Can't remove 2 win32.fraud.loadedt [Archive]

View Full Version : Can't remove 2 win32.fraud.loadedt

undeadwolf7

2009-11-13, 18:42

I'm having trouble removing 2 win32.fraud.loadedt on my system i've run spy bot S&D many times in both normal and safe mode, also had it run at system start up but it's not able to remove the files please help with this if possible

Here is my Hi jack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:00 AM, on 11/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\Kenny\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kenny\Desktop\Reinstall\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [gumamoyev] Rundll32.exe "c:\windows\system32\godohavu.dll",a
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8C292180-8BB2-495F-B94B-89FE9F2B530A} (ccr_downloader Control) - http://rfonline-full.gscdn.com/gscdn/ccr_downloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\genafizu.dll C:\WINDOWS\system32\yunogisa.dll c:\windows\system32\rirururu.dll dehageja.dll c:\windows\system32\godohavu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: bibelefoh - {d9017acf-52af-48d4-81b4-a9c261dc8a08} - c:\windows\system32\rirururu.dll (file missing)
O21 - SSODL: bakepahur - {11f06a01-4b2c-4fe9-bd04-1a2190c3bdb9} - c:\windows\system32\godohavu.dll
O22 - SharedTaskScheduler: gahurihor - {d9017acf-52af-48d4-81b4-a9c261dc8a08} - c:\windows\system32\rirururu.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {11f06a01-4b2c-4fe9-bd04-1a2190c3bdb9} - c:\windows\system32\godohavu.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 9950 bytes

km2357

2009-11-17, 21:11

Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis Log

undeadwolf7

2009-11-18, 00:03

thanks for taking the time to help me here is my new hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:01 PM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kenny\Desktop\Reinstall\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8C292180-8BB2-495F-B94B-89FE9F2B530A} (ccr_downloader Control) - http://rfonline-full.gscdn.com/gscdn/ccr_downloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\genafizu.dll C:\WINDOWS\system32\yunogisa.dll c:\windows\system32\rirururu.dll dehageja.dll c:\windows\system32\godohavu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: bibelefoh - {d9017acf-52af-48d4-81b4-a9c261dc8a08} - c:\windows\system32\rirururu.dll (file missing)
O21 - SSODL: bakepahur - {11f06a01-4b2c-4fe9-bd04-1a2190c3bdb9} - c:\windows\system32\godohavu.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {d9017acf-52af-48d4-81b4-a9c261dc8a08} - c:\windows\system32\rirururu.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {11f06a01-4b2c-4fe9-bd04-1a2190c3bdb9} - c:\windows\system32\godohavu.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

--
End of file - 8912 bytes

km2357

2009-11-18, 06:00

Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the version 1.5 or 1.6, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

Step # 2: Remove Hijackthis Entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Step # 3 Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

Step # 4: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.

In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

undeadwolf7

2009-11-18, 13:11

I was unable to get Gmer to finish running I ran it and recieved a windows blue screen error

Page_Fault_In_NonpagedArea File fwliapow.sys

I attempted it twice and recieved that error twice I was able to run the dds
I was unsure of how you wanted the attach.txt file from dds so i haven't posted it yet please let me know

DDS (Ver_09-10-26.01) - NTFSx86
Run by Kenny at 2:27:15.04 on Wed 11/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.486 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kenny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8C292180-8BB2-495F-B94B-89FE9F2B530A} - hxxp://rfonline-full.gscdn.com/gscdn/ccr_downloader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\genafizu.dll c:\windows\system32\yunogisa.dll c:\windows\system32\rirururu.dll dehageja.dll c:\windows\system32\godohavu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: bibelefoh - {d9017acf-52af-48d4-81b4-a9c261dc8a08} - c:\windows\system32\rirururu.dll
SSODL: bakepahur - {11f06a01-4b2c-4fe9-bd04-1a2190c3bdb9} - c:\windows\system32\godohavu.dll
STS: gahurihor: {d9017acf-52af-48d4-81b4-a9c261dc8a08} - c:\windows\system32\rirururu.dll
STS: tokatiluy: {11f06a01-4b2c-4fe9-bd04-1a2190c3bdb9} - c:\windows\system32\godohavu.dll
LSA: Notification Packages = scecli c:\windows\system32\genafizu.dll shkbkbrw.dll c:\windows\system32\yunogisa.dll bitonuta.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenny\applic~1\mozilla\firefox\profiles\vgtyytk2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\kenny\application data\mozilla\firefox\profiles\vgtyytk2.default\extensions\cslauncher@cyberstep.com\plugins\npCsLauncher.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {8651ACE7-2EFF-4A6F-A91B-0109AFDE821C} - c:\documents and settings\kenny\local settings\application data\{8651ACE7-2EFF-4A6F-A91B-0109AFDE821C}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-30 297752]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\vmlaunch\buddyvm.sys --> c:\program files\vmlaunch\BuddyVM.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\xdva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva284;XDva284;\??\c:\windows\system32\xdva284.sys --> c:\windows\system32\XDva284.sys [?]
S4 DNADownloader;DNADownloader;c:\program files\gamespot\downloadmanager_win32.exe --> c:\program files\gamespot\DownloadManager_Win32.exe [?]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-11-16 12:11:12 0 d-sh--w- C:\found.003
2009-11-12 07:36:39 0 d-----w- c:\program files\Bethesda Softworks
2009-11-11 05:20:35 3252 ----a-w- c:\windows\system32\wbem\Outlook_01ca628eb28623c4.mof
2009-11-10 01:25:36 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-10 01:25:33 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-11-10 01:25:33 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-11-10 01:25:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-11-10 01:25:31 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-10 01:25:31 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-11-10 01:25:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-10 00:50:52 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2009-11-10 00:50:52 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2009-11-10 00:50:51 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2009-11-10 00:50:49 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2009-11-10 00:50:46 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2009-11-10 00:50:46 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2009-11-10 00:50:43 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2009-11-10 00:50:41 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2009-11-10 00:50:39 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2009-11-10 00:50:38 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll
2009-11-10 00:45:23 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2009-11-10 00:45:23 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2009-11-10 00:45:21 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-11-10 00:44:37 0 d-----w- c:\windows\system32\xlive
2009-11-10 00:44:36 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-11-09 01:39:34 0 d-----w- C:\GamepotUSA
2009-11-08 20:11:58 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-08 09:35:56 82432 ---h-tw- c:\windows\system32\9c13920.dll
2009-11-08 09:35:56 82432 ---h-tw- c:\windows\system32\17d08eb5.dll
2009-11-08 09:25:51 82432 ---h-tw- c:\windows\system32\b533e7b.dll
2009-11-08 09:25:51 82432 ---h-tw- c:\windows\system32\a3cb000.dll
2009-11-07 00:36:09 82432 ---h-tw- c:\windows\system32\dd9c188.dll
2009-11-07 00:36:09 82432 ---h-tw- c:\windows\system32\18324090.dll
2009-11-07 00:34:53 82432 ---h-tw- c:\windows\system32\6b49aca.dll
2009-11-07 00:34:53 82432 ---h-tw- c:\windows\system32\3920f5f4.dll
2009-11-06 02:14:42 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-04 22:31:12 0 d-----w- c:\program files\Silkroad
2009-11-04 18:38:03 26176 ---ha-w- c:\windows\system32\hamachi.sys
2009-11-04 00:31:55 0 d-----w- c:\docume~1\kenny\applic~1\NeopleLauncherDFO
2009-10-29 02:26:38 0 d-----w- c:\program files\IObit
2009-10-22 02:29:41 0 d-----w- c:\docume~1\kenny\applic~1\Stardock
2009-10-22 02:28:08 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{6F7EF3E6-7F1B-4824-84CD-E8DF6F1B4168}
2009-10-22 02:27:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Stardock

