorToStringSecurityDescriptorW, RegEnumKeyExW
> kernel32.dll: lstrcmpiW, lstrcpyW, lstrcatW, FormatMessageW, LoadLibraryW, GetProcAddress, FreeLibrary, GetEnvironmentStringsW, GetPrivateProfileStringW, Sleep, GetModuleHandleW, ReadFile, WideCharToMultiByte, WritePrivateProfileSectionW, WritePrivateProfileStringW, GetEnvironmentVariableW, GetTickCount, DeleteFileW, CopyFileW, GetFileAttributesW, GetPrivateProfileIntW, lstrlenW, CompareStringW, CreateFileW, LocalReAlloc, GetVolumeInformationW, GetDriveTypeW, GetFileSize, SetFileAttributesW, ExitThread, FreeLibraryAndExitThread, CreateThread, LeaveCriticalSection, WaitForSingleObject, EnterCriticalSection, GetCurrentThreadId, QueueUserWorkItem, InitializeCriticalSection, DeleteCriticalSection, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetCurrentProcessId, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, LocalFree, GetLastError, LoadLibraryExA, CloseHandle, GetCurrentProcess, GetCurrentThread, WriteFile, GetTimeFormatW, GetDateFormatW, FileTimeToSystemTime, CreateDirectoryW, GetSystemWindowsDirectoryW, GetComputerNameExW, GetComputerNameW, GetSystemDirectoryW, ExpandEnvironmentStringsW, SetLastError, GetPrivateProfileSectionW, LocalAlloc, SetFilePointer
> msvcrt.dll: wcsncmp, _wcsupr, wcsncat, wcschr, wcscat, swprintf, _vsnwprintf, wcsstr, _except_handler3, _resetstkoflw, wcscpy, _wcsnicmp, wcsncpy, wcslen, _wcsicmp, _wfindfirst, fclose, _wfopen, _adjust_fdiv, malloc, _initterm, free, __2@YAPAXI@Z, __3@YAXPAX@Z, __CxxFrameHandler, _wtol, _itow, _wfindnext, towlower, _findclose, memmove
> netapi32.dll: NetLocalGroupAddMembers
> ntdll.dll: RtlNtStatusToDosError, RtlGetControlSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlFreeSid, RtlAllocateAndInitializeSid, RtlMapGenericMask, RtlGetAce, NtAdjustPrivilegesToken, RtlTimeToTimeFields, RtlSystemTimeToLocalTime, NtQuerySystemTime, RtlCopySid, RtlLengthSid, RtlSubAuthoritySid, RtlSubAuthorityCountSid, RtlIdentifierAuthoritySid, NtQueryInformationToken, RtlGetNtProductType, RtlLengthRequiredSid, RtlFreeUnicodeString, RtlConvertSidToUnicodeString, RtlInitUnicodeString, RtlValidSid, RtlTimeToSecondsSince1980, NtQueryObject, RtlLengthSecurityDescriptor, RtlMakeSelfRelativeSD, RtlRandomEx, RtlImageNtHeader, RtlFreeHeap, RtlAllocateHeap, RtlEqualSid
> ole32.dll: CoCreateGuid, CoInitialize, CoCreateInstance, CoMarshalInterThreadInterfaceInStream, CoInitializeEx, CoGetInterfaceAndReleaseStream, CoUninitialize
> oleaut32.dll: -, -, -, -, -, -
> rpcrt4.dll: RpcBindingSetAuthInfoW, I_RpcExceptionFilter, RpcBindingFree, NdrClientCall2, RpcStringFreeW, RpcBindingFromStringBindingW, RpcStringBindingComposeW, NdrServerCall2
> setupapi.dll: SetupFindNextLine, SetupGetFieldCount, SetupGetStringFieldW, SetupFindFirstLineW, SetupGetLineCountW, SetupOpenInfFileW, SetupCloseInfFile, SetupGetIntField, SetupGetMultiSzFieldW
> user32.dll: wsprintfW, LoadStringW
> userenv.dll: ProcessGroupPolicyCompletedEx

( 1 exports )

> DeltaNotify, DllRegisterServer, DllUnregisterServer, InitializeChangeNotify, SceAddToNameList, SceAddToNameStatusList, SceAddToObjectList, SceAnalyzeSystem, SceAppendSecurityProfileInfo, SceBrowseDatabaseTable, SceCloseProfile, SceCommitTransaction, SceCompareNameList, SceCompareSecurityDescriptors, SceConfigureConvertedFileSecurity, SceConfigureSystem, SceCopyBaseProfile, SceCreateDirectory, SceDcPromoCreateGPOsInSysvol, SceDcPromoCreateGPOsInSysvolEx, SceDcPromoteSecurity, SceDcPromoteSecurityEx, SceEnforceSecurityPolicyPropagation, SceEnumerateServices, SceFreeMemory, SceFreeProfileMemory, SceGenerateGroupPolicy, SceGenerateRollback, SceGetAnalysisAreaSummary, SceGetAreas, SceGetDatabaseSetting, SceGetDbTime, SceGetObjectChildren, SceGetObjectSecurity, SceGetScpProfileDescription, SceGetSecurityProfileInfo, SceGetServerProductType, SceGetTimeStamp, SceIsSystemDatabase, SceLookupPrivRightName, SceNotifyPolicyDelta, SceOpenPolicy, SceOpenProfile, SceProcessEFSRecoveryGPO, SceProcessSecurityPolicyGPO, SceProcessSecurityPolicyGPOEx, SceRegisterRegValues, SceRollbackTransaction, SceSetDatabaseSetting, SceSetupBackupSecurity, SceSetupConfigureServices, SceSetupGenerateTemplate, SceSetupMoveSecurityFile, SceSetupRootSecurity, SceSetupSystemByInfName, SceSetupUnwindSecurityFile, SceSetupUpdateSecurityFile, SceSetupUpdateSecurityKey, SceSetupUpdateSecurityService, SceStartTransaction, SceSvcConvertSDToText, SceSvcConvertTextToSD, SceSvcFree, SceSvcGetInformationTemplate, SceSvcQueryInfo, SceSvcSetInfo, SceSvcSetInformationTemplate, SceSvcUpdateInfo, SceSysPrep, SceUpdateObjectInfo, SceUpdateSecurityProfile, SceWriteSecurityProfileInfo
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 3072:nfIJ7eaZiV7kZ1zgdzbjn3pRl44O2Wi1qqBi/B5tetnFwT8nS:nfuwV7Ezgtn37q4Dcr/AnFwTv
PEiD : -
RDS : NSRL Reference Data Set
-


Then the second scan came back only with this,

0 bytes size received / Se ha recibido un archivo vacio

Blade81
2009-08-09, 21:52
Hi,

Next, I'll need you to make some preparations since I'm going to ask you to disconnect system from network (= to pull network cable off). I recommend you print/save these instructions so that you can access them while disconnected from network (or you may read instructions thru your other system if you have more than this we're currently cleaning).


Before disconnecting, do the following two (2) steps:
1. Make sure you have Malwarebytes' Anti-Malware setup file ready. If it isn't on your machine anymore, download it again.
2. Download combofix from any of these links and save it renamed to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

When you have Malwarebytes' Anti-Malware setup file and renamed ComboFix file on your desktop, disconnect the machine from network.

========To be done offline begins==========

1. The next steps to follow will need to be done in safe mode with command prompt (print/save these since you won't be able to access them while in safe mode):

Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands carefully (if anything turns up with these, please stop and note the error down and let me know):
c:
cd\
ren C:\WINDOWS\system32\scecli.dll scecli.dll.vir
copy C:\WINDOWS\system32\dllcache\scecli.dll C:\WINDOWS\system32\scecli.dll


While still being disconnected from network, reboot back into normal mode.

Do next two things only if safe mode with command prompt -part went without issues, otherwise report what problem you had:
a) Run Malwarebytes' Anti-Malware (MBAM) with full scan and let it delete its findings.
b) Run ComboFix.

========To be done offline ends==========

When done, post back MBAM & ComboFix logs.

Wildman0420
2009-08-09, 22:28
OK,
Upon attempting to ren c:\windows\system32\scecli.dll scecli.dll.vir, I get a error saying: The process cannot access the file because it is being used by another process

Blade81
2009-08-09, 22:39
Hi,

Looks like you're gonna need that XP Pro OS disc. If you can't find yours do you know anyone with XP Pro OS media available?

Wildman0420
2009-08-09, 23:05
I'll borrow one from my brother, though it might take me a few days to get in touch with him. Go ahead and tell me what I'll need to do next, and I'll let you know what happens in a day or so when I am able to get the disc from him.

Thanks again for taking your time to help me with this.

