PDA

View Full Version : Infection will not allow Spybot or HJT to run



ARCHellraiser
2009-09-19, 21:01
*Was downloading a game from download site.
* Hit download and the site dippapeared and nothing happen (i thought)
*Checked Task manager and saw my processor running at 100%+
* Saw a new file running msb.exe
* quickly goggled it and saw it was BAD
*Killed it in task manager. run time on system about 5 mins
* started Spybot started got updates and went to start scan.
*started scan and Spybot shut down
*tried to start it again and I got this Error
Windows Cannot Access the specified deice,path or file.
You may not have the appropriate permissions to access the item
I was logged in as Admin
*Tried malwarebytes same thing started and shutdown.
* followed your "do this before you post"
* Tried to start it from the folder got the same error as above.
*shut down tea timer via task manager
*installed and run ERUNT
Installed and ran HJT, it created the log but then just shut down and dissapperaed and cannot find log ( i saw it being made) and now when i
try to start it I get the same error as above.
* all other program work Firefox and many apps but i know there was damage done.
Please advise "Next Step"

thanks
HR

ken545
2009-09-21, 02:45
Hello

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)

While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Your infected with one of the lastest Rootkits:red:


Click Start>Run and type or copy and paste the following bolded text into the Run box and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it has finished, post the log it produces.

ARCHellraiser
2009-09-21, 14:02
Thank-you for the help...
HR

Starting up...
Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA
P181.tmp\ZAP181.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA
P25C.tmp\ZAP25C.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA
P29A.tmp\ZAP29A.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZA
PD6.tmp\ZAPD6.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cluster\Cluster
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F2
31838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C6
48A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3
D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary
ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporar
y ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoi
nt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKU
s
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Do
wnloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Def
ault
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\
Registered
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 00:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microso
ft Corporation)
[1] 2004-08-04 00:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 00:56:44 55808 C:\WINDOWS\system32\logevent(2).dll (Microsoft Cor
poration)
[2] 2004-08-04 00:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corpor
ation)
[2] 2004-08-04 00:56:44 55808 C:\System Volume Information\_restore{E8C97C42-271
1-4945-B781-C17D3D4E92AD}\RP95\A0018854.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^

Finished! Press any key to exit...

ken545
2009-09-21, 14:30
Hi,

Make sure you still have Win32KDiag.exe on your desktop, if not redownload it to your desktop, don't run it yet, just want to make sure its still there


Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)



Then run this tool
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



Delete the old notepad script from this and then run this script again

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r


Post the exehelper log and the new win32kdiag log from the script you just ran

ARCHellraiser
2009-09-22, 01:34
evening just got home from work
here are the logs. Had no errors when running

exeHelper by Raktor - 09
Build 20090919
Run at 18:24:13 on 09/21/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Killed process a.exe
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--




Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP181.tmp\ZAP181.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25C.tmp\ZAP25C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP29A.tmp\ZAP29A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\ZAPD6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cluster\Cluster

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 00:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 00:56:44 55808 C:\WINDOWS\system32\logevent(2).dll (Microsoft Corporation)

[2] 2004-08-04 00:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!


Thanks

HR

ken545
2009-09-22, 02:42
Those mountpoints should have been removed

Lets do this..

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

ARCHellraiser
2009-09-22, 04:43
As directed ..
here is log

tried to run HJT BUT
Got the same error as before
"Windows Cannot Access the specified deice,path or file.
You may not have the appropriate permissions to access the item"

ComboFix 09-09-20.04 - Administrator 09/21/2009 21:21.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.734 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\KenFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\WMEncoder.msi

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-19 04:09 . 2009-09-19 04:09 -------- d-----w- c:\program files\Trend Micro
2009-09-19 04:05 . 2009-09-19 04:05 -------- d-----w- c:\program files\ERUNT
2009-09-17 04:13 . 2009-09-21 22:04 -------- d--h--w- c:\windows\PIF
2009-09-17 03:51 . 2009-09-17 04:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 02:57 . 2009-09-17 02:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\MalwareRemovalBot
2009-09-17 01:29 . 2009-09-21 22:04 0 ----a-r- c:\windows\win32k.sys
2009-09-08 03:32 . 2009-09-08 03:32 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-09-06 00:03 . 2004-08-04 04:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-06 00:03 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-03 18:07 . 2009-09-03 18:07 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-02 21:30 . 2009-09-04 03:55 -------- d-----w- C:\Fraps
2009-09-02 15:39 . 2009-09-08 03:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-09-02 15:33 . 2009-09-02 15:33 -------- d-----w- c:\windows\system32\URTTEMP
2009-09-02 12:24 . 2009-09-02 12:24 -------- d-----w- c:\windows\system32\windows media
2009-09-02 12:24 . 2009-09-02 12:24 -------- d-----w- c:\program files\Windows Media Components
2009-08-29 15:12 . 2009-08-29 15:12 0 ----a-w- c:\windows\nsreg.dat
2009-08-29 15:12 . 2009-08-29 15:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-29 11:19 . 2009-08-29 11:19 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-08-28 02:54 . 2009-08-28 02:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-08-28 02:28 . 2004-08-04 03:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-08-28 02:28 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-28 00:39 . 2009-08-28 00:39 1329709 ----a-w- c:\windows\Recorder.reg
2009-08-28 00:38 . 2009-08-28 00:38 -------- d-----w- c:\program files\Common Files\Fellowes
2009-08-28 00:37 . 2009-08-28 00:38 -------- d-----w- c:\program files\Pinnacle
2009-08-28 00:23 . 1997-12-23 01:02 23936 ----a-w- c:\windows\system32\drivers\aspi32.sys
2009-08-28 00:23 . 1997-12-23 00:23 5600 ----a-w- c:\windows\system\winaspi.dll
2009-08-28 00:23 . 1997-12-23 00:23 4672 ----a-w- c:\windows\system\wowpost.exe
2009-08-28 00:23 . 1997-12-23 00:23 48128 ----a-w- c:\windows\system32\wnaspi32.dll
2009-08-28 00:23 . 1999-07-07 21:32 138240 ----a-w- c:\windows\system32\Viasetup.dll
2009-08-28 00:23 . 1999-06-29 21:15 25264 ----a-w- c:\windows\system32\ivimci.drv
2009-08-28 00:23 . 1999-08-23 03:00 884736 ----a-w- c:\windows\system32\ivimci32.dll
2009-08-27 17:31 . 2009-08-27 17:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 17:31 . 2009-08-27 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-25 10:47 . 2009-08-25 10:53 -------- d-----w- C:\Cracker
2009-08-23 02:10 . 2003-10-13 13:05 45056 ----a-w- c:\windows\shicoxp.exe
2009-08-23 02:10 . 2003-02-25 22:29 32768 ----a-w- c:\windows\system32\caili.exe
2009-08-23 02:10 . 2002-09-18 16:44 159788 ----a-w- c:\windows\DelKey.exe
2009-08-23 02:10 . 2002-03-05 16:30 90149 ----a-w- c:\windows\Delvid.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 15:56 . 2009-08-22 15:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-09-20 13:32 . 2009-08-22 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:32 . 2009-08-19 03:12 -------- d-----w- c:\program files\Driver Robot
2009-09-17 04:16 . 2009-08-17 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-17 03:35 . 2009-08-12 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2009-09-13 12:43 . 2009-08-12 03:42 -------- d-----w- c:\program files\Xfire
2009-09-02 12:24 . 2007-04-30 20:03 28368 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 12:24 . 2009-08-12 03:31 -------- d-----w- c:\program files\Microsoft
2009-08-28 05:11 . 2009-08-14 06:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-08-28 05:11 . 2009-08-14 06:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-08-28 05:11 . 2009-08-14 06:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-08-28 00:27 . 2007-04-30 21:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
2009-08-25 05:05 . 2007-04-30 21:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-23 02:10 . 2007-04-30 21:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-22 15:31 . 2009-08-22 15:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----r- c:\program files\Skype
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\program files\Common Files\Skype
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-22 15:02 . 2009-08-22 15:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\teamspeak2
2009-08-22 15:02 . 2009-08-22 15:02 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-08-22 02:34 . 2009-08-22 02:33 -------- d-----w- c:\program files\Good_Fox
2009-08-22 00:49 . 2009-08-22 00:49 -------- d-----w- c:\program files\Fox
2009-08-20 00:51 . 2009-08-20 00:50 -------- d-----w- c:\program files\Realtek AC97
2009-08-19 03:12 . 2009-08-19 03:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Blitware
2009-08-19 02:04 . 2009-08-19 02:04 -------- d-----w- c:\program files\Logitech
2009-08-19 02:04 . 2009-08-19 02:04 -------- d-----w- c:\program files\Common Files\Logitech
2009-08-14 19:40 . 2009-08-14 15:50 -------- d-----w- c:\program files\ATI Technologies
2009-08-14 19:14 . 2009-08-14 19:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-08-14 18:37 . 2009-08-14 18:37 -------- d-----w- c:\program files\directx
2009-08-14 15:53 . 2009-08-14 15:53 -------- d-----w- c:\documents and settings\roth\Application Data\ATI
2009-08-14 05:11 . 2009-08-14 05:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-14 05:11 . 2009-08-12 03:30 -------- d-----w- c:\program files\Windows Live
2009-08-14 05:11 . 2009-08-14 05:11 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-14 05:10 . 2009-08-14 05:10 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-14 05:06 . 2007-04-30 19:46 16168 ----a-w- c:\documents and settings\roth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 03:43 . 2009-08-12 03:43 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-08-12 03:30 . 2009-08-12 03:30 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-12 03:14 . 2009-08-12 03:14 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-12 03:10 . 2009-08-12 03:10 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-12 02:38 . 2009-08-12 02:38 -------- d-----w- c:\program files\MSXML 6.0
2009-08-09 10:30 . 2009-08-09 10:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-08-09 10:30 . 2009-08-09 10:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-08-05 09:11 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2004-08-04 04:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2002-08-29 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2004-08-04 04:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2006-03-04 03:33 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 04:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-04 04:56 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-04 04:56 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-04 04:56 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-04 04:56 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-04 04:56 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-04 04:56 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-04 04:56 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-04 04:56 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-04 04:56 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-04 04:56 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-04 04:56 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-04 04:56 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2004-08-04 04:56 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-04 04:56 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-04 04:56 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-04 04:56 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-04 04:56 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-04 04:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
.