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-10-03 00:57:51 22328 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-03 00:57:51 22328 ----a-w- c:\docume~1\kenny\applic~1\PnkBstrK.sys
2009-10-03 00:57:41 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-03 00:57:24 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-03 00:57:24 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2009-10-01 13:58:07 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-23 15:41:58 26176 ---ha-w- c:\windows\system32\drivers\hamachi.sys
2009-09-15 23:35:28 991432 ----a-w- c:\windows\system32\xa.tmp
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 22:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-09-02 02:52:57 98304 -c--a-w- c:\windows\system32CmdLineExt.dll
2009-08-28 10:28:59 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-25 22:04:30 75264 ----a-w- c:\windows\system32\uc_holybeast_launching.dll
2007-04-23 12:19:30 49889 -c--a-w- c:\program files\uninstal.log
2007-05-03 23:46:05 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-11-04 13:07:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110420081105\index.dat

============= FINISH: 2:28:07.89 ===============

km2357

2009-11-18, 21:30

For the Attach.txt file from DDS, go ahead and post it like you did the main DDS Log.

Since you had trouble running GMER, let's try a different rootkit scanner.

Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Double click Sysprot.exe to start the program.

Click on the Log tab.
In the Write to log box select the following items only:
Process
Kernel Modes
SSDT
Kernel Hooks
Hidden Files
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Post attach.txt and the SysProt Log in your next post/reply. Use multiple replies if you can't fit everything into one post.

undeadwolf7

2009-11-19, 08:47

was able to get sysprot to scan

Here is the attach.txt log file from the dds scan

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/17/2007 11:04:47 PM
System Uptime: 11/18/2009 6:02:57 AM (0 hours ago)