Wildman0420
2009-08-10, 02:52
Ok, I was able to locate an xp pro disc to use, however, it would be close to a 2 hour drive for me to pick it up. Is there any way I could use a xp home disc to repair the issue I am having? Or are the necessary files going to be too different.

Blade81
2009-08-10, 07:29
Ok, I was able to locate an xp pro disc to use, however, it would be close to a 2 hour drive for me to pick it up. Is there any way I could use a xp home disc to repair the issue I am having? Or are the necessary files going to be too different.
Hi,

It has to be xp pro disc. However, let's see if we can still manage without the media here.


Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

Double-click on fixes.bat file to execute it.


Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.

Files to move:
c:\scecli.dll | C:\WINDOWS\system32\scecli.dll
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply. Then try to run MBAM and ComboFix again.

Wildman0420
2009-08-10, 18:46
Ok, I ran avenger, and it all seemed to work. (though I cannot find the text file I saved from it, even where you tell me to look.)

I was then able to run MBAM, so I did. Here is the Log file from it.

Malwarebytes' Anti-Malware 1.40
Database version: 2590
Windows 5.1.2600 Service Pack 3

8/10/2009 11:30:20 AM
mbam-log-2009-08-10 (11-30-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 293902
Time elapsed: 59 minute(s), 48 second(s)

Memory Processes Infected: 8
Memory Modules Infected: 1
Registry Keys Infected: 31
Registry Values Infected: 7
Registry Data Items Infected: 4
Folders Infected: 3
Files Infected: 110

Memory Processes Infected:
C:\Documents and Settings\Tim\Local Settings\Temp\b.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\msa.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\svchast.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\debug.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\winlogon.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\winamp.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\setup.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\login.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\hs7f3uhduhfukde.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\antippro2009_12 (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\antippro2009_12 (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_12 (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3ae6b13d-c719-43f4-b263-618928abc4ef} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a75c63ae-a9b0-45c3-bae8-ba99089043be} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d7bbb39a-d87b-4d5b-8260-15deb87ce919} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3e9d340b-d614-4854-ae06-4218201f6aae} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5dc51e2a-2041-4745-97ba-1ca8c794a07f} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb00583.ietoolbar (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb00583.ietoolbar.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb00583.tbsb00583 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb00583.tbsb00583.3 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar3.tbsb00583 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar3.tbsb00583.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tbsb00583.tbsb00583toolbar (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_12 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antispyware service (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows system recover! (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{3e9d340b-d614-4854-ae06-4218201f6aae} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Internet Explorer\LiveInfoPro (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Start Menu\Programs\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hs7f3uhduhfukde.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\Tim\Local Settings\Temp\b.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\msa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\svchast.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\debug.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\winlogon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\winamp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\login.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\vdashkem.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\hbywcp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1362038692.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\989062518.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\notepad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\services.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winamp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicole\Local Settings\Temp\2163372088.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicole\Local Settings\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicole\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicole\Local Settings\Temp\winlogon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicole\Local Settings\Temp\login.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nicole\Local Settings\Temp\lsass.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\notepad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\services.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\smss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\1190556030.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\1336660718.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\1543622870.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\1909723890.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\2007231314.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\2025854232.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\2214331794.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\236878972.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\2378517840.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\2532118508.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\system.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\csrss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\lsass.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\2738655618.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\2759516882.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\2908459526.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\333263258.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\3827420224.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\3864171678.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\4005487130.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\4160636022.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tim\Local Settings\Temp\4253710110.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Alwil Software\Avast4\DATA\moved\install.exe.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\desot.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tapi.nfo (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp.exe (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8XUF8L2B\yrnwkxyppq[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CDIF4P63\aasuper0[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CDIF4P63\yisfwkx[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CTIV41M3\aasuper2[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CTIV41M3\foypq[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K1YJ0L2J\bdarsj[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K1YJ0L2J\u3[1].exe (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K1YJ0L2J\dnxuh[1].htm (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\affid.dat (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\basis.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\bg.jpg (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\icons.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\icons.bmp_16.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\icons.bmp_24.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\icons.bmp_32.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\info.txt (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\liveinfopro_v1.9.6-1008.crc (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\liveinfopro_v1.9.6-1008.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\liveinfo_logo5.gif (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\radio2.html (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\radio3.html (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\script.html (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\standart_icons.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\tbhelper.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\LiveInfoPro\version.txt (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\samsvc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETbnreabeq.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETqlhmurwu.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETalnkpkpm.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNEThwymdipu.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\SKYNETaafvnklv.sys (Trojan.Agent) -> Quarantined and deleted successfully.




Now, however, everytime I try to run combofix, as well as any other .exe file, I get a "open with" window, asking me to choose what file to open it with. Had the same problem trying to run firefox, but luckily firefox was one of the programs on that list.

Blade81
2009-08-10, 18:58
Ok, I ran avenger, and it all seemed to work. (though I cannot find the text file I saved from it, even where you tell me to look.)
Hi,

Please see if you can find avenger.txt file with Windows Search.


Now, however, everytime I try to run combofix, as well as any other .exe file, I get a "open with" window, asking me to choose what file to open it with. Had the same problem trying to run firefox, but luckily firefox was one of the programs on that list.
Remember when I asked you to download attached zip file in post #12 (http://forums.spybot.info/showpost.php?p=327144&postcount=12)? Please download it again (if you had already removed it), extract contents to your desktop and double click .vbs file found inside. See if you're able to run ComboFix then.

Wildman0420
2009-08-10, 19:23
Ok,
the xp fix worked great, I was able to run combofix. here is the log

ComboFix 09-08-09.04 - Tim 08/10/2009 12:06.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1638 [GMT -4:00]
Running from: c:\documents and settings\Tim\Desktop\wildman.exe
AV: avast! antivirus 4.8.1335 [VPS 090810-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-4956324679-8100242078-589268649-9065
c:\windows\desktop
c:\windows\desktop\Play X-Wing Alliance.lnk

----- BITS: Possible infected sites -----

hxxp://ccp.vo.llnwd.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETVPMYPDWY
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_SKYNETvpmypdwy