------- Sigcheck -------

[-] 2005-12-17 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2009-06-25 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-04 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2Serv.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\lithtech.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 4:36 PM 26679]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 11:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 12:12 PM 187392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [8/14/2009 1:11 AM 55152]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 6:33 PM 64000]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [5/1/2007 8:44 AM 6016]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2009-09-20 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.0.9.13\DriverRobot.exe [2009-08-19 13:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 21:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\msdtc.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UltraVNC\winvnc.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-22 21:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-22 01:28

Pre-Run: 58,183,778,304 bytes free
Post-Run: 59,681,898,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

254


Thanks
HR

ken545
2009-09-22, 11:19
Good Morning,

Are you sure that you posted the second log from win32kdiag with the script and not the first one you ran ?

I have a lot to look over on your Combofix log, in the meantime do this.

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please





Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

ARCHellraiser
2009-09-22, 13:53
Morning..
Yes posted log file from win32kdiag Created
Yesterday, September 21, 2009, 6:28:40 PM
as instructed posted results of todays requested.



Malwarebytes Log:[/U]

Malwarebytes' Anti-Malware 1.41
Database version: 2842
Windows 5.1.2600 Service Pack 2

9/22/2009 6:19:06 AM
mbam-log-2009-09-22 (06-19-06).txt

Scan type: Quick Scan
Objects scanned: 104848
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Log\2009 Sep 16 - 10_57_11 PM_187.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.


[U]RSIT Logs

info.txt logfile of random's system information tool 1.06 2009-09-22 06:35:06

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint-->MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Aliens vs. Predator 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EF79591-BF16-4CF8-8FF0-D8AD968228B1}\SETUP.EXE"
ATECH FLASH PRO-9-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5E4F342-4ED4-489E-B0EC-0391248FB774}\Setup.exe" -l0x9
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Community Clips from Microsoft Office Labs-->MsiExec.exe /I{87F54A80-158E-436C-9B09-FFFD27F81BD4}
Continuum-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC6CD724-3D9F-11D5-80D7-00104BD1A098}\setup.exe" -l0x9 UNINSTALL -removeonly
Driver Robot 1.1.0.3-->"C:\Program Files\Driver Robot\1.1.0.3\unins000.exe"
EPISUITE SDK Redistribution-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\G&A Imaging Ltd\episuite sdk\5.0\EPISdk.isu" -c"C:\Program Files\G&A Imaging Ltd\episuite sdk\5.0\EPIInst.dll"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
FaxTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Fraps (remove only)-->"C:\Fraps\uninstall.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB896344)-->"C:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Junk Mail filter update-->MsiExec.exe /I{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}
Lexmark X1100 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
Logitech MouseWare 9.79.1 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 -l0009 UNINSTALL
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaShow 3.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5A9B7C0-8751-11D8-9D75-000129760D75}\setup.exe" -uninstall
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Broadband Networking-->MsiExec.exe /I{06B2B442-19FE-4398-BD4B-F5C00928DD8E}
Microsoft Office 2000 Small Business-->MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft Search Enhancement Pack-->MsiExec.exe /I{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Sync Framework Runtime Native v1.0 (x86)-->MsiExec.exe /I{8A74E887-8F0F-4017-AF53-CBA42211AAA5}
Microsoft Sync Framework Services Native v1.0 (x86)-->MsiExec.exe /I{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}
Microsoft XML Parser and SDK-->MsiExec.exe /I{35343FF7-939B-401A-87B3-FF90A5123D88}
Mozilla Firefox (3.5.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Pinnacle InstantCD/DVD Suite-->MsiExec.exe /I{A8A7ACEF-A7AF-4129-9BC1-4F33A4C31EEC}
Power2Go 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerStarter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Security Update for Windows Media Encoder (KB954156)-->"C:\WINDOWS\$NtUninstallKB954156_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"C:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958470)-->"C:\WINDOWS\$NtUninstallKB958470$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971032)-->"C:\WINDOWS\$NtUninstallKB971032$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Sentinel System Driver 5.41.1 (32-bit)-->MsiExec.exe /I{5081528F-5DD5-49BA-8213-9A6A13502497}
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TAC Video Layout Control-->MsiExec.exe /I{75F9640C-DE21-40AF-92E2-06DFD821C7EE}
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
UltraVNC v1.0.2-->"C:\Program Files\UltraVNC\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Family Safety-->MsiExec.exe /X{76CD2979-09C0-493A-84B3-8FD97EF4BCEA}
Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Photo Gallery-->MsiExec.exe /X{3C52E7DA-C431-4239-B66B-1BF703D5B194}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}
Windows Live Toolbar-->MsiExec.exe /X{995F1E2E-F542-4310-8E1D-9926F5A279B3}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}
Windows Media Encoder 9 Series-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"

======System event log======

Computer Name: EDMASTER
Event Code: 7001
Message: The fssfltr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
A device attached to the system is not functioning.


Record Number: 62
Source Name: Service Control Manager
Time Written: 20090916224806.000000-240
Event Type: error
User:

Computer Name: EDMASTER
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Record Number: 61
Source Name: DCOM
Time Written: 20090916224708.000000-240
Event Type: error
User: EDMASTER\Administrator

Computer Name: EDMASTER
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Record Number: 60
Source Name: DCOM
Time Written: 20090916224645.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: EDMASTER
Event Code: 7001
Message: The vnccom service depends on the vncdrv service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


Record Number: 35
Source Name: Service Control Manager
Time Written: 20090916223830.000000-240
Event Type: error
User:

Computer Name: EDMASTER
Event Code: 7001
Message: The vnccom service depends on the vncdrv service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


Record Number: 9
Source Name: Service Control Manager
Time Written: 20090916223504.000000-240
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Integral\Common Files;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 95 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=5f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------



Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-09-22 06:34:56
Microsoft Windows XP Professional Service Pack 2
System drive C: has 57 GB (75%) free of 76 GB
Total RAM: 1023 MB (56% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:03 AM, on 9/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250042906984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250226036234
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

--
End of file - 6222 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Driver Robot.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-07-15 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14 92504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"=regsvr32 /s mqrt.dll []
"Lexmark X1100 Series"=C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe [2003-03-28 57344]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IW ControlCenter]
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe [2003-03-12 836096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
C:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareRemovalBot]
C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe [2003-05-28 394240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopRock]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\a.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
C:\WINDOWS\system32\PSDrvCheck.exe [2003-05-28 394240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
C:\WINDOWS\shicoxp.exe [2003-10-13 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VOBID]
C:\Program Files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe [2003-03-31 147968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
C:\Program Files\UltraVNC\winvnc.exe [2006-06-18 712704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
C:\PROGRA~1\Xfire\Xfire.exe [2009-09-03 3111824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE [2007-05-11 738968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [1999-02-17 65588]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Broadband Networking.lnk -

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-02-25 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Fox\Aliens vs. Predator 2\AVP2Serv.exe"="C:\Program Files\Fox\Aliens vs. Predator 2\AVP2Serv.exe:*:Enabled:AVP2 Stand-Alone Server"
"C:\Program Files\Fox\Aliens vs. Predator 2\lithtech.exe"="C:\Program Files\Fox\Aliens vs. Predator 2\lithtech.exe:*:Enabled:Client"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 1 months======