Motherboard: Dell Inc. | | 0WG855
Processor: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz | Microprocessor | 2660/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 80.251 GiB free.
D: is CDROM (UDF)
G: is FIXED (FAT32) - 93 GiB total, 65.394 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1145: 8/20/2009 1:47:36 AM - Removed HolyBeast
RP1146: 8/20/2009 1:49:58 AM - Removed Neverwinter Nights 2
RP1147: 8/20/2009 1:52:20 AM - Removed Star Wars JK II Jedi Outcast
RP1148: 8/20/2009 1:52:58 AM - Removed Steam
RP1149: 8/21/2009 2:18:16 PM - System Checkpoint
RP1150: 8/22/2009 11:16:56 AM - Configured PlayOnline Viewer & Tetra Master
RP1151: 8/23/2009 12:09:11 PM - System Checkpoint
RP1152: 8/24/2009 1:50:50 PM - System Checkpoint
RP1153: 8/25/2009 1:41:45 PM - Installed Call of Duty 2
RP1154: 8/27/2009 3:00:19 AM - Software Distribution Service 3.0
RP1155: 8/27/2009 4:42:22 PM - Removed Star Wars Jedi Knight Jedi Academy
RP1156: 8/31/2009 7:04:57 AM - System Checkpoint
RP1157: 9/1/2009 1:33:50 PM - System Checkpoint
RP1158: 9/1/2009 10:39:07 PM - Installed Command & Conquer 3.
RP1159: 9/2/2009 3:00:14 AM - Software Distribution Service 3.0
RP1160: 9/2/2009 10:42:33 AM - Installed Command & Conquer™ 3: Kane's Wrath.
RP1161: 9/3/2009 12:37:56 PM - System Checkpoint
RP1162: 9/4/2009 1:34:40 PM - System Checkpoint
RP1163: 9/6/2009 1:19:52 AM - System Checkpoint
RP1164: 9/7/2009 4:04:34 AM - System Checkpoint
RP1165: 9/8/2009 4:16:32 AM - System Checkpoint
RP1166: 9/9/2009 6:53:38 AM - System Checkpoint
RP1167: 9/10/2009 3:00:34 AM - Software Distribution Service 3.0
RP1168: 9/10/2009 11:10:06 AM - Removed Command & Conquer™ 3: Kane's Wrath.
RP1169: 9/10/2009 11:17:18 AM - Removed Command & Conquer 3.
RP1170: 9/10/2009 11:23:58 AM - Installed Command & Conquer 3.
RP1171: 9/12/2009 5:40:07 PM - System Checkpoint
RP1172: 9/13/2009 11:52:25 PM - System Checkpoint
RP1173: 9/15/2009 7:59:55 AM - System Checkpoint
RP1174: 9/16/2009 1:01:48 PM - System Checkpoint
RP1175: 9/17/2009 2:02:01 PM - System Checkpoint
RP1176: 9/17/2009 3:33:07 PM - Installed Battlefield 2142
RP1177: 9/17/2009 3:36:59 PM - Installed DirectX
RP1178: 9/17/2009 4:37:26 PM - Installed Battlefield 2142 Update v1.50
RP1179: 9/19/2009 4:02:46 AM - System Checkpoint
RP1180: 9/20/2009 4:32:35 AM - System Checkpoint
RP1181: 9/21/2009 7:53:05 PM - System Checkpoint
RP1182: 9/23/2009 12:24:51 AM - Removed Command & Conquer 3.
RP1183: 9/23/2009 11:47:32 PM - Installed Ventrilo Client
RP1184: 9/24/2009 3:03:21 AM - Installed Sid Meier's Pirates!
RP1185: 9/26/2009 4:22:27 AM - System Checkpoint
RP1186: 9/27/2009 12:52:29 PM - System Checkpoint
RP1187: 9/28/2009 7:37:26 PM - System Checkpoint
RP1188: 9/30/2009 12:13:29 AM - System Checkpoint
RP1189: 10/1/2009 9:58:06 AM - SPTD setup V1.58
RP1190: 10/2/2009 12:48:20 PM - System Checkpoint
RP1191: 10/2/2009 8:42:10 PM - Installed Tom Clancy's Rainbow Six Vegas 2
RP1192: 10/2/2009 8:56:18 PM - Installed DirectX
RP1193: 10/5/2009 1:26:09 AM - System Checkpoint
RP1194: 10/5/2009 3:34:25 PM - Avg8 Update
RP1195: 10/5/2009 3:36:29 PM - Avg8 Update
RP1196: 10/7/2009 4:53:59 AM - System Checkpoint
RP1197: 10/7/2009 8:14:28 AM - Avg8 Update
RP1198: 10/8/2009 5:52:09 PM - System Checkpoint
RP1199: 10/10/2009 12:44:22 AM - System Checkpoint
RP1200: 10/12/2009 12:27:51 AM - System Checkpoint
RP1201: 10/12/2009 12:33:56 PM - Removed Supreme Commander: Forged Alliance (TM)
RP1202: 10/12/2009 12:35:11 PM - Removed Tom Clancy's Rainbow Six Vegas 2
RP1203: 10/13/2009 3:00:26 AM - Software Distribution Service 3.0
RP1204: 10/14/2009 3:00:49 AM - Software Distribution Service 3.0
RP1205: 10/14/2009 2:25:14 PM - Software Distribution Service 3.0
RP1206: 10/15/2009 3:20:59 PM - System Checkpoint
RP1207: 10/17/2009 3:00:54 AM - Software Distribution Service 3.0
RP1208: 10/18/2009 3:00:53 AM - Software Distribution Service 3.0
RP1209: 10/18/2009 9:09:21 AM - Avg8 Update
RP1210: 10/20/2009 3:00:26 AM - Software Distribution Service 3.0
RP1211: 10/21/2009 3:32:13 AM - System Checkpoint
RP1212: 10/21/2009 9:09:16 AM - Avg8 Update
RP1213: 10/21/2009 10:23:57 PM - Installed DirectX
RP1214: 10/22/2009 10:36:11 PM - System Checkpoint
RP1215: 10/24/2009 12:24:19 AM - System Checkpoint
RP1216: 10/25/2009 1:04:10 AM - System Checkpoint
RP1217: 10/26/2009 2:04:13 AM - System Checkpoint
RP1218: 10/28/2009 3:35:13 AM - System Checkpoint
RP1219: 10/29/2009 3:55:24 PM - System Checkpoint
RP1220: 11/3/2009 10:50:22 AM - Avg8 Update
RP1221: 11/4/2009 4:00:28 AM - Software Distribution Service 3.0
RP1222: 11/4/2009 2:36:33 PM - Installed LogMeIn Hamachi
RP1223: 11/4/2009 5:05:36 PM - Removed LogMeIn Hamachi
RP1224: 11/5/2009 5:54:12 PM - System Checkpoint
RP1225: 11/6/2009 9:14:16 AM - Avg8 Update
RP1226: 11/7/2009 11:37:13 AM - System Checkpoint
RP1227: 11/7/2009 1:35:51 PM - Installed Star Wars®: Knights of the Old Republic (TM)
RP1228: 11/8/2009 4:07:55 AM - Installed Soul of the Ultimate Nation
RP1229: 11/8/2009 4:23:25 AM - Installed ijji REACTOR
RP1230: 11/8/2009 8:04:37 PM - Removed Sid Meier's Pirates!
RP1231: 11/8/2009 8:39:31 PM - Installed BrightShadow
RP1232: 11/9/2009 4:50:52 PM - Removed Rhapsody Player Engine
RP1233: 11/9/2009 4:53:46 PM - Removed Dell Support 3.2.1
RP1234: 11/9/2009 4:54:40 PM - Removed Roxio DLA
RP1235: 11/9/2009 4:55:02 PM - Removed Roxio Express Labeler
RP1236: 11/9/2009 4:55:30 PM - Removed Roxio MyDVD LE
RP1237: 11/9/2009 4:55:45 PM - Removed Roxio RecordNow Audio
RP1238: 11/9/2009 4:55:57 PM - Removed Roxio RecordNow Copy
RP1239: 11/9/2009 4:56:14 PM - Removed Roxio RecordNow Data
RP1240: 11/9/2009 7:45:10 PM - Installed DirectX
RP1241: 11/9/2009 7:45:53 PM - Installed RESIDENT EVIL 5.
RP1242: 11/9/2009 8:25:27 PM - Installed DirectX
RP1243: 11/9/2009 9:14:47 PM - Installed ATI Catalyst Control Center
RP1244: 11/9/2009 10:25:36 PM - Removed RESIDENT EVIL 5.
RP1245: 11/11/2009 5:25:51 PM - Removed BrightShadow
RP1246: 11/11/2009 6:08:13 PM - Installed BrightShadow
RP1247: 11/12/2009 12:43:05 AM - Removed Oblivion - The Wizard's Tower
RP1248: 11/12/2009 12:43:59 AM - Removed Oblivion - The Vile Lair
RP1249: 11/12/2009 12:44:20 AM - Removed Oblivion - The Thieves Den
RP1250: 11/12/2009 12:44:52 AM - Removed Oblivion - Spell Tomes
RP1251: 11/12/2009 12:45:14 AM - Removed Oblivion - Orrery
RP1252: 11/12/2009 12:46:00 AM - Removed Oblivion - Mehrunes Razor
RP1253: 11/12/2009 12:46:21 AM - Removed Oblivion - Knights of the Nine
RP1254: 11/12/2009 12:47:04 AM - Removed Oblivion - Construction Set
RP1255: 11/12/2009 12:47:33 AM - Removed Oblivion
RP1256: 11/12/2009 1:00:05 AM - Installed Oblivion
RP1257: 11/12/2009 1:00:12 AM - Installed DirectX 9.0
RP1258: 11/12/2009 2:35:10 AM - Removed Oblivion
RP1259: 11/12/2009 2:36:35 AM - Installed Oblivion
RP1260: 11/12/2009 2:36:43 AM - Installed DirectX 9.0
RP1261: 11/12/2009 3:10:01 AM - Before removal of RIRURURU.DLL
RP1262: 11/12/2009 3:29:05 AM - Removed ijji REACTOR
RP1263: 11/12/2009 4:51:55 AM - Removed Soul of the Ultimate Nation
RP1264: 11/13/2009 4:24:34 AM - Installed Oblivion - Horse Armor Pack
RP1265: 11/13/2009 4:25:37 AM - Installed Oblivion - Knights of the Nine
RP1266: 11/13/2009 4:26:11 AM - Installed Oblivion - Mehrunes Razor
RP1267: 11/13/2009 4:26:30 AM - Installed Oblivion - Orrery
RP1268: 11/13/2009 4:26:47 AM - Installed Oblivion - Spell Tomes
RP1269: 11/13/2009 4:27:03 AM - Installed Oblivion - The Thieves Den
RP1270: 11/13/2009 4:27:21 AM - Installed Oblivion - The Vile Lair
RP1271: 11/13/2009 4:27:38 AM - Installed Oblivion - The Wizard's Tower
RP1272: 11/13/2009 6:20:54 PM - Installed Oblivion - Construction Set
RP1273: 11/16/2009 7:44:46 AM - System Checkpoint
RP1274: 11/17/2009 12:23:43 AM - Software Distribution Service 3.0
RP1275: 11/17/2009 12:36:36 AM - Software Distribution Service 3.0
RP1276: 11/17/2009 1:09:41 PM - Removed Oblivion - The Wizard's Tower
RP1277: 11/17/2009 1:10:17 PM - Removed Oblivion - The Vile Lair
RP1278: 11/17/2009 1:10:38 PM - Removed Oblivion - The Thieves Den
RP1279: 11/17/2009 1:11:06 PM - Removed Oblivion - Spell Tomes
RP1280: 11/17/2009 1:11:32 PM - Removed Oblivion - Orrery
RP1281: 11/17/2009 1:11:57 PM - Removed Oblivion - Mehrunes Razor
RP1282: 11/17/2009 1:12:19 PM - Removed Oblivion - Knights of the Nine
RP1283: 11/17/2009 1:12:39 PM - Removed Oblivion - Horse Armor Pack
RP1284: 11/17/2009 1:13:17 PM - Removed Oblivion - Construction Set
RP1285: 11/17/2009 1:13:49 PM - Removed Oblivion
RP1286: 11/17/2009 1:14:32 PM - Removed Pluggy