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-09 22:54 . 2009-08-09 22:54 0 ----a-w- c:\documents and settings\Tim\jagex_runescape_preferences.dat
2009-08-09 22:54 . 2009-08-09 22:54 -------- d-----w- c:\windows\.jagex_cache_32
2009-08-09 21:04 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-09 21:04 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-09 21:04 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-09 21:04 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-09 21:04 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-09 21:04 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-09 21:04 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-09 21:04 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-09 21:04 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-08 16:01 . 2009-08-08 16:01 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes
2009-08-08 16:01 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 16:01 . 2009-08-10 14:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:01 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 09:09 . 2009-08-08 09:09 -------- d-----w- c:\program files\trend micro
2009-08-07 05:52 . 2009-08-07 05:52 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Symantec
2009-08-07 05:48 . 2009-08-07 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-07 05:48 . 2009-08-07 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-07 05:44 . 2009-08-07 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-07 05:42 . 2009-08-07 05:50 -------- d-----w- c:\documents and settings\Tim\Application Data\GetRightToGo
2009-08-06 21:39 . 2009-08-06 21:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-06 21:31 . 2009-08-06 21:31 9021376 ----a-w- C:\windows-kb890830-v2.12.exe
2009-08-06 21:01 . 2009-08-06 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 20:08 . 2009-08-06 20:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-06 20:07 . 2009-08-06 20:07 -------- d-----w- c:\documents and settings\Tim\Application Data\PC Tools
2009-08-06 18:28 . 2009-08-06 18:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-06 14:10 . 2009-08-06 14:10 76544 ----a-w- c:\windows\system32\drivers\hnzftgwsif.sys
2009-08-06 14:01 . 2009-08-06 14:08 -------- d-----w- c:\windows\system32\CatRoot
2009-08-06 14:00 . 2009-08-06 14:20 119372 ----a-w- c:\windows\system32\drivers\527f4a3f.sys
2009-08-04 16:56 . 2009-08-04 16:56 -------- d-----w- c:\program files\City Interactive
2009-08-04 08:44 . 2009-08-07 08:38 -------- d-----w- c:\program files\Vendetta Online
2009-08-03 06:58 . 2009-08-07 08:42 -------- d-----w- c:\program files\Driving Simulator 2009
2009-07-28 09:18 . 2009-07-28 09:18 -------- d-----w- c:\documents and settings\Tim\Application Data\LucasArts
2009-07-28 09:15 . 2009-07-28 09:18 -------- d-----w- c:\program files\Secret Of Monkey Island SE
2009-07-27 07:05 . 2009-08-10 16:10 1369 --sha-w- c:\windows\system32\mmf.sys
2009-07-27 07:05 . 2009-07-27 07:05 48640 ----a-w- c:\windows\mmfs.dll
2009-07-27 07:05 . 2009-07-27 07:05 2560 ----a-w- c:\windows\Runservice.exe
2009-07-27 06:55 . 2009-07-27 06:55 -------- d-----w- c:\program files\Battlefront
2009-07-27 06:50 . 2009-07-27 06:50 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Gas Powered Games
2009-07-17 07:31 . 2009-07-17 07:31 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Ubisoft
2009-07-17 07:24 . 2009-07-17 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
2009-07-14 04:13 . 2009-08-10 15:29 -------- d-----w- c:\documents and settings\Tim\Application Data\vlc
2009-07-14 01:41 . 2009-07-14 01:41 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\assembly
2009-07-14 01:39 . 2009-07-14 01:39 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\IsolatedStorage
2009-07-14 01:39 . 2009-07-14 01:39 -------- d-----w- c:\program files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 16:14 . 2009-01-09 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Bitmeter2
2009-08-10 16:11 . 2008-11-23 20:10 -------- d-----w- c:\program files\lg_fwupdate
2009-08-10 15:36 . 2008-12-10 08:21 -------- d-----w- c:\program files\PeerGuardian2
2009-08-10 15:19 . 2009-01-09 02:47 -------- d-----w- c:\documents and settings\Tim\Application Data\dvdcss
2009-08-10 14:26 . 2008-12-01 22:42 -------- d-----w- c:\documents and settings\Tim\Application Data\uTorrent
2009-08-09 23:28 . 2008-12-26 21:35 189104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-09 22:56 . 2008-12-26 21:36 139584 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-09 19:35 . 2008-11-23 21:51 -------- d-----w- c:\program files\Paint Shop Pro 6
2009-08-07 12:24 . 2008-11-23 20:15 20056 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 09:27 . 2008-12-20 16:56 -------- d-----w- c:\program files\LimeWire
2009-08-07 08:43 . 2008-12-14 20:13 -------- d-----w- c:\program files\EA GAMES
2009-08-07 08:40 . 2009-06-02 02:16 -------- d-----w- c:\program files\Ubisoft
2009-08-07 08:40 . 2008-11-23 19:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-07 08:36 . 2009-07-03 05:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2009-08-07 08:34 . 2009-07-02 03:19 -------- d-----w- c:\program files\Nobilis
2009-08-07 08:32 . 2009-07-02 03:38 -------- d-----w- c:\program files\1C Company
2009-08-07 08:26 . 2009-07-01 08:16 -------- d-----w- c:\program files\ZenoClash
2009-08-06 22:12 . 2008-11-23 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-06 22:12 . 2008-11-23 21:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-06 21:43 . 2009-01-11 07:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-06 16:18 . 2009-06-16 05:14 21040 ----a-w- c:\documents and settings\Nicole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-02 06:07 . 2009-02-25 17:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-01 14:34 . 2008-12-20 17:00 -------- d-----w- c:\documents and settings\Tim\Application Data\LimeWire
2009-07-30 12:52 . 2009-01-14 11:40 -------- d-----w- c:\program files\Telltale Games
2009-07-28 09:51 . 2008-12-23 00:50 -------- d-----w- c:\program files\LucasArts
2009-07-19 15:45 . 2009-06-16 05:14 -------- d-----w- c:\documents and settings\Nicole\Application Data\BitMeter2
2009-07-17 05:19 . 2009-07-10 05:21 -------- d-----w- c:\program files\Velvet Assassin
2009-07-14 03:27 . 2008-11-23 21:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-09 02:31 . 2009-07-09 02:31 -------- d-----w- c:\documents and settings\Tim\Application Data\Ubisoft
2009-07-09 02:23 . 2009-03-05 00:59 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-07-09 02:23 . 2009-03-05 00:59 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-07-09 01:13 . 2008-12-26 06:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-09 00:30 . 2008-12-26 21:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-06 09:40 . 2008-11-23 22:07 -------- d-----w- c:\program files\DivX
2009-07-06 09:40 . 2009-07-03 22:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-06 07:13 . 2008-12-21 22:52 -------- d-----w- c:\program files\Codemasters
2009-07-04 21:44 . 2009-03-13 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-07-04 06:09 . 2009-01-26 19:46 -------- d-----w- c:\program files\Google
2009-07-03 06:49 . 2009-07-03 06:49 -------- d-----w- c:\program files\Flagship Studios
2009-07-03 05:54 . 2009-07-02 08:27 -------- d-----w- c:\program files\Sins of a Solar Empire
2009-07-03 05:52 . 2008-11-24 00:40 -------- d-----w- c:\program files\Stardock Games
2009-07-02 08:21 . 2009-06-21 09:02 -------- d-----w- c:\program files\Hinterland
2009-07-02 03:03 . 2009-07-02 03:03 -------- d-----w- c:\program files\Strategy First
2009-07-02 02:39 . 2009-07-02 02:39 -------- d-----w- c:\program files\Sierra
2009-07-01 07:39 . 2009-07-01 07:30 -------- d-----w- c:\program files\Postal2STP
2009-07-01 05:32 . 2008-12-27 19:08 -------- d-----w- c:\program files\Bethesda Softworks
2009-07-01 04:46 . 2008-12-26 06:52 -------- d-----w- c:\program files\Activision
2009-07-01 02:12 . 2009-05-10 06:23 127872 ----a-w- c:\documents and settings\Tim\Application Data\Move Networks\uninstall.exe
2009-07-01 02:12 . 2009-01-15 04:35 -------- d-----w- c:\documents and settings\Tim\Application Data\Move Networks
2009-07-01 02:12 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Tim\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-07-01 02:12 . 2009-07-01 02:06 1685856 ----a-w- c:\documents and settings\Tim\Application Data\Move Networks\MoveMediaPlayerWinSilent_071503000010.exe
2009-06-29 16:12 . 2008-04-14 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-29 07:57 . 2009-06-29 07:57 -------- d-----w- c:\program files\Common Files\DirectX
2009-06-23 07:19 . 2009-06-23 07:19 -------- d-----w- c:\program files\Mad Scientist Productions
2009-06-16 14:36 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Tim\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-14 07:25 . 2009-06-14 07:25 126 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\fusioncache.dat
2009-06-13 20:17 . 2008-12-26 21:36 22328 ----a-w- c:\documents and settings\Tim\Application Data\PnkBstrK.sys
2009-06-13 20:17 . 2008-12-26 21:36 22328 ----a-w- c:\documents and settings\Tim\Application Data\PnkBstrK.sys
2009-06-13 20:16 . 2009-01-25 22:22 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-06-13 17:14 . 2009-06-13 17:14 390664 ----a-w- c:\documents and settings\Tim\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-03 19:09 . 2008-04-14 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 22:28 . 2009-03-12 00:29 6442 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-05-26 17:00 . 2009-05-26 17:00 10134 ----a-r- c:\documents and settings\Tim\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2009-06-29 16:23 828928 4C6B4138165A4C53FE8A5B1D809526C3 c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\wininet.dll
[7] 2008-04-14 12:00 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ie7\wininet.dll
[-] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
[-] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\ie7updates\KB972260-IE7\wininet.dll
[-] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3gdr\wininet.dll
[-] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3qfe\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\wininet.dll
[-] 2009-05-13 05:15 915456 366C72AF6970DB7BB39AB0142BF09DB5 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3GDR\wininet.dll
[-] 2009-05-13 05:10 915456 C0EB6850C8A02A154281749DC61FAF22 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3QFE\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2GDR\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2QFE\wininet.dll
[-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\system32\wininet.dll
[-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\system32\dllcache\wininet.dll