2009-09-22 06:34:56 ----D---- C:\rsit
2009-09-22 06:14:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-09-21 21:37:03 ----SHD---- C:\RECYCLER
2009-09-21 21:28:16 ----D---- C:\WINDOWS\temp
2009-09-21 21:28:14 ----A---- C:\ComboFix.txt
2009-09-21 21:20:21 ----A---- C:\Boot.bak
2009-09-21 21:20:18 ----RASHD---- C:\cmdcons
2009-09-21 21:19:17 ----A---- C:\WINDOWS\zip.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\SWSC.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\SWREG.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\sed.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\PEV.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\NIRCMD.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\grep.exe
2009-09-21 21:17:05 ----D---- C:\Qoobox
2009-09-19 00:09:58 ----D---- C:\Program Files\Trend Micro
2009-09-19 00:06:43 ----D---- C:\WINDOWS\ERDNT
2009-09-19 00:05:10 ----D---- C:\Program Files\ERUNT
2009-09-17 00:13:24 ----HD---- C:\WINDOWS\PIF
2009-09-16 23:51:38 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-09-16 23:35:46 ----D---- C:\Config.Msi
2009-09-16 22:46:13 ----A---- C:\WINDOWS\ntbtlog.txt
2009-09-05 20:03:07 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-09-05 20:03:07 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-09-03 14:07:10 ----A---- C:\WINDOWS\system32\xfcodec.dll
2009-09-02 17:30:35 ----D---- C:\Fraps
2009-09-02 11:34:19 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-09-02 11:34:14 ----HDC---- C:\WINDOWS\$NtUninstallKB954156_WM9L$
2009-09-02 11:33:45 ----D---- C:\WINDOWS\system32\URTTEMP
2009-09-02 08:24:48 ----D---- C:\WINDOWS\system32\windows media
2009-09-02 08:24:15 ----D---- C:\Program Files\Windows Media Components
2009-08-29 11:12:26 ----D---- C:\Documents and Settings\Administrator\Application Data\Mozilla
2009-08-29 11:12:19 ----D---- C:\Program Files\Mozilla Firefox
2009-08-29 07:19:36 ----A---- C:\WINDOWS\system32\frapsvid.dll
2009-08-27 22:54:37 ----D---- C:\Documents and Settings\Administrator\Application Data\Help
2009-08-27 20:38:31 ----D---- C:\Program Files\Common Files\Fellowes
2009-08-27 20:37:46 ----D---- C:\Program Files\Pinnacle
2009-08-27 20:23:35 ----A---- C:\WINDOWS\system32\wnaspi32.dll
2009-08-27 20:23:34 ----A---- C:\WINDOWS\system32\Viasetup.dll
2009-08-27 20:23:33 ----A---- C:\WINDOWS\system32\ivimci32.dll
2009-08-27 13:31:06 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-08-27 13:31:02 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-25 06:47:11 ----D---- C:\Cracker

======List of files/folders modified in the last 1 months======

2009-09-22 06:34:52 ----D---- C:\WINDOWS\Prefetch
2009-09-22 06:20:03 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-22 06:19:06 ----D---- C:\WINDOWS
2009-09-22 06:14:44 ----D---- C:\WINDOWS\system32\drivers
2009-09-22 06:14:43 ----RD---- C:\Program Files
2009-09-22 06:03:51 ----A---- C:\WINDOWS\lexstat.ini
2009-09-21 22:14:41 ----D---- C:\Documents and Settings\Administrator\Application Data\Xfire
2009-09-21 21:49:08 ----RASH---- C:\boot.ini
2009-09-21 21:49:08 ----A---- C:\WINDOWS\win.ini
2009-09-21 21:49:08 ----A---- C:\WINDOWS\system.ini
2009-09-21 21:28:16 ----D---- C:\WINDOWS\system32
2009-09-21 21:27:35 ----SD---- C:\WINDOWS\Tasks
2009-09-21 21:26:54 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-21 21:23:53 ----D---- C:\WINDOWS\system32\config
2009-09-21 21:23:46 ----HD---- C:\WINDOWS\msdownld.tmp
2009-09-21 21:23:46 ----D---- C:\WINDOWS\Connection Wizard
2009-09-21 21:23:46 ----D---- C:\WINDOWS\Config
2009-09-21 21:23:46 ----D---- C:\WINDOWS\Cluster
2009-09-21 21:23:45 ----D---- C:\WINDOWS\addins
2009-09-21 21:23:14 ----SHD---- C:\WINDOWS\Installer
2009-09-21 21:22:26 ----D---- C:\WINDOWS\AppPatch
2009-09-21 21:22:24 ----D---- C:\Program Files\Common Files
2009-09-20 11:56:14 ----D---- C:\Documents and Settings\Administrator\Application Data\Skype
2009-09-20 09:32:23 ----D---- C:\Documents and Settings\Administrator\Application Data\skypePM
2009-09-20 02:32:35 ----D---- C:\Program Files\Driver Robot
2009-09-19 00:22:52 ----D---- C:\DOWNLOADS
2009-09-17 00:16:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-16 23:35:15 ----D---- C:\WINDOWS\system32\Restore
2009-09-16 22:48:57 ----D---- C:\WINDOWS\security
2009-09-13 11:36:32 ----HD---- C:\WINDOWS\inf
2009-09-13 11:36:32 ----D---- C:\Program Files\MSN
2009-09-13 08:43:26 ----D---- C:\Program Files\Xfire
2009-09-02 22:31:20 ----D---- C:\WINDOWS\Help
2009-09-02 11:39:53 ----D---- C:\WINDOWS\Registration
2009-09-02 11:39:38 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-09-02 11:34:18 ----A---- C:\WINDOWS\imsins.BAK
2009-09-02 11:33:57 ----RSD---- C:\WINDOWS\assembly
2009-09-02 11:29:04 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-09-02 08:24:48 ----D---- C:\WINDOWS\RegisteredPackages
2009-09-02 08:24:47 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-02 08:24:15 ----D---- C:\Program Files\Microsoft
2009-08-30 22:28:03 ----D---- C:\Program Files\Windows Media Player
2009-08-28 01:11:11 ----AT---- C:\WINDOWS\system32\SIntfNT.dll
2009-08-28 01:11:11 ----AT---- C:\WINDOWS\system32\SIntf32.dll
2009-08-28 01:11:11 ----AT---- C:\WINDOWS\system32\SIntf16.dll
2009-08-27 20:38:50 ----D---- C:\WINDOWS\system32\ShellExt
2009-08-27 20:27:16 ----D---- C:\Documents and Settings\Administrator\Application Data\CyberLink
2009-08-27 20:24:47 ----D---- C:\WINDOWS\system
2009-08-27 04:50:40 ----A---- C:\WINDOWS\AS_Debug.txt
2009-08-25 01:05:32 ----D---- C:\WINDOWS\WinSxS
2009-08-25 01:05:27 ----D---- C:\Program Files\Adobe
2009-08-25 01:05:21 ----D---- C:\Program Files\Common Files\Adobe
2009-08-25 01:05:21 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 vobcom;vobcom; C:\WINDOWS\system32\drivers\vobcom.sys [2001-10-04 9728]
R1 vobiw;vobiw; C:\WINDOWS\system32\drivers\vobiw.sys [2003-05-27 187392]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [1997-12-22 23936]
R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-02-06 55152]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2002-12-17 76288]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-01-24 4127488]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ASAPIW2K;ASAPIW2K; C:\WINDOWS\System32\Drivers\ASAPIW2K.sys [2002-04-17 11264]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-02-25 3565568]
R3 cdrdrv;Cdrdrv; C:\WINDOWS\System32\Drivers\Cdrdrv.sys [2002-12-13 64000]
R3 L8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys [2003-12-17 51729]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
R3 MQAC;Message Queuing access control; \??\C:\WINDOWS\system32\drivers\mqac.sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-08-01 54784]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-08-01 22016]
R3 RMCAST;Reliable Multicast Protocol driver; \??\C:\WINDOWS\system32\drivers\RMCast.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S2 vnccom;vnccom; C:\WINDOWS\System32\Drivers\vnccom.SYS [2004-06-26 6016]
S3 catchme;catchme; \??\C:\KenFix\catchme.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2005-04-13 53376]
S3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2005-04-13 414464]
S3 SNTNLUSB;Rainbow USB SuperPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2002-12-17 26120]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 vncdrv;vncdrv; C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 4736]
S4 atapi;atapi; C:\WINDOWS\system32\drivers\atapi.sys [2004-08-03 95360]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-02-25 602112]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-03-28 303104]
R2 MSMQ;Message Queuing; C:\WINDOWS\system32\mqsvc.exe [2009-06-22 4608]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 winvnc;VNC Server; C:\Program Files\UltraVNC\winvnc.exe [2006-06-18 712704]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2009-02-25 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 fsssvc;Windows Live Family Safety; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

ken545
2009-09-22, 14:32
PopRock <--You have this program starting up, is this something you installed and know about ?

ARCHellraiser
2009-09-22, 15:24
NO, must have been something that got picked up during surfing.

did not show up under "msconfig"

ken545
2009-09-22, 16:00
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Registry::




Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareRemovalBot]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopRock]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ARCHellraiser
2009-09-22, 17:55
as instructed
have to go to work now see you later.