==== Installed Programs ======================

1503 A.D.
3DSexVilla-017.001 (Cracked)
7-Zip 4.42
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
Adobe Shockwave Player
Advanced Decoder Patch
AGEIA PhysX v7.05.06
All Sound Recorder XP 2.30
AOLIcon
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AutoUpdate
AVG Free 8.5
Battlefield 2142
Blender (remove only)
BrightShadow
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CDBurnerXP
CEP (Color Enable Package) v.9.0 (beta)
Compatibility Pack for the 2007 Office system
Corel Paint Shop Pro X
Creative Audio Pack
Creative MediaSource 5
Critical Update for Windows Media Player 11 (KB959772)
DAEMON Tools Toolbar
Dawn Of War
Dawn Of War - Winter Assault
DDS Converter 2.1
DDS Thumbnail Viewer
Dell CinePlayer
Dell Driver Reset Tool
Dell System Restore
Digital Content Portal
Direct KiSS
DivX Codec
DivX Converter
Documentation & Support Launcher
EA Download Manager
ERUNT 1.1j
Fraps (remove only)
Free Download Manager 2.5
Game Booster
Games, Music, & Photos Launcher
GameSpot Download Manager
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
IGN Download Manager 2.3.4
Impulse
Indeo® Software
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™ Software
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 13
Learn2 Player (Uninstall Only)
Media Center Extender
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft FrontPage Client - English
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Works
Microsoft XML Parser
Mozilla Firefox (3.0.15)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NameMage
NifSkope (remove only)
NVIDIA DDS Utilities
NVIDIA Photoshop Plug-ins
Pando Media Booster
PowerISO
PunkBuster Services
Python 2.5
Q-Xpress Installer 1.1.9
QuickTime
Rappelz Epic3
RealPlayer Basic
Rohan_RBF
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skins
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Spybot - Search & Destroy
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
Star Wars®: Knights of the Old Republic (TM)
Symantec KB-DocID:2003093015493306
TBS WMP Plug-in
The Drawing Board v2 Beta
The Drawing Board v2 Beta (C:\Program Files\The Drawing Board\)
The Drawing Board v2 Beta (C:\Program Files\The Drawing Board\) #3
The Drawing Board v2 Beta (C:\Program Files\The Drawing Board\) #5
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Vehicle Factory
Ventrilo Client
Viewpoint Media Player
Visual Studio.NET Baseline - English
Vuze
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Wings 3D 0.98.32a
WinRAR archiver
World of Warcraft
wxPython 2.8.1.1 (ansi) for Python 2.5
Xfire (remove only)
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/17/2009 12:28:47 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {B20E899D-B079-479D-A4DC-10F758D9CD9A}
11/16/2009 4:42:16 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer DADSLAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{16B3784B-DB13-4D5. The master browser is stopping or an election is being forced.
11/15/2009 6:25:45 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
11/13/2009 12:24:18 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu Tcpip
11/13/2009 12:24:18 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/12/2009 5:48:50 PM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/12/2009 5:26:31 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
11/12/2009 4:18:51 AM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
11/12/2009 3:23:13 AM, error: Service Control Manager [7000] - The npkcrypt service failed to start due to the following error: The system cannot find the path specified.
11/12/2009 3:23:13 AM, error: Service Control Manager [7000] - The BuddyVM service failed to start due to the following error: The system cannot find the path specified.
11/12/2009 3:18:42 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/12/2009 3:18:42 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/12/2009 3:18:42 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/12/2009 3:17:38 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/12/2009 3:17:37 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/12/2009 3:17:30 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/12/2009 3:17:19 AM, error: sptd [4] - Driver detected an internal error in its data structures for .
11/12/2009 12:39:44 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================

and here is sysprot

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 684
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 732
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 808
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 820
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 992
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1008
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1080
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1184
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1224
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1396
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1500
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1592
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1804
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehtray.exe
PID: 1952
Hidden: No
Window Visible: No

Name: C:\WINDOWS\stsystra.exe
PID: 1964
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PID: 1976
Hidden: No
Window Visible: No