[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 12:00 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[-] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2008-04-14 12:00 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[-] 2008-06-23 16:01 3594240 28B8231CA8D55FC85E027A57C90F5C88 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[-] 2008-08-26 09:08 3594752 25CC085720EE3617FD1F8AB9E2F7CAB2 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[-] 2008-10-16 20:24 3595264 B74F31A4BD83797D7A083F922169287D c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[-] 2008-12-13 06:26 3594752 C79FAD61CD4A26ED5AA8C16D991C6FBD c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[-] 2009-01-16 16:24 3596288 CC9D001B7370B292C35B366CA05B12B4 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[-] 2009-02-21 07:39 3596800 1BB754AB47B327DE8DBF2FA18C36357C c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\mshtml.dll
[-] 2009-04-29 04:49 3598336 C6FD770D518FB024245A0EE217D72BC1 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
[-] 2009-07-19 13:31 3600384 F6098CC1B1C3858D53F20F3CB5774F3B c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\mshtml.dll
[7] 2008-04-14 12:00 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\ie7\mshtml.dll
[-] 2007-08-13 23:54 3578368 C6EC2493346ED8888A549F59210A8ED3 c:\windows\ie7updates\KB953838-IE7\mshtml.dll
[-] 2008-06-24 15:57 3592192 EC936148284F557F19C333178768109B c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[-] 2008-08-27 18:54 3593216 1AD035E04A7068EC2820B055A3131ED8 c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[-] 2008-10-17 07:08 3593216 EACAEDEF6FA2A969DE5B36190D45396F c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[-] 2008-12-13 06:40 3593216 121EC39A64D64205A88C2C45B034B455 c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[-] 2009-01-17 02:35 3594752 3B413267DA8AE71C20E5EF3E54F74728 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
[-] 2009-02-20 18:09 3595264 C7C3E41CC2F6EB4A629FE2184136C098 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
[-] 2009-04-29 04:56 3596288 2B4315EC9E3124408A2A5074C4B97700 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
[-] 2008-08-20 05:30 3067904 507BDA42F7DB8209C0F0B3556A043491 c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3gdr\mshtml.dll
[-] 2008-08-20 04:58 3067904 BD45470B132A0F98596277323D9F2E5A c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3qfe\mshtml.dll
[-] 2008-08-27 18:54 3593216 1AD035E04A7068EC2820B055A3131ED8 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\mshtml.dll
[-] 2008-08-26 09:08 3594752 25CC085720EE3617FD1F8AB9E2F7CAB2 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\mshtml.dll
[-] 2009-05-13 05:15 5936128 EEAADAA744B20E68CF5EB4FBB4F8AFA9 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3GDR\mshtml.dll
[-] 2009-05-13 05:10 5936128 1290E417BF806185CC7B2845E78A104E c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3QFE\mshtml.dll
[-] 2008-06-24 15:57 3592192 EC936148284F557F19C333178768109B c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2GDR\mshtml.dll
[-] 2008-06-23 16:01 3594240 28B8231CA8D55FC85E027A57C90F5C88 c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2QFE\mshtml.dll
[-] 2009-07-19 13:33 3597824 758C8BEDAB7CE5F9070C85E2E57CBD80 c:\windows\system32\mshtml.dll
[-] 2009-07-19 13:33 3597824 758C8BEDAB7CE5F9070C85E2E57CBD80 c:\windows\system32\dllcache\mshtml.dll

[-] 2009-02-09 10:56 401408 9222562D44021B988B9F9F62207FB6F2 c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[7] 2008-04-14 12:00 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\$NtUninstallKB956572$\rpcss.dll
[-] 2009-02-09 12:10 401408 6B27A5C03DFB94B4245739065431322C c:\windows\system32\rpcss.dll
[-] 2009-02-09 12:10 401408 6B27A5C03DFB94B4245739065431322C c:\windows\system32\dllcache\rpcss.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-21 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-21 172032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-21 143360]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-11-23 548864]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\Tim\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-12-5 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-23 113664]
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2008-6-29 1462272]
MFWAKeys.lnk - c:\program files\MOTU\FireWire Audio\MFWAKeys.exe [2009-2-17 102400]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Freelancer\\EXE\\Freelancer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Codemasters\\DiRT\\DiRT.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Documents and Settings\\Tim\\Desktop\\WiCKED-DOW2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\EA GAMES\\Mercenaries 2 World in Flames\\Mercenaries2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57533:TCP"= 57533:TCP:Pando Media Booster
"57533:UDP"= 57533:UDP:Pando Media Booster

R1 527f4a3f;527f4a3f;c:\windows\system32\drivers\527f4a3f.sys [8/6/2009 10:00 AM 119372]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/9/2009 5:04 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/9/2009 5:04 PM 20560]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [7/27/2009 3:05 AM 2560]
R2 lplnbrx;lplnbrx;c:\windows\system32\drivers\hnzftgwsif.sys [8/6/2009 10:10 AM 76544]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2/17/2009 3:35 PM 33792]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/23/2008 4:03 PM 110080]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/6/2009 2:44 PM 22891]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2/17/2009 3:30 PM 17024]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWave.sys [2/17/2009 3:30 PM 22656]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\MotuFWA.sys [2/17/2009 3:30 PM 111616]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [3/6/2009 2:44 PM 49024]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{BD56A320-23F2-42AD-F4E4-00AAC39CAA53} - (no file)
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\vjlg1qxr.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Tim\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Tim\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 12:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-2111687655-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:2f,e9,e7,8b,71,e7,b3,a8,ed,eb,4f,37,6f,c6,4e,2e,10,1a,78,bf,67,
b0,89,4e,e4,25,d5,69,0d,17,2a,2f,4a,e0,df,7c,83,2e,c5,79,bd,be,2d,49,34,5d,\
"rkeysecu"=hex:39,8e,b4,03,43,b1,cb,7f,cd,57,48,f4,e3,f0,30,67

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B7F5EA513569EA3E98352E3A3D1D6A3D]
"1"=hex:df,c7,3a,96,ab,66,13,d2,36,78,6c,b8,10,1c,c4,b0,a6,93,a9,25,23,fb,66,
2c,77,d8,5d,6a,fe,59,6e,ef
"2"=hex:84,e0,11,4a,54,77,0e,d0
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:58,eb,3b,8d,af,31,32,62,22,1b,23,79,6d,f4,12,c1,db,b4,20,3e,7f,80,2a,
0f,6a,a6,22,9f,10,4c,a5,77,df,44,a4,37,10,4b,bc,75,d7,98,0e,82,a4,8d,85,b3,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,c9,4f,a5,f8,51,27,e9,29,77,5c,86,6d,0a,20,f9,c7,d0,f6,13,82,1b,05,61,d1,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-10 12:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 16:15

Pre-Run: 353,893,425,152 bytes free
Post-Run: 353,968,095,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

406 --- E O F --- 2009-07-31 07:00


Currently searching for the avenger.txt, and i'll post if I find it.

Wildman0420
2009-08-10, 19:26
No luck on finding the avenger.txt

Blade81
2009-08-10, 19:32
Ok. If Avenger log can't be found then we'll leave that thing for now.

Let's see if you're able to run DDS (http://forums.spybot.info/showpost.php?p=327046&postcount=2) too. Post back the logs.

Wildman0420
2009-08-10, 19:46
DDS (Ver_09-07-30.01) - NTFSx86
Run by Tim at 12:37:27.82 on Mon 08/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1332 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! antivirus 4.8.1335 [VPS 090810-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\NDP30SP2-KB958483-x86.exe
c:\04c5c7f96ec14cf236ae2e45b0\HotFixInstaller.exe
c:\WINDOWS\system32\MsiExec.exe
c:\WINDOWS\system32\MsiExec.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe
C:\Documents and Settings\Tim\Desktop\wildman.com
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\documents and settings\tim\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mfwakeys.lnk - c:\program files\motu\firewire audio\MFWAKeys.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227469912828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tim\applic~1\mozilla\firefox\profiles\vjlg1qxr.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\tim\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\tim\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 527f4a3f;527f4a3f;c:\windows\system32\drivers\527f4a3f.sys [2009-8-6 119372]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-9 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-9 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-8-9 138680]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-7-27 2560]
R2 lplnbrx;lplnbrx;c:\windows\system32\drivers\hnzftgwsif.sys [2009-8-6 76544]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-8-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-8-9 352920]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-2-17 33792]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-11-23 26488]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-23 110080]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2009-3-6 22891]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2009-2-17 17024]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWave.sys [2009-2-17 22656]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\MotuFWA.sys [2009-2-17 111616]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [2009-3-6 49024]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================