HR

ComboFix 09-09-21.04 - Administrator 09/22/2009 10:42.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.642 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\KenFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-22 10:34 . 2009-09-22 10:35 -------- d-----w- C:\rsit
2009-09-22 10:14 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 10:14 . 2009-09-22 10:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 10:14 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 04:09 . 2009-09-22 10:35 -------- d-----w- c:\program files\Trend Micro
2009-09-19 04:05 . 2009-09-19 04:05 -------- d-----w- c:\program files\ERUNT
2009-09-17 04:13 . 2009-09-22 01:23 -------- d--h--w- c:\windows\PIF
2009-09-17 03:51 . 2009-09-17 04:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-08 03:32 . 2009-09-08 03:32 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-09-06 00:03 . 2004-08-04 04:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-06 00:03 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-03 18:07 . 2009-09-03 18:07 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-02 21:30 . 2009-09-04 03:55 -------- d-----w- C:\Fraps
2009-09-02 15:39 . 2009-09-08 03:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-09-02 15:33 . 2009-09-02 15:33 -------- d-----w- c:\windows\system32\URTTEMP
2009-09-02 12:24 . 2009-09-02 12:24 -------- d-----w- c:\windows\system32\windows media
2009-09-02 12:24 . 2009-09-02 12:24 -------- d-----w- c:\program files\Windows Media Components
2009-08-29 15:12 . 2009-08-29 15:12 0 ----a-w- c:\windows\nsreg.dat
2009-08-29 15:12 . 2009-08-29 15:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-29 11:19 . 2009-08-29 11:19 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-08-28 02:54 . 2009-08-28 02:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-08-28 02:28 . 2004-08-04 03:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-08-28 02:28 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-28 00:39 . 2009-08-28 00:39 1329709 ----a-w- c:\windows\Recorder.reg
2009-08-28 00:38 . 2009-08-28 00:38 -------- d-----w- c:\program files\Common Files\Fellowes
2009-08-28 00:37 . 2009-08-28 00:38 -------- d-----w- c:\program files\Pinnacle
2009-08-28 00:23 . 1997-12-23 01:02 23936 ----a-w- c:\windows\system32\drivers\aspi32.sys
2009-08-28 00:23 . 1997-12-23 00:23 5600 ----a-w- c:\windows\system\winaspi.dll
2009-08-28 00:23 . 1997-12-23 00:23 4672 ----a-w- c:\windows\system\wowpost.exe
2009-08-28 00:23 . 1997-12-23 00:23 48128 ----a-w- c:\windows\system32\wnaspi32.dll
2009-08-28 00:23 . 1999-07-07 21:32 138240 ----a-w- c:\windows\system32\Viasetup.dll
2009-08-28 00:23 . 1999-06-29 21:15 25264 ----a-w- c:\windows\system32\ivimci.drv
2009-08-28 00:23 . 1999-08-23 03:00 884736 ----a-w- c:\windows\system32\ivimci32.dll
2009-08-27 17:31 . 2009-08-27 17:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 17:31 . 2009-08-27 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-25 10:47 . 2009-08-25 10:53 -------- d-----w- C:\Cracker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 02:14 . 2009-08-12 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2009-09-20 15:56 . 2009-08-22 15:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-09-20 13:32 . 2009-08-22 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-20 06:32 . 2009-08-19 03:12 -------- d-----w- c:\program files\Driver Robot
2009-09-17 04:16 . 2009-08-17 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 12:43 . 2009-08-12 03:42 -------- d-----w- c:\program files\Xfire
2009-09-02 12:24 . 2007-04-30 20:03 28368 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 12:24 . 2009-08-12 03:31 -------- d-----w- c:\program files\Microsoft
2009-08-28 05:11 . 2009-08-14 06:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-08-28 05:11 . 2009-08-14 06:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-08-28 05:11 . 2009-08-14 06:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-08-28 00:27 . 2007-04-30 21:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
2009-08-25 05:05 . 2007-04-30 21:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-23 02:10 . 2007-04-30 21:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-22 15:31 . 2009-08-22 15:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----r- c:\program files\Skype
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\program files\Common Files\Skype
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-22 15:02 . 2009-08-22 15:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\teamspeak2
2009-08-22 15:02 . 2009-08-22 15:02 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-08-22 02:34 . 2009-08-22 02:33 -------- d-----w- c:\program files\Good_Fox
2009-08-22 00:49 . 2009-08-22 00:49 -------- d-----w- c:\program files\Fox
2009-08-20 00:51 . 2009-08-20 00:50 -------- d-----w- c:\program files\Realtek AC97
2009-08-19 03:12 . 2009-08-19 03:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Blitware
2009-08-19 02:04 . 2009-08-19 02:04 -------- d-----w- c:\program files\Logitech
2009-08-19 02:04 . 2009-08-19 02:04 -------- d-----w- c:\program files\Common Files\Logitech
2009-08-14 19:40 . 2009-08-14 15:50 -------- d-----w- c:\program files\ATI Technologies
2009-08-14 19:14 . 2009-08-14 19:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-08-14 18:37 . 2009-08-14 18:37 -------- d-----w- c:\program files\directx
2009-08-14 15:53 . 2009-08-14 15:53 -------- d-----w- c:\documents and settings\roth\Application Data\ATI
2009-08-14 05:11 . 2009-08-14 05:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-14 05:11 . 2009-08-12 03:30 -------- d-----w- c:\program files\Windows Live
2009-08-14 05:11 . 2009-08-14 05:11 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-14 05:10 . 2009-08-14 05:10 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-14 05:06 . 2007-04-30 19:46 16168 ----a-w- c:\documents and settings\roth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 03:43 . 2009-08-12 03:43 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-08-12 03:30 . 2009-08-12 03:30 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-12 03:14 . 2009-08-12 03:14 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-12 03:10 . 2009-08-12 03:10 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-12 02:38 . 2009-08-12 02:38 -------- d-----w- c:\program files\MSXML 6.0
2009-08-09 10:30 . 2009-08-09 10:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-08-09 10:30 . 2009-08-09 10:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-08-05 09:11 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2004-08-04 04:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2002-08-29 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2004-08-04 04:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2006-03-04 03:33 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 04:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-04 04:56 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-04 04:56 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-04 04:56 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-04 04:56 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-04 04:56 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-04 04:56 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-04 04:56 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-04 04:56 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-04 04:56 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-04 04:56 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-04 04:56 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-04 04:56 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2004-08-04 04:56 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-04 04:56 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-04 04:56 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-04 04:56 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-04 04:56 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-04 04:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
.

------- Sigcheck -------

[-] 2005-12-17 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-09-22_01.25.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-22 10:21 . 2009-09-22 10:21 40960 c:\windows\ERDNT\AutoBackup\9-22-2009\Users\00000002\UsrClass.dat
+ 2009-09-22 10:21 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-22-2009\ERDNT.EXE
+ 2009-09-22 10:21 . 2009-09-22 10:21 6098944 c:\windows\ERDNT\AutoBackup\9-22-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2009-06-25 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-04 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2Serv.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\lithtech.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 4:36 PM 26679]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 11:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 12:12 PM 187392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [8/14/2009 1:11 AM 55152]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 6:33 PM 64000]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [5/1/2007 8:44 AM 6016]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2009-09-20 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.0.9.13\DriverRobot.exe [2009-08-19 13:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 10:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-22 10:45
ComboFix-quarantined-files.txt 2009-09-22 14:45
ComboFix2.txt 2009-09-22 14:39
ComboFix3.txt 2009-09-22 01:28

Pre-Run: 59,600,023,552 bytes free
Post-Run: 59,589,935,104 bytes free

226





Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-09-22 10:51:36
Microsoft Windows XP Professional Service Pack 2
System drive C: has 57 GB (74%) free of 76 GB
Total RAM: 1023 MB (62% free)

:oreo:
Scan saved at 10:51:42 AM, on 9/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250042906984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250226036234
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

--
End of file - 6053 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Driver Robot.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-07-15 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14 92504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"=regsvr32 /s mqrt.dll []
"Lexmark X1100 Series"=C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe [2003-03-28 57344]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IW ControlCenter]
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe [2003-03-12 836096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
C:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe [2003-05-28 394240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
C:\WINDOWS\system32\PSDrvCheck.exe [2003-05-28 394240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
C:\WINDOWS\shicoxp.exe [2003-10-13 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VOBID]
C:\Program Files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe [2003-03-31 147968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
C:\Program Files\UltraVNC\winvnc.exe [2006-06-18 712704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
C:\PROGRA~1\Xfire\Xfire.exe [2009-09-03 3111824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE [2007-05-11 738968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [1999-02-17 65588]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Broadband Networking.lnk -

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-02-25 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Fox\Aliens vs. Predator 2\AVP2Serv.exe"="C:\Program Files\Fox\Aliens vs. Predator 2\AVP2Serv.exe:*:Enabled:AVP2 Stand-Alone Server"
"C:\Program Files\Fox\Aliens vs. Predator 2\lithtech.exe"="C:\Program Files\Fox\Aliens vs. Predator 2\lithtech.exe:*:Enabled:Client"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\mqsvc.exe"="C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 1 months======