Name: C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PID: 1988
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 1996
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 212
Hidden: No
Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PID: 252
Hidden: No
Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PID: 572
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\system32\svchost.exe
PID: 1260
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 1652
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PID: 1724
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\CTSVCCDA.EXE
PID: 1780
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehrecvr.exe
PID: 1820
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehSched.exe
PID: 1936
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PID: 304
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\RMSvc.exe
PID: 544
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2120
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 2128
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2508
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\McrdSvc.exe
PID: 2632
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe
PID: 2668
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\dllhost.exe
PID: 3216
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3436
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehmsas.exe
PID: 3668
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 884
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 2892
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Kenny\Desktop\SysProt\SysProt.exe
PID: 712
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Kenny\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A1203000
Module End: A120E000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7B44000
Module End: F7B46000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7A54000
Module End: F7A57000
Hidden: No

Module Name: spwy.sys
Service Name: ---
Module Base: F7442000
Module End: F7543000
Hidden: Yes

Module Name: \WINDOWS\System32\Drivers\WMILIB.SYS
Service Name: ---
Module Base: F7B46000
Module End: F7B48000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F742A000
Module End: F7442000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F73FC000
Module End: F742A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F73EB000
Module End: F73FC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7644000
Module End: F764E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F7654000
Module End: F765F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F73CC000
Module End: F73EB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F7B48000
Module End: F7B4A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F73A6000
Module End: F73CC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F78C4000
Module End: F78C9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F7664000
Module End: F7671000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\iaStor.sys
Service Name: iaStor
Module Base: F72EF000
Module End: F73A6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F7674000
Module End: F767D000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F7684000
Module End: F7691000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F72CF000
Module End: F72EF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F72BD000
Module End: F72CF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F7694000
Module End: F769D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F72A6000
Module End: F72BD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys
Service Name: WudfPf
Module Base: F7293000
Module End: F72A6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F7206000
Module End: F7293000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F71D9000
Module End: F7206000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F71BF000
Module End: F71D9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F77F4000
Module End: F77FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F62B9000
Module End: F666F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F62A5000
Module End: F62B9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F796C000
Module End: F7972000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6248000
Module End: F626C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7974000
Module End: F797C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F6220000
Module End: F6248000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F7804000
Module End: F7814000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F797C000
Module End: F7984000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7814000
Module End: F781F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7824000
Module End: F7834000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7834000
Module End: F7843000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F61FD000
Module End: F6220000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\ahjlp85q.SYS
Service Name: ---
Module Base: F61C5000
Module End: F61FD000
Hidden: Yes

Module Name: C:\WINDOWS\system32\DRIVERS\ELacpi.sys
Service Name: ELacpi
Module Base: F79E4000
Module End: F79EC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fsvga.sys
Service Name: FsVga
Module Base: F7B24000
Module End: F7B27000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7C6F000
Module End: F7C70000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F7844000
Module End: F7851000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7B28000
Module End: F7B2B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F61AE000
Module End: F61C5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F7854000
Module End: F785F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F7864000
Module End: F7870000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F79EC000
Module End: F79F1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F619D000
Module End: F61AE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F7874000
Module End: F787D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F79F4000
Module End: F79F9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F79FC000
Module End: F7A01000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F616D000
Module End: F619D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F7884000
Module End: F788E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7A04000
Module End: F7A0A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7A0C000
Module End: F7A12000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7B86000
Module End: F7B88000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F610F000
Module End: F616D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F718A000
Module End: F718E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F7754000
Module End: F775E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F7784000
Module End: F7793000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7B9A000
Module End: F7B9C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sthda.sys
Service Name: STHDA
Module Base: AD99D000
Module End: ADAAD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: AD979000
Module End: AD99D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F77B4000
Module End: F77C3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\monfilt.sys
Service Name: monfilt
Module Base: AD825000
Module End: AD979000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: F7B1C000
Module End: F7B1F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7BD4000
Module End: F7BD6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7D3D000
Module End: F7D3E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7BD6000
Module End: F7BD8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F7994000
Module End: F799B000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: ---
Module Base: F799C000
Module End: F79A2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7BD8000
Module End: F7BDA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7BDA000
Module End: F7BDC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F79A4000
Module End: F79A9000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F79AC000
Module End: F79B4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F5EB2000
Module End: F5EB5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: ABD23000
Module End: ABD36000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: ABCCA000
Module End: ABD23000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: ABCA2000
Module End: ABCCA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: ABC7C000
Module End: ABCA2000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: ABC5A000
Module End: ABC7C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F4D3A000
Module End: F4D43000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F4D2A000
Module End: F4D33000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\SCDEmu.SYS
Service Name: SCDEmu
Module Base: F79B4000
Module End: F79BC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: ABC07000
Module End: ABC32000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: ABB97000
Module End: ABC07000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F4D1A000
Module End: F4D25000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: ACFA3000
Module End: ACFA6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: ACC86000
Module End: ACC8F000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Drivers\Elhid.sys
Service Name: ELhid
Module Base: F7B20000
Module End: F7B23000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: ABD76000
Module End: ABD7D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: ABC4E000
Module End: ABC52000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Drivers\Elmou.sys
Service Name: ELmou
Module Base: F7BF0000
Module End: F7BF2000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Drivers\Elmon.sys
Service Name: ELmon
Module Base: F7BF2000
Module End: F7BF4000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
Service Name: ELkbd
Module Base: F7BF4000
Module End: F7BF6000
Hidden: No

Module Name: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Service Name: eeCtrl
Module Base: A9808000
Module End: A9868000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: ABD6E000
Module End: ABD74000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: A97B7000
Module End: A9808000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: ABC46000
Module End: ABC49000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: A3F3D000
Module End: A3F61000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Udfs.SYS
Service Name: Udfs
Module Base: A3F2C000
Module End: A3F3D000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: A3E75000
Module End: A3F2C000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: ABC3E000
Module End: ABC41000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: ABD56000
Module End: ABD5B000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: A430F000
Module End: A4310000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: A5FE2000
Module End: A5FE6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: A1B48000
Module End: A1B5D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: AE143000
Module End: AE152000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ctusfsyn.sys
Service Name: CTUSFSYN
Module Base: A1AD3000
Module End: A1AFA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
Service Name: ossrv
Module Base: A1AA3000
Module End: A1AD3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
Service Name: ctsfm2k
Module Base: A1A7D000
Module End: A1AA3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: A1861000
Module End: A188E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ASCTRM.SYS
Service Name: ASCTRM
Module Base: F7B76000
Module End: F7B78000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Service Name: atksgt
Module Base: A17F6000
Module End: A1839000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: A16ED000
Module End: A172E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Service Name: lirsgt
Module Base: A8677000
Module End: A867C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\MCSTRM.SYS
Service Name: MCSTRM
Module Base: F7BB0000
Module End: F7BB2000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\PfModNT.sys
Service Name: PfModNT
Module Base: A160D000
Module End: A1625000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: A15BB000
Module End: A160D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: A14E3000
Module End: A14ED000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
Service Name: symlcbrd
Module Base: F7904000
Module End: F790A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\e1e5132.sys
Service Name: e1express
Module Base: A0EEF000
Module End: A0F28000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F74430E0
Driver Base: F7442000
Driver End: F7543000
Driver Name: spwy.sys