2009-08-10 12:37 <DIR> --d----- C:\04c5c7f96ec14cf236ae2e45b0
2009-08-10 12:30 <DIR> --d----- C:\00269b811530a16cff
2009-08-10 12:14 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-10 12:05 <DIR> a-dshr-- C:\cmdcons
2009-08-10 12:04 216,064 a------- c:\windows\PEV.exe
2009-08-10 12:04 161,792 a------- c:\windows\SWREG.exe
2009-08-10 12:04 98,816 a------- c:\windows\sed.exe
2009-08-09 18:54 0 a------- c:\documents and settings\tim\jagex_runescape_preferences.dat
2009-08-09 18:54 <DIR> --d----- c:\windows\.jagex_cache_32
2009-08-08 12:01 <DIR> --d----- c:\docume~1\tim\applic~1\Malwarebytes
2009-08-08 12:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 12:01 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 12:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 05:09 <DIR> --d----- c:\program files\trend micro
2009-08-07 01:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-08-07 01:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-07 01:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-07 01:42 <DIR> --d----- c:\docume~1\tim\applic~1\GetRightToGo
2009-08-06 17:31 9,021,376 a------- C:\windows-kb890830-v2.12.exe
2009-08-06 17:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-06 16:07 <DIR> --d----- c:\docume~1\tim\applic~1\PC Tools
2009-08-06 10:10 76,544 a------- c:\windows\system32\drivers\hnzftgwsif.sys
2009-08-06 10:01 <DIR> --d----- c:\windows\system32\CatRoot
2009-08-06 10:00 119,372 a------- c:\windows\system32\drivers\527f4a3f.sys
2009-08-06 10:00 2 a------- C:\611933923
2009-08-04 12:56 <DIR> --d----- c:\program files\City Interactive
2009-08-04 04:44 <DIR> --d----- c:\program files\Vendetta Online
2009-08-03 02:58 <DIR> --d----- c:\program files\Driving Simulator 2009
2009-07-28 05:18 <DIR> --d----- c:\docume~1\tim\applic~1\LucasArts
2009-07-28 05:15 <DIR> --d----- c:\program files\Secret Of Monkey Island SE
2009-07-27 03:05 126,976 a------- c:\windows\lcmmfu.cpl
2009-07-27 03:05 1,369 a--sh--- c:\windows\system32\mmf.sys
2009-07-27 03:05 48,640 a------- c:\windows\mmfs.dll
2009-07-27 03:05 2,560 a------- c:\windows\Runservice.exe
2009-07-27 02:55 <DIR> --d----- c:\program files\Battlefront
2009-07-13 21:39 <DIR> --d----- c:\program files\Virtual Earth 3D

==================== Find3M ====================

2009-08-09 19:28 189,104 a------- c:\windows\system32\PnkBstrB.exe
2009-08-09 18:56 139,584 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-08 22:23 281,760 a------- c:\windows\system32\drivers\atksgt.sys
2009-07-08 22:23 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2009-07-08 20:30 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-13 16:17 22,328 a------- c:\docume~1\tim\applic~1\PnkBstrK.sys
2009-06-13 16:16 669,184 a------- c:\windows\system32\pbsvc.exe
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-01 18:28 6,442 a------- c:\windows\system32\ealregsnapshot1.reg
2006-06-24 10:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 12:37:52.31 ===============

Blade81
2009-08-10, 20:42
Hi,

Download & run Norton removal tool (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039) to get rid of Norton remnants.



Open notepad and copy/paste the text in the quotebox below into it:



http://forums.spybot.info/showthread.php?t=50602&page=3

Driver::
527f4a3f
lplnbrx

Collect::
c:\windows\system32\drivers\hnzftgwsif.sys
c:\windows\system32\drivers\527f4a3f.sys

File::
C:\611933923

Folder::
c:\documents and settings\Tim\Application Data\uTorrent
c:\program files\LimeWire
c:\documents and settings\Tim\Application Data\LimeWire
c:\Program Files\BitLord

DirLook::
C:\04c5c7f96ec14cf236ae2e45b0
C:\00269b811530a16cff

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitLord\\BitLord.exe"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

_________

Update Adobe Reader version with updates 9.1.2 + 9.1.3 here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).


Uninstall vulnerable Flash versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 15 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u15-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

__________________

Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Wildman0420
2009-08-11, 00:29
DDS (Ver_09-07-30.01) - NTFSx86
Run by Tim at 17:27:59.90 on Mon 08/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1421 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090810-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\runservice.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Tim\Desktop\wildman.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\documents and settings\tim\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mfwakeys.lnk - c:\program files\motu\firewire audio\MFWAKeys.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227469912828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tim\applic~1\mozilla\firefox\profiles\vjlg1qxr.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\tim\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\tim\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-9 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-9 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-8-9 138680]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-7-27 2560]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-8-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-8-9 352920]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-2-17 33792]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-23 110080]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2009-3-6 22891]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2009-2-17 17024]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWave.sys [2009-2-17 22656]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\MotuFWA.sys [2009-2-17 111616]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [2009-3-6 49024]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================

2009-08-10 15:11 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-10 15:09 <DIR> --d----- c:\documents and settings\tim\.SunDownloadManager
2009-08-10 14:42 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-08-10 14:42 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-10 14:39 <DIR> --d----- c:\program files\XBox 360 Controller for Windows Software
2009-08-10 12:33 <DIR> --d----- C:\872c84c2d43db5fa508fd58bed5c3cee
2009-08-10 12:33 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-10 12:14 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-10 12:05 <DIR> a-dshr-- C:\cmdcons
2009-08-10 12:04 216,064 a------- c:\windows\PEV.exe
2009-08-10 12:04 161,792 a------- c:\windows\SWREG.exe
2009-08-10 12:04 98,816 a------- c:\windows\sed.exe
2009-08-09 18:54 0 a------- c:\documents and settings\tim\jagex_runescape_preferences.dat
2009-08-09 18:54 <DIR> --d----- c:\windows\.jagex_cache_32
2009-08-08 12:01 <DIR> --d----- c:\docume~1\tim\applic~1\Malwarebytes
2009-08-08 12:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 12:01 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 12:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 05:09 <DIR> --d----- c:\program files\trend micro
2009-08-07 01:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-07 01:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-07 01:42 <DIR> --d----- c:\docume~1\tim\applic~1\GetRightToGo
2009-08-06 17:31 9,021,376 a------- C:\windows-kb890830-v2.12.exe
2009-08-06 17:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-06 16:07 <DIR> --d----- c:\docume~1\tim\applic~1\PC Tools
2009-08-06 10:10 76,544 a------- c:\windows\system32\drivers\hnzftgwsif.sys
2009-08-06 10:01 <DIR> --d----- c:\windows\system32\CatRoot
2009-08-06 10:00 119,372 a------- c:\windows\system32\drivers\527f4a3f.sys
2009-08-06 10:00 2 a------- C:\611933923
2009-08-04 12:56 <DIR> --d----- c:\program files\City Interactive
2009-08-04 04:44 <DIR> --d----- c:\program files\Vendetta Online
2009-08-03 02:58 <DIR> --d----- c:\program files\Driving Simulator 2009
2009-07-28 05:18 <DIR> --d----- c:\docume~1\tim\applic~1\LucasArts
2009-07-28 05:15 <DIR> --d----- c:\program files\Secret Of Monkey Island SE
2009-07-27 03:05 126,976 a------- c:\windows\lcmmfu.cpl
2009-07-27 03:05 1,369 a--sh--- c:\windows\system32\mmf.sys
2009-07-27 03:05 48,640 a------- c:\windows\mmfs.dll
2009-07-27 03:05 2,560 a------- c:\windows\Runservice.exe
2009-07-27 02:55 <DIR> --d----- c:\program files\Battlefront
2009-07-13 21:39 <DIR> --d----- c:\program files\Virtual Earth 3D

==================== Find3M ====================

2009-08-10 15:11 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-09 19:28 189,104 a------- c:\windows\system32\PnkBstrB.exe
2009-08-09 18:56 139,584 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-08 22:23 281,760 a------- c:\windows\system32\drivers\atksgt.sys
2009-07-08 22:23 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2009-07-08 20:30 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-13 16:17 22,328 a------- c:\docume~1\tim\applic~1\PnkBstrK.sys
2009-06-13 16:16 669,184 a------- c:\windows\system32\pbsvc.exe
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-01 18:28 6,442 a------- c:\windows\system32\ealregsnapshot1.reg
2006-06-24 10:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 17:28:15.48 ===============

Blade81
2009-08-11, 18:02
Hi,

Did you do other steps yet? DDS log shows that ComboFix related steps weren't taken yet. Please do all listed there and post requested logs. Let me know if there're any problems preventing you from following the steps.

Wildman0420
2009-08-11, 22:35
Ok,
Ran your scropt through combofix, this is the log:

ComboFix 09-08-10.01 - Tim 08/11/2009 15:02.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1611 [GMT -4:00]
Running from: c:\documents and settings\Tim\Desktop\wildman.exe
Command switches used :: c:\documents and settings\Tim\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090810-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"C:\611933923"

file zipped: c:\windows\system32\drivers\527f4a3f.sys
file zipped: c:\windows\system32\drivers\hnzftgwsif.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?
c:\documents and settings\Tim\Application Data\uTorrent

.
((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.