2009-09-22 10:45:14 ----D---- C:\WINDOWS\temp
2009-09-22 10:45:12 ----A---- C:\ComboFix.txt
2009-09-22 10:41:31 ----D---- C:\KenFix
2009-09-22 06:34:56 ----D---- C:\rsit
2009-09-22 06:14:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-09-21 21:20:21 ----A---- C:\Boot.bak
2009-09-21 21:20:18 ----RASHD---- C:\cmdcons
2009-09-21 21:19:17 ----A---- C:\WINDOWS\zip.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\SWSC.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\SWREG.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\sed.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\PEV.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\NIRCMD.exe
2009-09-21 21:19:17 ----A---- C:\WINDOWS\grep.exe
2009-09-21 21:17:05 ----D---- C:\Qoobox
2009-09-19 00:09:58 ----D---- C:\Program Files\Trend Micro
2009-09-19 00:06:43 ----D---- C:\WINDOWS\ERDNT
2009-09-19 00:05:10 ----D---- C:\Program Files\ERUNT
2009-09-17 00:13:24 ----HD---- C:\WINDOWS\PIF
2009-09-16 23:51:38 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-09-16 23:35:46 ----D---- C:\Config.Msi
2009-09-16 22:46:13 ----A---- C:\WINDOWS\ntbtlog.txt
2009-09-05 20:03:07 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-09-05 20:03:07 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-09-03 14:07:10 ----A---- C:\WINDOWS\system32\xfcodec.dll
2009-09-02 17:30:35 ----D---- C:\Fraps
2009-09-02 11:34:19 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-09-02 11:34:14 ----HDC---- C:\WINDOWS\$NtUninstallKB954156_WM9L$
2009-09-02 11:33:45 ----D---- C:\WINDOWS\system32\URTTEMP
2009-09-02 08:24:48 ----D---- C:\WINDOWS\system32\windows media
2009-09-02 08:24:15 ----D---- C:\Program Files\Windows Media Components
2009-08-29 11:12:26 ----D---- C:\Documents and Settings\Administrator\Application Data\Mozilla
2009-08-29 11:12:19 ----D---- C:\Program Files\Mozilla Firefox
2009-08-29 07:19:36 ----A---- C:\WINDOWS\system32\frapsvid.dll
2009-08-27 22:54:37 ----D---- C:\Documents and Settings\Administrator\Application Data\Help
2009-08-27 20:38:31 ----D---- C:\Program Files\Common Files\Fellowes
2009-08-27 20:37:46 ----D---- C:\Program Files\Pinnacle
2009-08-27 20:23:35 ----A---- C:\WINDOWS\system32\wnaspi32.dll
2009-08-27 20:23:34 ----A---- C:\WINDOWS\system32\Viasetup.dll
2009-08-27 20:23:33 ----A---- C:\WINDOWS\system32\ivimci32.dll
2009-08-27 13:31:06 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-08-27 13:31:02 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-25 06:47:11 ----D---- C:\Cracker

======List of files/folders modified in the last 1 months======

2009-09-22 10:45:14 ----D---- C:\WINDOWS\system32
2009-09-22 10:45:14 ----D---- C:\WINDOWS
2009-09-22 10:44:01 ----A---- C:\WINDOWS\system.ini
2009-09-22 10:43:17 ----D---- C:\WINDOWS\system32\drivers
2009-09-22 10:43:17 ----D---- C:\WINDOWS\AppPatch
2009-09-22 10:43:16 ----D---- C:\Program Files\Common Files
2009-09-22 10:42:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-22 10:42:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-22 10:41:31 ----D---- C:\WINDOWS\Prefetch
2009-09-22 07:55:50 ----A---- C:\WINDOWS\lexstat.ini
2009-09-22 06:14:43 ----RD---- C:\Program Files
2009-09-21 22:14:41 ----D---- C:\Documents and Settings\Administrator\Application Data\Xfire
2009-09-21 21:49:08 ----RASH---- C:\boot.ini
2009-09-21 21:49:08 ----A---- C:\WINDOWS\win.ini
2009-09-21 21:27:35 ----SD---- C:\WINDOWS\Tasks
2009-09-21 21:23:53 ----D---- C:\WINDOWS\system32\config
2009-09-21 21:23:46 ----HD---- C:\WINDOWS\msdownld.tmp
2009-09-21 21:23:46 ----D---- C:\WINDOWS\Connection Wizard
2009-09-21 21:23:46 ----D---- C:\WINDOWS\Config
2009-09-21 21:23:46 ----D---- C:\WINDOWS\Cluster
2009-09-21 21:23:45 ----D---- C:\WINDOWS\addins
2009-09-21 21:23:14 ----SHD---- C:\WINDOWS\Installer
2009-09-20 11:56:14 ----D---- C:\Documents and Settings\Administrator\Application Data\Skype
2009-09-20 09:32:23 ----D---- C:\Documents and Settings\Administrator\Application Data\skypePM
2009-09-20 02:32:35 ----D---- C:\Program Files\Driver Robot
2009-09-19 00:22:52 ----D---- C:\DOWNLOADS
2009-09-17 00:16:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-16 23:35:15 ----D---- C:\WINDOWS\system32\Restore
2009-09-16 22:48:57 ----D---- C:\WINDOWS\security
2009-09-13 11:36:32 ----HD---- C:\WINDOWS\inf
2009-09-13 11:36:32 ----D---- C:\Program Files\MSN
2009-09-13 08:43:26 ----D---- C:\Program Files\Xfire
2009-09-02 22:31:20 ----D---- C:\WINDOWS\Help
2009-09-02 11:39:53 ----D---- C:\WINDOWS\Registration
2009-09-02 11:39:38 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-09-02 11:34:18 ----A---- C:\WINDOWS\imsins.BAK
2009-09-02 11:33:57 ----RSD---- C:\WINDOWS\assembly
2009-09-02 11:29:04 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-09-02 08:24:48 ----D---- C:\WINDOWS\RegisteredPackages
2009-09-02 08:24:47 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-02 08:24:15 ----D---- C:\Program Files\Microsoft
2009-08-30 22:28:03 ----D---- C:\Program Files\Windows Media Player
2009-08-28 01:11:11 ----AT---- C:\WINDOWS\system32\SIntfNT.dll
2009-08-28 01:11:11 ----AT---- C:\WINDOWS\system32\SIntf32.dll
2009-08-28 01:11:11 ----AT---- C:\WINDOWS\system32\SIntf16.dll
2009-08-27 20:38:50 ----D---- C:\WINDOWS\system32\ShellExt
2009-08-27 20:27:16 ----D---- C:\Documents and Settings\Administrator\Application Data\CyberLink
2009-08-27 20:24:47 ----D---- C:\WINDOWS\system
2009-08-27 04:50:40 ----A---- C:\WINDOWS\AS_Debug.txt
2009-08-25 01:05:32 ----D---- C:\WINDOWS\WinSxS
2009-08-25 01:05:27 ----D---- C:\Program Files\Adobe
2009-08-25 01:05:21 ----D---- C:\Program Files\Common Files\Adobe
2009-08-25 01:05:21 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 vobcom;vobcom; C:\WINDOWS\system32\drivers\vobcom.sys [2001-10-04 9728]
R1 vobiw;vobiw; C:\WINDOWS\system32\drivers\vobiw.sys [2003-05-27 187392]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [1997-12-22 23936]
R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-02-06 55152]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2002-12-17 76288]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-01-24 4127488]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ASAPIW2K;ASAPIW2K; C:\WINDOWS\System32\Drivers\ASAPIW2K.sys [2002-04-17 11264]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-02-25 3565568]
R3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
R3 cdrdrv;Cdrdrv; C:\WINDOWS\System32\Drivers\Cdrdrv.sys [2002-12-13 64000]
R3 L8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys [2003-12-17 51729]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
R3 MQAC;Message Queuing access control; \??\C:\WINDOWS\system32\drivers\mqac.sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-08-01 54784]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-08-01 22016]
R3 RMCAST;Reliable Multicast Protocol driver; \??\C:\WINDOWS\system32\drivers\RMCast.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S2 vnccom;vnccom; C:\WINDOWS\System32\Drivers\vnccom.SYS [2004-06-26 6016]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2005-04-13 53376]
S3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2005-04-13 414464]
S3 SNTNLUSB;Rainbow USB SuperPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2002-12-17 26120]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 vncdrv;vncdrv; C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2004-06-26 4736]
S4 atapi;atapi; C:\WINDOWS\system32\drivers\atapi.sys [2004-08-03 95360]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-02-25 602112]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-03-28 303104]
R2 MSMQ;Message Queuing; C:\WINDOWS\system32\mqsvc.exe [2009-06-22 4608]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 winvnc;VNC Server; C:\Program Files\UltraVNC\winvnc.exe [2006-06-18 712704]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2009-02-25 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 fsssvc;Windows Live Family Safety; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

ken545
2009-09-22, 19:26
Hi,

Looking good , how are things running now ?

ARCHellraiser
2009-09-23, 01:40
:cool:Very Very Good and...Boot-up is very fast now.!!!:thanks:
You guys who do this day in and day out should be givin one heck of a thank-you!!!! Fighting the unwinable fight...:rockon:


The 3 things that are strange are:
**Cannot run S&D still get the same Error??
"Windows Cannot Access the specified deice,path or file.
You may not have the appropriate permissions to access the item"

**When starting IE 2 windows always start one Blank and one with the site
I selected.??

**Microsoft Broadband Networking utility even thought it checked in the
msconfig does not start-up and show in the icon taskbar as it always has.

Should I uninstall and reinstall the 2 programs.??

HR

ken545
2009-09-23, 03:21
Hi,

What I would do is run Windows Updates and upgrade your Operating System to Service Pack 3 and also Internet Explorer 8, this may fix your browser issue.