Function Name: ZwEnumerateKey
Address: F7461CA4
Driver Base: F7442000
Driver End: F7543000
Driver Name: spwy.sys

Function Name: ZwEnumerateValueKey
Address: F7462032
Driver Base: F7442000
Driver End: F7543000
Driver Name: spwy.sys

Function Name: ZwOpenKey
Address: F74430C0
Driver Base: F7442000
Driver End: F7543000
Driver Name: spwy.sys

Function Name: ZwQueryKey
Address: F746210A
Driver Base: F7442000
Driver End: F7543000
Driver Name: spwy.sys

Function Name: ZwQueryValueKey
Address: F7461F8A
Driver Base: F7442000
Driver End: F7543000
Driver Name: spwy.sys

Function Name: ZwSetValueKey
Address: F746219C
Driver Base: F7442000
Driver End: F7543000
Driver Name: spwy.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Kenny\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Documents and Settings\Kenny\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Documents and Settings\Kenny\Recent\Private Armor Ecup v1.2.lnk
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}
Status: Access denied

km2357

2009-11-19, 22:11

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Vuze

I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.

Also available here (http://forum.malwareremoval.com/viewtopic.php?t=23812&sid=a609c56441d8a2e5dc8d24e3e96420cc).

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Also, looking through your attach Log, I see that you have a cracked program installed on your computer. In the future, please do not install any cracks/warez as they can easily infect/reinfect your computer and are a waste of time.

Go to Add/Remove Programs and uninstall the following:

3DSexVilla-017.001 (Cracked)

Reboot your computer once its been uninstalled.

Let me know when you've removed the game/program and we'll continue. :)

undeadwolf7

2009-11-20, 03:42

I have uninstalled

Vuze from my system

but i can not find any entry on

3DSexVilla-017.001 (Cracked)

in the add remove programs, or even with a windows search for it

km2357

2009-11-20, 07:27

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

undeadwolf7

2009-11-20, 10:32

Here is the requested log file please let me know if you want it a different way

ComboFix 09-11-19.05 - Kenny 11/20/2009 3:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.452 [GMT -5:00]
Running from: c:\documents and settings\Kenny\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Family\Local Settings\Application Data\{ADFFA9C6-7DC3-4F64-B103-E9C606A2FC36}
c:\documents and settings\Family\Local Settings\Application Data\{ADFFA9C6-7DC3-4F64-B103-E9C606A2FC36}\chrome.manifest
c:\documents and settings\Family\Local Settings\Application Data\{ADFFA9C6-7DC3-4F64-B103-E9C606A2FC36}\chrome\content\_cfg.js
c:\documents and settings\Family\Local Settings\Application Data\{ADFFA9C6-7DC3-4F64-B103-E9C606A2FC36}\chrome\content\c.js
c:\documents and settings\Family\Local Settings\Application Data\{ADFFA9C6-7DC3-4F64-B103-E9C606A2FC36}\chrome\content\overlay.xul
c:\documents and settings\Family\Local Settings\Application Data\{ADFFA9C6-7DC3-4F64-B103-E9C606A2FC36}\install.rdf
c:\documents and settings\Kenny\Local Settings\Application Data\{8651ACE7-2EFF-4A6F-A91B-0109AFDE821C}
c:\documents and settings\Kenny\Local Settings\Application Data\{8651ACE7-2EFF-4A6F-A91B-0109AFDE821C}\chrome.manifest
c:\documents and settings\Kenny\Local Settings\Application Data\{8651ACE7-2EFF-4A6F-A91B-0109AFDE821C}\chrome\content\_cfg.js
c:\documents and settings\Kenny\Local Settings\Application Data\{8651ACE7-2EFF-4A6F-A91B-0109AFDE821C}\chrome\content\c.js
c:\documents and settings\Kenny\Local Settings\Application Data\{8651ACE7-2EFF-4A6F-A91B-0109AFDE821C}\chrome\content\overlay.xul
c:\documents and settings\Kenny\Local Settings\Application Data\{8651ACE7-2EFF-4A6F-A91B-0109AFDE821C}\install.rdf
c:\documents and settings\Kenny\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Kenny\Local Settings\Temporary Internet Files\udRemove.exe
c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\18324090.dll
c:\windows\system32\Cache
c:\windows\system32\Data
c:\windows\system32\xa.tmp

.
((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.