2009-08-10 19:11 . 2009-08-10 19:11 -------- d-----w- c:\program files\Java
2009-08-10 19:09 . 2009-08-10 19:09 -------- d-----w- c:\documents and settings\Tim\.SunDownloadManager
2009-08-10 18:39 . 2009-08-10 18:39 -------- d-----w- c:\program files\XBox 360 Controller for Windows Software
2009-08-10 16:33 . 2009-08-10 16:33 -------- d-----w- C:\872c84c2d43db5fa508fd58bed5c3cee
2009-08-10 16:33 . 2009-08-10 16:40 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-09 22:54 . 2009-08-09 22:54 0 ----a-w- c:\documents and settings\Tim\jagex_runescape_preferences.dat
2009-08-09 22:54 . 2009-08-09 22:54 -------- d-----w- c:\windows\.jagex_cache_32
2009-08-09 21:04 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-09 21:04 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-09 21:04 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-09 21:04 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-09 21:04 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-09 21:04 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-09 21:04 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-09 21:04 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-09 21:04 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-08 16:01 . 2009-08-08 16:01 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes
2009-08-08 16:01 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 16:01 . 2009-08-10 14:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:01 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 09:09 . 2009-08-08 09:09 -------- d-----w- c:\program files\trend micro
2009-08-07 05:52 . 2009-08-07 05:52 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Symantec
2009-08-07 05:48 . 2009-08-07 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-07 05:44 . 2009-08-10 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-07 05:42 . 2009-08-07 05:50 -------- d-----w- c:\documents and settings\Tim\Application Data\GetRightToGo
2009-08-06 21:39 . 2009-08-06 21:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-06 21:31 . 2009-08-06 21:31 9021376 ----a-w- C:\windows-kb890830-v2.12.exe
2009-08-06 21:01 . 2009-08-06 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 20:07 . 2009-08-06 20:07 -------- d-----w- c:\documents and settings\Tim\Application Data\PC Tools
2009-08-06 18:28 . 2009-08-06 18:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-06 14:10 . 2009-08-11 19:02 76544 ----a-w- c:\windows\system32\drivers\hnzftgwsif.sys
2009-08-06 14:01 . 2009-08-06 14:08 -------- d-----w- c:\windows\system32\CatRoot
2009-08-06 14:00 . 2009-08-11 19:02 119372 ----a-w- c:\windows\system32\drivers\527f4a3f.sys
2009-08-04 16:56 . 2009-08-04 16:56 -------- d-----w- c:\program files\City Interactive
2009-08-04 08:44 . 2009-08-07 08:38 -------- d-----w- c:\program files\Vendetta Online
2009-08-03 06:58 . 2009-08-07 08:42 -------- d-----w- c:\program files\Driving Simulator 2009
2009-07-28 09:18 . 2009-07-28 09:18 -------- d-----w- c:\documents and settings\Tim\Application Data\LucasArts
2009-07-28 09:15 . 2009-07-28 09:18 -------- d-----w- c:\program files\Secret Of Monkey Island SE
2009-07-27 07:05 . 2009-08-11 12:58 1369 --sha-w- c:\windows\system32\mmf.sys
2009-07-27 07:05 . 2009-07-27 07:05 48640 ----a-w- c:\windows\mmfs.dll
2009-07-27 07:05 . 2009-07-27 07:05 2560 ----a-w- c:\windows\Runservice.exe
2009-07-27 06:55 . 2009-07-27 06:55 -------- d-----w- c:\program files\Battlefront
2009-07-27 06:50 . 2009-07-27 06:50 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Gas Powered Games
2009-07-17 07:31 . 2009-07-17 07:31 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Ubisoft
2009-07-17 07:24 . 2009-07-17 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
2009-07-14 04:13 . 2009-08-11 16:35 -------- d-----w- c:\documents and settings\Tim\Application Data\vlc
2009-07-14 01:41 . 2009-07-14 01:41 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\assembly
2009-07-14 01:39 . 2009-07-14 01:39 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\IsolatedStorage
2009-07-14 01:39 . 2009-07-14 01:39 -------- d-----w- c:\program files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 19:07 . 2009-01-09 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Bitmeter2
2009-08-11 19:07 . 2008-12-10 08:21 -------- d-----w- c:\program files\PeerGuardian2
2009-08-11 18:57 . 2008-11-23 21:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 18:57 . 2008-11-23 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-11 16:40 . 2008-11-23 21:51 -------- d-----w- c:\program files\Paint Shop Pro 6
2009-08-11 13:01 . 2008-11-23 20:10 -------- d-----w- c:\program files\lg_fwupdate
2009-08-10 21:40 . 2009-01-09 02:47 -------- d-----w- c:\documents and settings\Tim\Application Data\dvdcss
2009-08-10 19:11 . 2008-12-20 16:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 19:05 . 2008-11-23 21:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-10 18:42 . 2009-08-10 18:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-08-10 18:42 . 2009-08-10 18:42 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-10 16:41 . 2008-11-23 20:15 20056 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 23:28 . 2008-12-26 21:35 189104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-09 22:56 . 2008-12-26 21:36 139584 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-07 08:43 . 2008-12-14 20:13 -------- d-----w- c:\program files\EA GAMES
2009-08-07 08:40 . 2009-06-02 02:16 -------- d-----w- c:\program files\Ubisoft
2009-08-07 08:40 . 2008-11-23 19:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-07 08:36 . 2009-07-03 05:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2009-08-07 08:34 . 2009-07-02 03:19 -------- d-----w- c:\program files\Nobilis
2009-08-07 08:32 . 2009-07-02 03:38 -------- d-----w- c:\program files\1C Company
2009-08-07 08:26 . 2009-07-01 08:16 -------- d-----w- c:\program files\ZenoClash
2009-08-06 21:43 . 2009-01-11 07:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-06 16:18 . 2009-06-16 05:14 21040 ----a-w- c:\documents and settings\Nicole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-02 06:07 . 2009-02-25 17:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 12:52 . 2009-01-14 11:40 -------- d-----w- c:\program files\Telltale Games
2009-07-28 09:51 . 2008-12-23 00:50 -------- d-----w- c:\program files\LucasArts
2009-07-19 15:45 . 2009-06-16 05:14 -------- d-----w- c:\documents and settings\Nicole\Application Data\BitMeter2
2009-07-17 05:19 . 2009-07-10 05:21 -------- d-----w- c:\program files\Velvet Assassin
2009-07-09 02:31 . 2009-07-09 02:31 -------- d-----w- c:\documents and settings\Tim\Application Data\Ubisoft
2009-07-09 02:23 . 2009-03-05 00:59 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-07-09 02:23 . 2009-03-05 00:59 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-07-09 01:13 . 2008-12-26 06:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-09 00:30 . 2008-12-26 21:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-06 09:40 . 2008-11-23 22:07 -------- d-----w- c:\program files\DivX
2009-07-06 09:40 . 2009-07-03 22:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-06 07:13 . 2008-12-21 22:52 -------- d-----w- c:\program files\Codemasters
2009-07-04 21:44 . 2009-03-13 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-07-04 06:09 . 2009-01-26 19:46 -------- d-----w- c:\program files\Google
2009-07-03 06:49 . 2009-07-03 06:49 -------- d-----w- c:\program files\Flagship Studios
2009-07-03 05:54 . 2009-07-02 08:27 -------- d-----w- c:\program files\Sins of a Solar Empire
2009-07-03 05:52 . 2008-11-24 00:40 -------- d-----w- c:\program files\Stardock Games
2009-07-02 08:21 . 2009-06-21 09:02 -------- d-----w- c:\program files\Hinterland
2009-07-02 03:03 . 2009-07-02 03:03 -------- d-----w- c:\program files\Strategy First
2009-07-02 02:39 . 2009-07-02 02:39 -------- d-----w- c:\program files\Sierra
2009-07-01 07:39 . 2009-07-01 07:30 -------- d-----w- c:\program files\Postal2STP
2009-07-01 05:32 . 2008-12-27 19:08 -------- d-----w- c:\program files\Bethesda Softworks
2009-07-01 04:46 . 2008-12-26 06:52 -------- d-----w- c:\program files\Activision
2009-07-01 02:12 . 2009-05-10 06:23 127872 ----a-w- c:\documents and settings\Tim\Application Data\Move Networks\uninstall.exe
2009-07-01 02:12 . 2009-01-15 04:35 -------- d-----w- c:\documents and settings\Tim\Application Data\Move Networks
2009-07-01 02:12 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Tim\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-07-01 02:12 . 2009-07-01 02:06 1685856 ----a-w- c:\documents and settings\Tim\Application Data\Move Networks\MoveMediaPlayerWinSilent_071503000010.exe
2009-06-29 16:12 . 2008-04-14 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-29 07:57 . 2009-06-29 07:57 -------- d-----w- c:\program files\Common Files\DirectX
2009-06-23 07:19 . 2009-06-23 07:19 -------- d-----w- c:\program files\Mad Scientist Productions
2009-06-16 14:36 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Tim\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-14 07:25 . 2009-06-14 07:25 126 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\fusioncache.dat
2009-06-13 20:17 . 2008-12-26 21:36 22328 ----a-w- c:\documents and settings\Tim\Application Data\PnkBstrK.sys
2009-06-13 20:17 . 2008-12-26 21:36 22328 ----a-w- c:\documents and settings\Tim\Application Data\PnkBstrK.sys
2009-06-13 20:16 . 2009-01-25 22:22 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-06-13 17:14 . 2009-06-13 17:14 390664 ----a-w- c:\documents and settings\Tim\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-03 19:09 . 2008-04-14 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 22:28 . 2009-03-12 00:29 6442 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-05-26 17:00 . 2009-05-26 17:00 10134 ----a-r- c:\documents and settings\Tim\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\00269b811530a16cff ----