Open IE and go to Tools > Windows Updates and download all critical updates


Go to your Add Remove Programs in the Control Panel and uninstall Spybot, then download and install the latest version which is 1.6.2 and see if that makes a difference.
http://www.safer-networking.org/en/download/

Let me know if this helped, if not we can dig deeper

ARCHellraiser
2009-09-23, 03:32
Understand, been putting off moving to SP3 because of all the bad press i have read,have been updateing with all updates for SP2..But looks like it time to make the move.

I ran malware and found the following:Please advise did not delete
thought i'd ask first.

HR



Malwarebytes' Anti-Malware 1.41
Database version: 2842
Windows 5.1.2600 Service Pack 2

9/22/2009 8:18:20 PM
new mbam-log-2009-09-22 (20-17-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140034
Time elapsed: 15 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (Rogue.RegTool) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP104\A0019679.dll (Trojan.Sirefef) -> No action taken.

ARCHellraiser
2009-09-23, 04:12
Hi Ken,
After I removed S&D via Uninstall I always check to be sure all was removed.
when i tried to remove the files manually I get "cannot delete" ??
see attached file..
please advise

HR

ken545
2009-09-23, 11:40
Good Morning HR,

When SP3 first came out there where a few bugs but its all been fixed and there is no problem now with any of the updates.

I would not have Malwarebytes remove those files, one is a Combofix backup, one is in your System restore and one I am not sure why it was flagged as bad. Our clean up will get all the files in qoobox and system restore

You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe





We just do malware removal on this forum, post here in the spybot forum and they can guide you with its removal and re install.
http://forums.spybot.info/forumdisplay.php?f=4



System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Reboot your computer

Turn ON System Restore.


Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Create a new Restore Point <-- Very Important


Go to Start> All Programs> Accessories> System Tools> System Restore and create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it




Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

ARCHellraiser
2009-09-23, 14:09
looks like were are coming to the end and my system is back to almost perfect.
I did as instructed see report below and thanks for the heads up on the other files.

Pinnacle-InstantCD/DVD is my CD copy program, I have the original Factory
disk and access code so if we need to remove/install I'm ok to do this.

THANKS

HR

File 3D6ACFF20051EE77C091037525F18D007F841644.exe received on 2009.05.29 21:56:39 (UTC)
Current status: finished
Result: 0/40 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.29 -
AhnLab-V3 5.0.0.2 2009.05.29 -
AntiVir 7.9.0.180 2009.05.29 -
Antiy-AVL 2.0.3.1 2009.05.27 -
Authentium 5.1.2.4 2009.05.29 -
Avast 4.8.1335.0 2009.05.29 -
AVG 8.5.0.339 2009.05.29 -
BitDefender 7.2 2009.05.29 -
CAT-QuickHeal 10.00 2009.05.29 -
ClamAV 0.94.1 2009.05.29 -
Comodo 1203 2009.05.29 -
DrWeb 5.0.0.12182 2009.05.29 -
eSafe 7.0.17.0 2009.05.27 -
eTrust-Vet 31.6.6528 2009.05.29 -
F-Prot 4.4.4.56 2009.05.29 -
F-Secure 8.0.14470.0 2009.05.29 -
Fortinet 3.117.0.0 2009.05.29 -
GData 19 2009.05.29 -
Ikarus T3.1.1.57.0 2009.05.29 -
K7AntiVirus 7.10.749 2009.05.29 -
Kaspersky 7.0.0.125 2009.05.29 -
McAfee 5630 2009.05.29 -
McAfee+Artemis 5630 2009.05.29 -
McAfee-GW-Edition 6.7.6 2009.05.29 -
Microsoft 1.4701 2009.05.29 -
NOD32 4116 2009.05.29 -
Norman 2009.05.29 -
nProtect 2009.1.8.0 2009.05.29 -
Panda 10.0.0.14 2009.05.29 -
PCTools 4.4.2.0 2009.05.29 -
Prevx 3.0 2009.05.29 -
Rising 21.31.21.00 2009.05.27 -
Sophos 4.42.0 2009.05.29 -
Sunbelt 3.2.1858.2 2009.05.29 -
Symantec 1.4.4.12 2009.05.29 -
TheHacker 6.3.4.3.334 2009.05.29 -
TrendMicro 8.950.0.1092 2009.05.29 -
VBA32 3.12.10.6 2009.05.27 -
ViRobot 2009.5.29.1761 2009.05.29 -
VirusBuster 4.6.5.0 2009.05.29 -
Additional information
File size: 245760 bytes
MD5 : 35d183cb9d58f97f4e2e52fa738dd75c
SHA1 : edece586ba712a224028b4b8a70a66c49c449013
SHA256: 20f339fc9c179407e78afd95e52767f0d4906424f9036fc3d5dd4e202faefe9b
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xFDAF
timedatestamp.....: 0x3D935D76 (Thu Sep 26 21:18:14 2002)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x278BA 0x28000 6.58 78376d4f2e8d920d16f78904df560b5d
.rdata 0x29000 0xABD6 0xB000 4.95 618011db2af3a8102697d9509679f667
.data 0x34000 0x15934 0x2000 4.57 34ef9b3efda79bf0f40b522abc820097
.rsrc 0x4A000 0x51A0 0x6000 3.04 20aef7b8b1dbe863fa280cae7694d1fb

( 14 imports )

> advapi32.dll: RegEnumKeyA, FreeSid, RegSetKeySecurity, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetEntriesInAclA, AllocateAndInitializeSid, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegQueryValueA, RegOpenKeyExA, RegDeleteKeyA, RegOpenKeyA, RegCreateKeyExA
> comctl32.dll: -
> comdlg32.dll: GetFileTitleA
> gdi32.dll: GetMapMode, GetRgnBox, GetTextColor, GetBkColor, GetStockObject, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, GetDeviceCaps, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetWindowExtEx, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, CreateRectRgnIndirect, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, SetWindowExtEx
> kernel32.dll: ExitProcess, TerminateProcess, HeapReAlloc, HeapSize, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCommandLineA, GetSystemTimeAsFileTime, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, VirtualProtect, GetSystemInfo, VirtualQuery, SetStdHandle, SetEnvironmentVariableA, GetStartupInfoA, RaiseException, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, RtlUnwind, HeapFree, HeapAlloc, GetTickCount, FileTimeToLocalFileTime, SetErrorMode, GetOEMCP, GetCPInfo, GetFullPathNameA, GetVolumeInformationA, GetCurrentProcess, DuplicateHandle, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, WritePrivateProfileStringA, GlobalFlags, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, InterlockedIncrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, FreeResource, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, GlobalDeleteAtom, lstrcmpA, GetModuleHandleA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, GetModuleFileNameA, GetLastError, SetLastError, GlobalFree, FindResourceA, LoadResource, LockResource, SizeofResource, MulDiv, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, lstrcpynA, GetProcAddress, LocalAlloc, LocalFree, FindFirstFileA, GetFileAttributesA, CreateFileA, GetFileTime, FileTimeToSystemTime, GetFileSize, CloseHandle, GetSystemDirectoryA, FindClose, InterlockedDecrement, SetCurrentDirectoryA, LoadLibraryA, FreeLibrary, GetLocalTime, DeleteFileA, lstrlenA, lstrcmpiA, CompareStringW, CompareStringA, GetVersion, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetCurrentProcessId
> ole32.dll: StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoTaskMemAlloc, StgCreateDocfileOnILockBytes, CoTaskMemFree, CoInitialize, CoCreateInstance, CoUninitialize, CreateILockBytesOnHGlobal, OleUninitialize, CoFreeUnusedLibraries, OleInitialize, CoRevokeClassObject, CoRegisterMessageFilter, OleFlushClipboard, OleIsCurrentClipboard
> oleacc.dll: LresultFromObject, CreateStdAccessibleObject
> oleaut32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -
> oledlg.dll: -
> shell32.dll: ShellExecuteA
> shfolder.dll: SHGetFolderPathA
> shlwapi.dll: PathStripToRootA, PathFindFileNameA, PathFindExtensionA, PathIsUNCA
> user32.dll: RegisterClipboardFormatA, DestroyMenu, MessageBeep, GetNextDlgGroupItem, InvalidateRgn, InvalidateRect, CopyAcceleratorTableA, SetRect, IsRectEmpty, CharNextA, ReleaseCapture, SetCapture, LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ReleaseDC, GetDC, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, SetFocus, IsChild, GetWindowTextA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSysColor, AdjustWindowRectEx, CharUpperA, DrawIcon, SendMessageA, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetSystemMetrics, EqualRect, GetClassInfoA, RegisterClassA, UnregisterClassA, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, CopyRect, PtInRect, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetNextDlgTabItem, EndDialog, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDlgItem, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PostThreadMessageA, GetWindowTextLengthA, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, UnhookWindowsHookEx, LoadBitmapA, GetMenuCheckMarkDimensions, CheckMenuItem, EnableMenuItem, ModifyMenuA, GetParent, GetFocus, SetMenuItemBitmaps, IsWindowEnabled, GetLastActivePopup, GetWindowLongA, MessageBoxA, PostMessageA, wsprintfA, PostQuitMessage, SetCursor, ValidateRect, GetCursorPos, PeekMessageA
> winspool.drv: OpenPrinterA, DocumentPropertiesA, ClosePrinter

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
ssdeep: 6144:mv+M67AKssG2Vy0K10nOfTEOO7ANg1ybE4:c67AqhK10nOfC7AW1yb
PEiD : -
RDS : NSRL Reference Data Set

ken545
2009-09-23, 14:15
Looks like that file is ok so lets not worry about it.