2009-11-20 08:04 . 2006-07-06 12:59 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-16 12:11 . 2009-11-16 12:11 -------- d-----w- C:\found.003
2009-11-13 16:35 . 2009-11-13 16:35 -------- d-----w- c:\program files\ERUNT
2009-11-12 07:36 . 2009-11-17 18:16 -------- d-----w- c:\program files\Bethesda Softworks
2009-11-10 02:21 . 2009-11-10 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-11-10 01:25 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-10 01:25 . 2009-09-04 22:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-11-10 01:25 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-11-10 01:25 . 2009-09-04 22:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-11-10 01:25 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-10 01:25 . 2009-09-04 22:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-11-10 01:25 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-10 00:50 . 2008-05-30 19:19 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2009-11-10 00:50 . 2008-05-30 19:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2009-11-10 00:50 . 2008-05-30 19:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2009-11-10 00:50 . 2008-05-30 19:17 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2009-11-10 00:50 . 2008-05-30 19:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2009-11-10 00:50 . 2008-05-30 19:11 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2009-11-10 00:50 . 2008-05-30 19:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2009-11-10 00:50 . 2008-03-05 21:03 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2009-11-10 00:50 . 2008-03-05 21:03 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2009-11-10 00:50 . 2008-03-05 21:00 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll
2009-11-10 00:45 . 2008-03-05 20:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2009-11-10 00:45 . 2008-02-06 04:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2009-11-10 00:45 . 2008-03-05 20:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-11-10 00:44 . 2009-11-10 00:44 -------- d-----w- c:\windows\system32\xlive
2009-11-10 00:44 . 2009-11-10 00:45 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-11-09 01:39 . 2009-11-09 01:39 -------- d-----w- C:\GamepotUSA
2009-11-08 20:11 . 2009-11-08 20:11 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-08 09:35 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\9c13920.dll
2009-11-08 09:35 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\17d08eb5.dll
2009-11-08 09:25 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\b533e7b.dll
2009-11-08 09:25 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\a3cb000.dll
2009-11-07 00:36 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\dd9c188.dll
2009-11-07 00:34 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\6b49aca.dll
2009-11-07 00:34 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\3920f5f4.dll
2009-11-06 13:14 . 2009-10-21 13:09 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-06 02:14 . 2009-11-06 02:14 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-04 22:31 . 2009-11-05 00:50 -------- d-----w- c:\program files\Silkroad
2009-11-04 18:38 . 2009-09-23 14:41 26176 ---ha-w- c:\windows\system32\hamachi.sys
2009-11-04 00:31 . 2009-11-04 00:31 -------- d-----w- c:\documents and settings\Kenny\Application Data\NeopleLauncherDFO
2009-10-29 02:26 . 2009-10-29 02:26 -------- d-----w- c:\program files\IObit
2009-10-22 02:34 . 2009-10-22 02:34 -------- d-----w- c:\documents and settings\Kenny\Local Settings\Application Data\Ironclad Games
2009-10-22 02:29 . 2009-10-22 02:38 -------- d-----w- c:\documents and settings\Kenny\Application Data\Stardock
2009-10-22 02:28 . 2009-10-22 02:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{6F7EF3E6-7F1B-4824-84CD-E8DF6F1B4168}
2009-10-22 02:28 . 2009-06-04 20:05 2606568 -c--a-w- c:\documents and settings\All Users\Application Data\{6F7EF3E6-7F1B-4824-84CD-E8DF6F1B4168}\Impulse_setup.exe
2009-10-22 02:27 . 2009-10-22 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Stardock
2009-10-22 02:26 . 2009-11-09 01:27 -------- dc-h--w- c:\documents and settings\Kenny\Local Settings\Application Data\~0
2009-10-22 02:22 . 2009-10-22 02:22 -------- d-----w- c:\documents and settings\Kenny\Local Settings\Application Data\PackageAware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 02:04 . 2007-11-24 02:33 100880 -c--a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-20 01:36 . 2009-06-18 14:32 -------- d-----w- c:\program files\X-Change 3
2009-11-20 01:36 . 2007-04-23 12:18 -------- d-----w- c:\program files\xc2
2009-11-20 01:33 . 2007-02-04 04:31 737280 -c--a-w- c:\windows\iun6002.exe
2009-11-19 06:28 . 2008-12-10 09:34 -------- d-----w- c:\documents and settings\Kenny\Application Data\Xfire
2009-11-18 07:07 . 2008-12-10 09:34 -------- d-----w- c:\program files\Xfire
2009-11-17 22:08 . 2007-02-03 23:26 -------- d-----w- c:\program files\EA GAMES
2009-11-17 18:13 . 2007-01-16 18:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 12:19 . 2008-09-30 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-14 03:02 . 2008-11-01 18:46 0 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\prvlcl.dat
2009-11-13 17:52 . 2007-05-25 12:51 -------- d-----w- c:\program files\Winamp
2009-11-13 05:22 . 2007-06-21 12:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-12 08:19 . 2007-08-25 23:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-12 05:51 . 2007-01-28 03:20 -------- d-----w- c:\program files\LucasArts
2009-11-12 03:10 . 2009-08-20 10:57 -------- d-----w- c:\program files\World of Warcraft
2009-11-10 02:15 . 2007-01-16 18:16 -------- d-----w- c:\program files\ATI Technologies
2009-11-09 22:00 . 2009-09-17 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-11-09 21:59 . 2009-09-17 20:03 -------- d-----w- c:\program files\IGN
2009-11-09 21:59 . 2007-01-26 06:30 -------- d-----w- c:\documents and settings\Kenny\Application Data\IGN_DLM
2009-11-09 21:56 . 2007-01-16 18:20 -------- d-----w- c:\program files\Roxio
2009-11-09 21:56 . 2007-01-16 18:17 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-09 21:53 . 2007-11-24 02:33 -------- d--h--w- c:\documents and settings\Family\Application Data\Gtek
2009-11-09 21:53 . 2007-05-03 23:35 -------- d--h--w- c:\documents and settings\MCX1\Application Data\Gtek
2009-11-09 21:53 . 2007-01-18 04:05 -------- d--h--w- c:\documents and settings\Kenny\Application Data\Gtek
2009-11-09 21:53 . 2007-01-16 18:26 -------- d--h--w- c:\documents and settings\Administrator\Application Data\GTek
2009-11-09 21:53 . 2007-07-17 07:00 -------- d-----w- c:\program files\Doushin
2009-11-09 21:50 . 2007-01-16 18:19 -------- d-----w- c:\program files\Real
2009-11-09 21:50 . 2007-01-20 03:22 -------- d-----w- c:\program files\Rhapsody
2009-11-08 23:21 . 2007-03-25 16:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-04 00:11 . 2009-03-28 01:22 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-11-04 00:11 . 2009-03-28 01:22 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-11-04 00:11 . 2009-03-28 01:22 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-11-04 00:11 . 2009-03-28 01:22 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-11-04 00:11 . 2009-03-28 01:22 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-11-04 00:11 . 2009-03-28 01:22 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-11-03 23:42 . 2009-03-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-10-22 02:27 . 2007-07-03 01:51 -------- d-----w- c:\program files\Stardock
2009-10-18 13:09 . 2009-10-18 13:09 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-14 07:06 . 2007-01-16 18:25 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 16:36 . 2009-08-22 15:46 -------- d-----w- c:\program files\Warcraft III
2009-10-05 19:32 . 2009-10-03 00:40 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-10-03 00:58 . 2009-10-03 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
2009-10-03 00:57 . 2009-09-17 21:41 22328 ----a-w- c:\documents and settings\Kenny\Application Data\PnkBstrK.sys
2009-10-03 00:57 . 2009-09-17 21:41 22328 ----a-w- c:\documents and settings\Kenny\Application Data\PnkBstrK.sys
2009-10-03 00:57 . 2007-07-11 02:25 22328 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-03 00:57 . 2007-07-11 02:24 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-03 00:57 . 2009-09-17 21:40 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2009-10-03 00:57 . 2007-07-11 02:24 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-03 00:42 . 2009-10-03 00:42 -------- d-----w- c:\program files\Ubisoft
2009-10-03 00:41 . 2008-12-29 04:17 -------- d-----w- c:\documents and settings\Kenny\Application Data\DAEMON Tools Lite
2009-10-03 00:40 . 2009-10-03 00:40 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-10-03 00:32 . 2007-02-05 01:23 -------- d-----w- c:\documents and settings\Kenny\Application Data\Azureus
2009-10-02 19:44 . 2008-01-08 06:13 -------- d-----w- c:\documents and settings\Kenny\Application Data\Free Download Manager
2009-10-02 19:15 . 2007-05-25 12:51 -------- d-----w- c:\documents and settings\Kenny\Application Data\Winamp
2009-10-01 13:58 . 2008-12-29 04:17 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-24 07:03 . 2009-09-24 07:03 -------- d-----w- c:\program files\Firaxis Games
2009-09-24 04:04 . 2009-09-24 03:50 -------- d-----w- c:\documents and settings\Kenny\Application Data\Ventrilo
2009-09-24 03:47 . 2009-09-24 03:47 -------- d-----w- c:\program files\Ventrilo
2009-09-24 03:46 . 2008-03-04 19:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-23 15:41 . 2009-09-23 15:41 26176 ---ha-w- c:\windows\system32\drivers\hamachi.sys
2009-09-23 04:25 . 2007-03-29 00:11 -------- d-----w- c:\program files\Electronic Arts
2009-09-21 21:18 . 2009-09-21 17:39 -------- d-----w- c:\program files\Turbine
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 22:44 . 2009-11-10 00:51 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 02:52 . 2008-04-02 05:02 98304 -c--a-w- c:\windows\system32CmdLineExt.dll
2009-08-29 07:36 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 22:04 . 2009-08-25 22:04 75264 ----a-w- c:\windows\system32\uc_holybeast_launching.dll
2007-05-03 23:46 . 2007-02-05 10:13 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-16 98304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 12:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^ImpulseNow.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\ImpulseNow.lnk
backup=c:\windows\pss\ImpulseNow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"PnkBstrA"=2 (0x2)
"npkcmsvc"=2 (0x2)
"npggsvc"=3 (0x3)
"NMSAccessU"=2 (0x2)
"mnmsrvc"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"DNADownloader"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"PnkBstrB"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\PortableMudMaster\\MudMaster.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"17771:UDP"= 17771:UDP:Two Worlds
"58713:TCP"= 58713:TCP:Pando Media Booster
"58713:UDP"= 58713:UDP:Pando Media Booster
"59062:TCP"= 59062:TCP:Pando Media Booster
"59062:UDP"= 59062:UDP:Pando Media Booster
"58985:TCP"= 58985:TCP:Pando Media Booster
"58985:UDP"= 58985:UDP:Pando Media Booster
"58859:TCP"= 58859:TCP:Pando Media Booster
"58859:UDP"= 58859:UDP:Pando Media Booster