---- Directory of C:\04c5c7f96ec14cf236ae2e45b0 ----



------- Sigcheck -------

[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2009-06-29 16:23 828928 4C6B4138165A4C53FE8A5B1D809526C3 c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\wininet.dll
[7] 2008-04-14 12:00 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ie7\wininet.dll
[-] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
[-] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[-] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\ie7updates\KB972260-IE7\wininet.dll
[-] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3gdr\wininet.dll
[-] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3qfe\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\wininet.dll
[-] 2009-05-13 05:15 915456 366C72AF6970DB7BB39AB0142BF09DB5 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3GDR\wininet.dll
[-] 2009-05-13 05:10 915456 C0EB6850C8A02A154281749DC61FAF22 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3QFE\wininet.dll
[-] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2GDR\wininet.dll
[-] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2QFE\wininet.dll
[-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\system32\wininet.dll
[-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\system32\dllcache\wininet.dll

[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
[-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 12:00 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[-] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2008-04-14 12:00 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[-] 2008-06-23 16:01 3594240 28B8231CA8D55FC85E027A57C90F5C88 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[-] 2008-08-26 09:08 3594752 25CC085720EE3617FD1F8AB9E2F7CAB2 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[-] 2008-10-16 20:24 3595264 B74F31A4BD83797D7A083F922169287D c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[-] 2008-12-13 06:26 3594752 C79FAD61CD4A26ED5AA8C16D991C6FBD c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[-] 2009-01-16 16:24 3596288 CC9D001B7370B292C35B366CA05B12B4 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[-] 2009-02-21 07:39 3596800 1BB754AB47B327DE8DBF2FA18C36357C c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\mshtml.dll
[-] 2009-04-29 04:49 3598336 C6FD770D518FB024245A0EE217D72BC1 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
[-] 2009-07-19 13:31 3600384 F6098CC1B1C3858D53F20F3CB5774F3B c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\mshtml.dll
[7] 2008-04-14 12:00 3066880 A706E122B398FE1AB85CB9B75D044223 c:\windows\ie7\mshtml.dll
[-] 2007-08-13 23:54 3578368 C6EC2493346ED8888A549F59210A8ED3 c:\windows\ie7updates\KB953838-IE7\mshtml.dll
[-] 2008-06-24 15:57 3592192 EC936148284F557F19C333178768109B c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[-] 2008-08-27 18:54 3593216 1AD035E04A7068EC2820B055A3131ED8 c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[-] 2008-10-17 07:08 3593216 EACAEDEF6FA2A969DE5B36190D45396F c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[-] 2008-12-13 06:40 3593216 121EC39A64D64205A88C2C45B034B455 c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[-] 2009-01-17 02:35 3594752 3B413267DA8AE71C20E5EF3E54F74728 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
[-] 2009-02-20 18:09 3595264 C7C3E41CC2F6EB4A629FE2184136C098 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
[-] 2009-04-29 04:56 3596288 2B4315EC9E3124408A2A5074C4B97700 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
[-] 2008-08-20 05:30 3067904 507BDA42F7DB8209C0F0B3556A043491 c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3gdr\mshtml.dll
[-] 2008-08-20 04:58 3067904 BD45470B132A0F98596277323D9F2E5A c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3qfe\mshtml.dll
[-] 2008-08-27 18:54 3593216 1AD035E04A7068EC2820B055A3131ED8 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\mshtml.dll
[-] 2008-08-26 09:08 3594752 25CC085720EE3617FD1F8AB9E2F7CAB2 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\mshtml.dll
[-] 2009-05-13 05:15 5936128 EEAADAA744B20E68CF5EB4FBB4F8AFA9 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3GDR\mshtml.dll
[-] 2009-05-13 05:10 5936128 1290E417BF806185CC7B2845E78A104E c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3QFE\mshtml.dll
[-] 2008-06-24 15:57 3592192 EC936148284F557F19C333178768109B c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2GDR\mshtml.dll
[-] 2008-06-23 16:01 3594240 28B8231CA8D55FC85E027A57C90F5C88 c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2QFE\mshtml.dll
[-] 2009-07-19 13:33 3597824 758C8BEDAB7CE5F9070C85E2E57CBD80 c:\windows\system32\mshtml.dll
[-] 2009-07-19 13:33 3597824 758C8BEDAB7CE5F9070C85E2E57CBD80 c:\windows\system32\dllcache\mshtml.dll

[-] 2009-02-09 10:56 401408 9222562D44021B988B9F9F62207FB6F2 c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[7] 2008-04-14 12:00 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\$NtUninstallKB956572$\rpcss.dll
[-] 2009-02-09 12:10 401408 6B27A5C03DFB94B4245739065431322C c:\windows\system32\rpcss.dll
[-] 2009-02-09 12:10 401408 6B27A5C03DFB94B4245739065431322C c:\windows\system32\dllcache\rpcss.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-08-10_18.55.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-08-10 18:55 . 2009-08-10 18:55 16384 c:\windows\Temp\Perflib_Perfdata_7d4.dat
+ 2009-08-11 12:58 . 2009-08-11 12:58 16384 c:\windows\Temp\Perflib_Perfdata_7d4.dat
+ 2009-08-11 12:58 . 2009-08-11 12:58 16384 c:\windows\Temp\Perflib_Perfdata_5b4.dat
- 2008-11-29 02:02 . 2009-06-01 21:12 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-08-10 19:07 . 2009-08-11 14:51 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-08-10 19:11 . 2009-08-10 19:11 149280 c:\windows\system32\javaws.exe
+ 2009-08-10 19:11 . 2009-08-10 19:11 145184 c:\windows\system32\javaw.exe
+ 2009-08-10 19:11 . 2009-08-10 19:11 145184 c:\windows\system32\java.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-08-10 19:11 . 2009-08-10 19:11 1757696 c:\windows\Installer\84716.msi
+ 2009-08-10 19:05 . 2009-08-10 19:05 3938816 c:\windows\Installer\844ab.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-21 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-21 172032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-21 143360]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-11-23 548864]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-10 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

c:\documents and settings\Tim\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-12-5 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-23 113664]
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2008-6-29 1462272]
MFWAKeys.lnk - c:\program files\MOTU\FireWire Audio\MFWAKeys.exe [2009-2-17 102400]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Freelancer\\EXE\\Freelancer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Codemasters\\DiRT\\DiRT.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Documents and Settings\\Tim\\Desktop\\WiCKED-DOW2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\EA GAMES\\Mercenaries 2 World in Flames\\Mercenaries2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57533:TCP"= 57533:TCP:Pando Media Booster
"57533:UDP"= 57533:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"= c:\program files\Windows Media Player\wmplayer.exe:*:Disabled:Windows Media Player
"c:\\Program Files\\Freelancer\\EXE\\Freelancer.exe"= c:\program files\Freelancer\EXE\Freelancer.exe:*:Enabled:Freelancer
"c:\\WINDOWS\\system32\\PnkBstrA.exe"= c:\windows\system32\PnkBstrA.exe:*:Enabled:PnkBstrA
"c:\\WINDOWS\\system32\\PnkBstrB.exe"= c:\windows\system32\PnkBstrB.exe:*:Enabled:PnkBstrB
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"= c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)
"c:\\Program Files\\Codemasters\\DiRT\\DiRT.exe"= c:\program files\Codemasters\DiRT\DiRT.exe:*:Disabled:DiRT Executable
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"= c:\program files\Codemasters\GRID\GRID.exe:*:Enabled:GRID
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"= c:\program files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= c:\program files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player
"c:\\Documents and Settings\\Tim\\Desktop\\WiCKED-DOW2\\DOW2.exe"= c:\documents and settings\Tim\Desktop\WiCKED-DOW2\DOW2.exe:*:Disabled:DOW2
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= c:\program files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary
"c:\\Program Files\\EA GAMES\\Mercenaries 2 World in Flames\\Mercenaries2.exe"= c:\program files\EA GAMES\Mercenaries 2 World in Flames\Mercenaries2.exe:*:Enabled:Mercenaries 2: World in Flames
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"= c:\program files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"= c:\program files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:*:Enabled:Editor
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"= c:\program files\Ubisoft\Far Cry 2\bin\FarCry2.exe:*:Enabled:Far Cry 2
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= c:\program files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP"= 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"57533:TCP"= 57533:TCP:*:Enabled:Pando Media Booster
"57533:UDP"= 57533:UDP:*:Enabled:Pando Media Booster