Lets do one last scan and see if it finds anything that we may have missed.

Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

ARCHellraiser
2009-09-24, 03:59
evening, last work nite....
did as directed the below was at the start up of the scan
thought you might need to see it.
posted log
did not check "delete quarantined" box

HR

Warning: in_array() [function.in-array]: Wrong datatype for second argument in /home/httpd/vhosts/www.eset.eu/buxus/includes/generate_functions.php(96) : eval()'d code(1396) : eval()'d code on line 17






ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=f3f4ea1f6737e14998f3fee40a88c61c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-23 10:23:15
# local_time=2009-09-23 06:23:15 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# scanned=37584
# found=7
# cleaned=7
# scan_time=977
C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\updates\3e9a384994003e6daed892e3f8d7c957\3e9a384994003e6daed892e3f8d7c957 Win32/Adware.DriverRobot application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\updates\3e9a384994003e6daed892e3f8d7c957\DriverRobot_Setup.exe Win32/Adware.DriverRobot application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Driver Robot\1.1.0.3\DriverRobot.exe Win32/Adware.DriverRobot application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP104\A0019679.dll a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP105\A0020271.exe Win32/Adware.DriverRobot application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP105\A0020272.exe Win32/Adware.DriverRobot application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ken545
2009-09-24, 04:06
Hi,

DriverRobot appears to be a rogue program, all the rest where Combofix backups and bad files in your system restore.

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Reboot your computer

Turn ON System Restore.


Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Create a new Restore Point <-- Very Important


Go to Start> All Programs> Assesories> System Tools> System Restore and create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it



We will clean out Qoobox when were done. How are things running now ?

ARCHellraiser
2009-09-24, 06:16
HI Ken,
Well Thanks to you Everything is working just fine..
Even the strange 2nd blank IE window that was opening is gone.:eek:
all that's left is to get S&D running...am waiting for that support team to answer.
and have all my Icons in the icon tray:banana:

Followed the restore instructions and just made the :New Clean Restore " point.

Have not yet installed SP3 but will do after we are done.

Should I run ESET again and have it delete quarantine file this time.???

HR

ken545
2009-09-24, 11:28
Great, yes you can run ESET and remove those files.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken

ARCHellraiser
2009-09-25, 04:36
:thanks::thanks::thanks::wav:

Again I don't know what would have happen without your help:crowned:
You guys are doing a great job for us poor slobs who get in trouble.
For sure I will Donate on payday:present:

Still working with spybotsandra:angel:
trying to get rid of the infected spybot files.


Ran Combofix /u and all is gone...

Ran ESET and had 0 infected:band:

Boot up is faster that it's been for a long time:banana:

No more to do here...Hope i never have to came back.....;)

Thanks again

HR = Ed

ken545
2009-09-25, 05:23
Thats great, glad things are well :bigthumb:

Why don't you open up Spybot and at the top click on Mode > Advanced Mode, then Recovery and you can purge all the bad stuff that Spybot removed.

Take Care,

Ken

ARCHellraiser
2009-09-25, 13:59
This is what I told her


some other things you should know

* removed application S&D by control panel "add & remove Programs"
it said could not remove all files.

*Checked properties of each file have 'Read only" and "Hidden" checked and
Hidden is Grayed out. If I uncheck the "read only" box and hit apply i get this error.
"An Error occurred applying attributes to this file Access is Denied" same for the folder "Skybot -Search and Destroy

*verified folder options "show hidden files" is checked

The malware that had (been removed) infected my system Changed and locked these files so i cound not run this program..

* when you click on theSpybotSD.exe you get this error:
"Windows Cannot Access the specified deice,path or file.
You may not have the appropriate permissions to access the item"

So how do we fix what the nasty little Bug did..:flame:

THIS IS WHAT SHE SAID THIS MORNIGN:confused:



Hello,

I am sorry, but then I do not think that your system is clean.
Did you try to download a fresh installation of Spybot and copy it over the existing file?

Best regards
Sandra
Team Spybot

I did not try to install a new S&D because then I will have 3 infected files
that cannot be overwritten so install will fail....( i think)

just trying to do the right thing

HR

ARCHellraiser
2009-09-25, 14:03
the 3 infected files

ken545
2009-09-25, 15:01
Hi,

Do this

Download Dr.Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) to the desktop:

Doubleclick the drweb-cureit icon to start the program.
press start
Allow the program to run the initial express scan
This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.

Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
Once the scan is complete, on the menu bar, click file and choose report list.
Save the report to your desktop. The report will be called DrWeb.csv
Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
Close Dr.Web Cureit.
Please post the Dr.Web.txt report in your next reply

ARCHellraiser
2009-09-26, 10:24
Morning Ken,
When you said would take several hours U were not kidding..

Here is the log
did not delete them so we could decide

I know VNC it's a program I used 1 time for work for to View remote servers.
Don't need it any more.

THE 3 spyboy S&D files are still there and I still cannot delete them and one of them is "spybotSD.exe:thud:

That bug did a good job..

please advise

HR


iwapi.chm\DLLGeneral.html;C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\InstantWrite SDK\InstantWrite\InstantWrite SDK\iwapi.chm;Modification of BAT.Wed.4730;;
iwapi.chm;C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\InstantWrite SDK\InstantWrite\InstantWrite SDK;Container contains infected objects;Moved.;
vncviewer.exe;C:\Program Files\UltraVNC;Program.RemoteAdmin.37;;
vnc-4.0-x86_win32.exe\data002;C:\Work\Files that need coped\VNC_4\Server and Viewer\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe\data003;C:\Work\Files that need coped\VNC_4\Server and Viewer\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe\data004;C:\Work\Files that need coped\VNC_4\Server and Viewer\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe\data006;C:\Work\Files that need coped\VNC_4\Server and Viewer\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe;C:\Work\Files that need coped\VNC_4\Server and Viewer;Archive contains infected objects;Moved.;
vnc-4.0-x86_win32_viewer.exe;C:\Work\Files that need coped\VNC_4\Viewer Only;Program.RemoteAdmin;;
UltraVNC-102-Setup.exe\data014;C:\Work\Ultra VNC\UltraVNC-102-Setup.exe;Program.RemoteAdmin.37;;
UltraVNC-102-Setup.exe;C:\Work\Ultra VNC;Archive contains infected objects;Moved.;
vnc-4_1_2-x86_win32.exe\data005;C:\Work\VNC 4_1_2\vnc-4_1_2-x86_win32.exe;Program.RemoteAdmin.51;;
vnc-4_1_2-x86_win32.exe;C:\Work\VNC 4_1_2;Archive contains infected objects;Moved.;
vnc-4_1_2-x86_win32_viewer.exe;C:\Work\VNC 4_1_2;Program.RemoteAdmin.51;;

ken545
2009-09-26, 13:38
Lets let Combofix remove it

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Folder::




Folder::
C:\Program Files\Spybot - Search & Destroy


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ARCHellraiser
2009-09-26, 18:22
Morniong
had run Combofix /u as instructed but NP
downloaded and followed below..


THEY ARE GONE:bigthumb::bigthumb:
See log:
anything else you see in the log??

other wise I think were are good

should i remove remove combfix as before?