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/9/2009 5:04 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/9/2009 5:04 PM 20560]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [7/27/2009 3:05 AM 2560]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2/17/2009 3:35 PM 33792]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/23/2008 4:03 PM 110080]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/6/2009 2:44 PM 22891]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2/17/2009 3:30 PM 17024]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWave.sys [2/17/2009 3:30 PM 22656]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\MotuFWA.sys [2/17/2009 3:30 PM 111616]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [3/6/2009 2:44 PM 49024]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
Alerter
LmHosts

.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\vjlg1qxr.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Tim\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Tim\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 15:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-2111687655-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:2f,e9,e7,8b,71,e7,b3,a8,ed,eb,4f,37,6f,c6,4e,2e,10,1a,78,bf,67,
b0,89,4e,e4,25,d5,69,0d,17,2a,2f,4a,e0,df,7c,83,2e,c5,79,bd,be,2d,49,34,5d,\
"rkeysecu"=hex:39,8e,b4,03,43,b1,cb,7f,cd,57,48,f4,e3,f0,30,67

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
@="{8D8763AB-E93B-4812-964E-F04E0008FD50}"

[HKEY_LOCAL_MACHINE\softwareSoftware\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f

[HKEY_LOCAL_MACHINE\softwareSoftware\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B7F5EA513569EA3E98352E3A3D1D6A3D]
"1"=hex:df,c7,3a,96,ab,66,13,d2,36,78,6c,b8,10,1c,c4,b0,a6,93,a9,25,23,fb,66,
2c,77,d8,5d,6a,fe,59,6e,ef
"2"=hex:84,e0,11,4a,54,77,0e,d0
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:58,eb,3b,8d,af,31,32,62,22,1b,23,79,6d,f4,12,c1,db,b4,20,3e,7f,80,2a,
0f,6a,a6,22,9f,10,4c,a5,77,df,44,a4,37,10,4b,bc,75,d7,98,0e,82,a4,8d,85,b3,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,c9,4f,a5,f8,51,27,e9,29,77,5c,86,6d,0a,20,f9,c7,d0,f6,13,82,1b,05,61,d1,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Completion time: 2009-08-11 15:10
ComboFix-quarantined-files.txt 2009-08-11 19:10
ComboFix2.txt 2009-08-10 19:00
ComboFix3.txt 2009-08-10 16:15

Pre-Run: 339,019,460,608 bytes free
Post-Run: 339,058,253,824 bytes free

430 --- E O F --- 2009-08-10 16:38
Upload was successful


After I ran this, I couldn't get internet to run. I'd try to go to control panle to netowrk connections, and it would freeze. I did a restore to the latest point and then ran a dds.

Wildman0420
2009-08-11, 22:37
DDS (Ver_09-07-30.01) - NTFSx86
Run by Tim at 15:31:28.34 on Tue 08/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1368 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090810-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\runservice.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tim\Desktop\wildman.com
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\6b4e49f1a78b9558feeb103a07b06a32\update\update.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\documents and settings\tim\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mfwakeys.lnk - c:\program files\motu\firewire audio\MFWAKeys.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227469912828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tim\applic~1\mozilla\firefox\profiles\vjlg1qxr.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\tim\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\tim\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-9 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-9 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-8-9 138680]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2009-7-27 2560]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-8-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-8-9 352920]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-2-17 33792]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-23 110080]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2009-3-6 22891]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2009-2-17 17024]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWave.sys [2009-2-17 22656]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\MotuFWA.sys [2009-2-17 111616]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [2009-3-6 49024]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================

2009-08-11 15:28 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-11 15:13 <DIR> --d----- C:\RECYCLER(2)
2009-08-10 15:09 <DIR> --d----- c:\documents and settings\tim\.SunDownloadManager
2009-08-10 14:42 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-08-10 14:42 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-10 14:39 <DIR> --d----- c:\program files\XBox 360 Controller for Windows Software
2009-08-10 12:33 <DIR> --d----- C:\872c84c2d43db5fa508fd58bed5c3cee
2009-08-10 12:33 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-10 12:14 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-10 12:05 <DIR> a-dshr-- C:\cmdcons
2009-08-10 12:04 216,064 a------- c:\windows\PEV.exe
2009-08-10 12:04 161,792 a------- c:\windows\SWREG.exe
2009-08-10 12:04 98,816 a------- c:\windows\sed.exe
2009-08-09 18:54 0 a------- c:\documents and settings\tim\jagex_runescape_preferences.dat
2009-08-09 18:54 <DIR> --d----- c:\windows\.jagex_cache_32
2009-08-08 12:01 <DIR> --d----- c:\docume~1\tim\applic~1\Malwarebytes
2009-08-08 12:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 12:01 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 12:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 05:09 <DIR> --d----- c:\program files\trend micro
2009-08-07 01:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-07 01:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-07 01:42 <DIR> --d----- c:\docume~1\tim\applic~1\GetRightToGo
2009-08-06 17:31 9,021,376 a------- C:\windows-kb890830-v2.12.exe
2009-08-06 17:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-06 16:07 <DIR> --d----- c:\docume~1\tim\applic~1\PC Tools
2009-08-06 10:10 76,544 a------- c:\windows\system32\drivers\hnzftgwsif.sys
2009-08-06 10:01 <DIR> --d----- c:\windows\system32\CatRoot
2009-08-06 10:00 119,372 a------- c:\windows\system32\drivers\527f4a3f.sys
2009-08-06 10:00 2 a------- C:\611933923
2009-08-04 12:56 <DIR> --d----- c:\program files\City Interactive
2009-08-04 04:44 <DIR> --d----- c:\program files\Vendetta Online
2009-08-03 02:58 <DIR> --d----- c:\program files\Driving Simulator 2009
2009-07-28 05:18 <DIR> --d----- c:\docume~1\tim\applic~1\LucasArts
2009-07-28 05:15 <DIR> --d----- c:\program files\Secret Of Monkey Island SE
2009-07-27 03:05 126,976 a------- c:\windows\lcmmfu.cpl
2009-07-27 03:05 1,369 a--sh--- c:\windows\system32\mmf.sys
2009-07-27 03:05 1,369 a--sh--- c:\windows\system32\mmf(2).sys
2009-07-27 03:05 48,640 a------- c:\windows\mmfs.dll
2009-07-27 03:05 2,560 a------- c:\windows\Runservice.exe
2009-07-27 02:55 <DIR> --d----- c:\program files\Battlefront
2009-07-13 21:39 <DIR> --d----- c:\program files\Virtual Earth 3D

==================== Find3M ====================

2009-08-09 19:28 189,104 a------- c:\windows\system32\PnkBstrB.exe
2009-08-09 18:56 139,584 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-08 22:23 281,760 a------- c:\windows\system32\drivers\atksgt.sys
2009-07-08 22:23 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2009-07-08 20:30 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-13 16:17 22,328 a------- c:\docume~1\tim\applic~1\PnkBstrK.sys
2009-06-13 16:16 669,184 a------- c:\windows\system32\pbsvc.exe
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-01 18:28 6,442 a------- c:\windows\system32\ealregsnapshot1.reg
2006-06-24 10:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 15:32:05.59 ===============

Blade81
2009-08-12, 07:29
Hi,

Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\system32\drivers\hnzftgwsif.sys
c:\windows\system32\drivers\527f4a3f.sys
C:\611933923



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Kaspersky online scanner seems to have issues on vendor side so I'm asking you to use alternative scanner.

Download the latest version of Kaspersky Virus Removal Tool (ftp://downloads2.kaspersky-labs.com/devbuilds/AVPTool)

* Close all other applications and double-click and run the installer.
* When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
* If malware is detected, don't remove anything.
* After the scan finishes, don't neutralize anything.
* In the Scan window click the Reports button and select Save to file.
* Name the report AVPT.txt, and save it to the Desktop.
* Close AVPTool.
* You will be prompted if you want to uninstall the program; click Yes.
* You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
* Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

Blade81
2009-08-19, 18:23
Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.