HR


ComboFix 09-09-25.01 - Administrator 09/26/2009 11:05.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.671 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Spybot - Search & Destroy
c:\program files\Spybot - Search & Destroy\advcheck.dll
c:\program files\Spybot - Search & Destroy\HGCWMZUHVHYHRVH.scr
c:\program files\Spybot - Search & Destroy\SpybotSD.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-19 04:05 . 2009-09-19 04:05 -------- d-----w- c:\program files\ERUNT
2009-09-17 04:13 . 2009-09-22 01:23 -------- d--h--w- c:\windows\PIF
2009-09-08 03:32 . 2009-09-08 03:32 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-09-06 00:03 . 2004-08-04 04:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-09-06 00:03 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-09-03 18:07 . 2009-09-03 18:07 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-02 21:30 . 2009-09-04 03:55 -------- d-----w- C:\Fraps
2009-09-02 15:39 . 2009-09-08 03:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-09-02 15:33 . 2009-09-02 15:33 -------- d-----w- c:\windows\system32\URTTEMP
2009-09-02 12:24 . 2009-09-02 12:24 -------- d-----w- c:\windows\system32\windows media
2009-09-02 12:24 . 2009-09-02 12:24 -------- d-----w- c:\program files\Windows Media Components
2009-08-29 15:12 . 2009-08-29 15:12 0 ----a-w- c:\windows\nsreg.dat
2009-08-29 15:12 . 2009-08-29 15:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-29 11:19 . 2009-08-29 11:19 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-08-28 02:54 . 2009-08-28 02:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-08-28 02:28 . 2004-08-04 03:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-08-28 02:28 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-08-28 00:39 . 2009-08-28 00:39 1329709 ----a-w- c:\windows\Recorder.reg
2009-08-28 00:38 . 2009-08-28 00:38 -------- d-----w- c:\program files\Common Files\Fellowes
2009-08-28 00:37 . 2009-08-28 00:38 -------- d-----w- c:\program files\Pinnacle
2009-08-28 00:23 . 1997-12-23 01:02 23936 ----a-w- c:\windows\system32\drivers\aspi32.sys
2009-08-28 00:23 . 1997-12-23 00:23 5600 ----a-w- c:\windows\system\winaspi.dll
2009-08-28 00:23 . 1997-12-23 00:23 4672 ----a-w- c:\windows\system\wowpost.exe
2009-08-28 00:23 . 1997-12-23 00:23 48128 ----a-w- c:\windows\system32\wnaspi32.dll
2009-08-28 00:23 . 1999-07-07 21:32 138240 ----a-w- c:\windows\system32\Viasetup.dll
2009-08-28 00:23 . 1999-06-29 21:15 25264 ----a-w- c:\windows\system32\ivimci.drv
2009-08-28 00:23 . 1999-08-23 03:00 884736 ----a-w- c:\windows\system32\ivimci32.dll
2009-08-27 17:31 . 2009-08-27 17:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 17:31 . 2009-08-27 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 07:42 . 2009-08-14 05:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-26 07:40 . 2009-08-12 03:30 -------- d-----w- c:\program files\Windows Live
2009-09-23 22:03 . 2009-09-23 22:03 -------- d-----w- c:\program files\ESET
2009-09-23 05:47 . 2009-08-12 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2009-09-23 03:30 . 2009-08-12 03:42 -------- d-----w- c:\program files\Xfire
2009-09-23 00:54 . 2009-09-23 00:54 -------- d-----w- c:\program files\Gadwin Systems
2009-09-23 00:31 . 2009-08-17 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 22:42 . 2009-08-22 15:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-09-22 22:19 . 2009-08-22 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-22 14:51 . 2009-09-19 04:09 -------- d-----w- c:\program files\Trend Micro
2009-09-22 10:14 . 2009-09-22 10:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 06:32 . 2009-08-19 03:12 -------- d-----w- c:\program files\Driver Robot
2009-09-10 18:54 . 2009-09-22 10:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-09-22 10:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 12:24 . 2007-04-30 20:03 28368 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-02 12:24 . 2009-08-12 03:31 -------- d-----w- c:\program files\Microsoft
2009-08-28 05:11 . 2009-08-14 06:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-08-28 05:11 . 2009-08-14 06:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-08-28 05:11 . 2009-08-14 06:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-08-28 00:27 . 2007-04-30 21:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
2009-08-25 05:05 . 2007-04-30 21:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-23 02:10 . 2007-04-30 21:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-22 15:31 . 2009-08-22 15:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----r- c:\program files\Skype
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\program files\Common Files\Skype
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-22 15:02 . 2009-08-22 15:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\teamspeak2
2009-08-22 15:02 . 2009-08-22 15:02 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-08-22 02:34 . 2009-08-22 02:33 -------- d-----w- c:\program files\Good_Fox
2009-08-22 00:49 . 2009-08-22 00:49 -------- d-----w- c:\program files\Fox
2009-08-20 00:51 . 2009-08-20 00:50 -------- d-----w- c:\program files\Realtek AC97
2009-08-19 03:12 . 2009-08-19 03:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Blitware
2009-08-19 02:04 . 2009-08-19 02:04 -------- d-----w- c:\program files\Logitech
2009-08-19 02:04 . 2009-08-19 02:04 -------- d-----w- c:\program files\Common Files\Logitech
2009-08-14 19:40 . 2009-08-14 15:50 -------- d-----w- c:\program files\ATI Technologies
2009-08-14 19:14 . 2009-08-14 19:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-08-14 18:37 . 2009-08-14 18:37 -------- d-----w- c:\program files\directx
2009-08-14 15:53 . 2009-08-14 15:53 -------- d-----w- c:\documents and settings\roth\Application Data\ATI
2009-08-14 05:11 . 2009-08-14 05:11 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-14 05:10 . 2009-08-14 05:10 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-14 05:06 . 2007-04-30 19:46 16168 ----a-w- c:\documents and settings\roth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 03:43 . 2009-08-12 03:43 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-08-12 03:30 . 2009-08-12 03:30 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-12 03:14 . 2009-08-12 03:14 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-12 03:10 . 2009-08-12 03:10 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-12 02:38 . 2009-08-12 02:38 -------- d-----w- c:\program files\MSXML 6.0
2009-08-09 10:30 . 2009-08-09 10:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-08-09 10:30 . 2009-08-09 10:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-08-06 02:48 . 2009-08-14 05:11 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:11 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2004-08-04 04:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2002-08-29 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 18:55 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2004-08-04 04:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 16:15 . 2009-07-10 16:15 306544 ----a-w- c:\windows\WLXPGSS.SCR
.

------- Sigcheck -------

[-] 2005-12-17 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2009-06-25 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-04 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Broadband Networking.lnk - c:\program files\Microsoft Broadband Networking\MSBNTray.exe [2002-8-6 151552]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=c:\windows\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2Serv.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\lithtech.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 4:36 PM 26679]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 11:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 12:12 PM 187392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [8/14/2009 1:11 AM 54752]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 6:33 PM 64000]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [5/1/2007 8:44 AM 6016]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
.
Contents of the 'Scheduled Tasks' folder

2009-09-20 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.0.9.13\DriverRobot.exe [2009-08-19 13:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 11:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-26 11:08
ComboFix-quarantined-files.txt 2009-09-26 15:07
ComboFix2.txt 2009-09-22 14:45

Pre-Run: 59,078,516,736 bytes free
Post-Run: 59,057,725,440 bytes free

214

ken545
2009-09-26, 19:52
Great,

Yes, I would remove CF. Please let Spybotsandra know that this has been resolved.

You can download and install a fresh copy of Spybot here.
http://www.safer-networking.org/en/home/index.html

Take care,

Ken :)

ARCHellraiser
2009-09-26, 20:30
Will Let her know

Many Thanks :bow::bow::bow:

Your one of the best :2thumb:


HR

ARCHellraiser
2009-09-26, 20:55
just a last FYI

I was getting that 2nd blank window every time I started IE
after removing with Combofix /u the second white window
stopped poping up...:D:

HR

ken545
2009-09-26, 23:51
Great :bigthumb:

Take care,

Ken

ARCHellraiser
2009-09-27, 08:07
Will do and keep up the Great Work you and the Team are doing here

Give Rudy and Rerun a exta :oreo:

later

Ed

ARCHellraiser
2009-09-27, 09:25
Morning Ken,
Don't mean to be a bother but when I was cleaning up all the files
we had mad and clearing up my desktop I ran into a file hiding in my download folder.... that cannot be moved,renamed or deleted


HijackThis.exe 393KB appliaction created 9-19-09 12:21 am

about the time this all started.

I have spybot , spyblater and malwarebytes running

when i try to do anything to it I get the error.

see attached

just trying to be safe

HR

ken545
2009-09-27, 13:02
Hi,

HJT is a safe program, its what we use to analyze whats running on your system.

What is the complete path to the file

Example: C:\downloads ???

ARCHellraiser
2009-09-27, 16:13
Morning Ken,
full path is

C:\DOWNLOADS\HijackThis.exe

What dangerous about this is I 1st posted here 9-19 at 2:00 pm
this was created 9-19- 12:21 am. the time I was downloading
the Infected game file and got infected.

What odd about this is none of the attributes are checked or grayed out
but it cannot be moved or changed or deleted,and it an .exe
like it sitting there ready to run as soon as it is called ..

like the creator of the bug knew it get caught but left a back door??

ALL everything I download goes to this folder ..
i just feel this may have come in piggy-backed with the bug

HR

ken545
2009-09-27, 16:17
Please download OTM (http://oldtimer.geekstogo.com/OTM.exe) by OldTimer.

Save it to your desktop.
Please click OTM and then click >> run.
Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



:Processes
explorer.exe

:Services

:Reg

:Files
C:\DOWNLOADS\HijackThis.exe


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

ARCHellraiser
2009-09-27, 17:33
as instructed
was I correct in my theory??

File is gone

can OTM be used as on a Reg basis to clean up the garbage??

Ed

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\DOWNLOADS\HijackThis.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 868204 bytes
->Temporary Internet Files folder emptied: 2824140 bytes
->FireFox cache emptied: 43594205 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: maint
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: roth
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 2165053 bytes
%systemroot%\System32 .tmp files removed: 2300433 bytes
Windows Temp folder emptied: 40960 bytes
RecycleBin emptied: 292634 bytes

Total Files Cleaned = 49.74 mb


OTM by OldTimer - Version 3.0.0.6 log created on 09272009_102353

Files moved on Reboot...

Registry entries deleted on Reboot...

ken545
2009-09-27, 17:49
That was a funny entry, good or bad its gone. As far as OTM, its your call, remove the wrong entry and you can disable your system so I would just use it under supervision.

Take care,
Ken

ARCHellraiser
2009-09-27, 18:44
:thanks: same to you

Ed

ken545
2009-09-28, 00:29
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.