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/28/2008 11:17 PM 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/30/2008 12:22 AM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/30/2008 12:22 AM 297752]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva284;XDva284;\??\c:\windows\system32\XDva284.sys --> c:\windows\system32\XDva284.sys [?]
S4 DNADownloader;DNADownloader;c:\program files\GameSpot\DownloadManager_Win32.exe --> c:\program files\GameSpot\DownloadManager_Win32.exe [?]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {8C292180-8BB2-495F-B94B-89FE9F2B530A} - hxxp://rfonline-full.gscdn.com/gscdn/ccr_downloader.cab
FF - ProfilePath - c:\documents and settings\Kenny\Application Data\Mozilla\Firefox\Profiles\vgtyytk2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Kenny\Application Data\Mozilla\Firefox\Profiles\vgtyytk2.default\extensions\CSLauncher@cyberstep.com\plugins\npCsLauncher.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{d9017acf-52af-48d4-81b4-a9c261dc8a08} - c:\windows\system32\rirururu.dll
SharedTaskScheduler-{11f06a01-4b2c-4fe9-bd04-1a2190c3bdb9} - c:\windows\system32\godohavu.dll
SSODL-bibelefoh-{d9017acf-52af-48d4-81b4-a9c261dc8a08} - c:\windows\system32\rirururu.dll
SSODL-bakepahur-{11f06a01-4b2c-4fe9-bd04-1a2190c3bdb9} - c:\windows\system32\godohavu.dll
AddRemove-7-Zip - e:\program files\7-Zip\Uninstall.exe
AddRemove-All Sound Recorder XP_is1 - c:\program files\All Sound Recorder XP\unins000.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-GameSpotDownloadManager - c:\program files\GameSpot\uninstall.exe
AddRemove-IGN Download Manager - c:\program files\IGN\Download Manager\uninst.exe
AddRemove-Rohan_RBF - c:\rohan_global\GoUninstRBF.exe
AddRemove-StreetPlugin - c:\program files\Learn2.com\StRunner\stuninst.exe
AddRemove-{ECCA8FE7-767A-4C8A-9DAA-BAB60F877C41} - c:\documents and settings\Kenny\Local Settings\Application Data\{DF6E6A21-48E9-4FBD-B0B2-9E838A1DFED0}\setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 03:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spuq.sys hal.dll >>UNKNOWN [0x86F86938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76b7f28
\Driver\ACPI -> ACPI.sys @ 0xf7431cb8
\Driver\iaStor -> iaStor.sys @ 0xf7356150
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf721dbb0
PacketIndicateHandler -> NDIS.sys @ 0xf722aa21
SendHandler -> NDIS.sys @ 0xf720887b
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0x4FC2 != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0x4FC2 != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x8CBE != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x8F80 != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0xD884 != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0xD9E4 != 0xF7356150 iaStor.sys
\Driver\iaStor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3167047611-3067674008-2036097901-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4f,32,ca,1e,d7,09,58,34,85,74,41,5d,06,e9,73,3f,a5,b8,50,dd,35,b6,0e,
96,8b,e7,a1,30,79,81,08,bd,94,8c,d8,e9,4c,7d,03,58,03,ee,0b,42,8e,1a,e3,4e,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-3167047611-3067674008-2036097901-1006\Software\SecuROM\License information*]
"datasecu"=hex:3b,08,4c,83,8c,d2,5a,87,19,b1,11,4e,85,30,77,85,34,46,3a,d6,c7,
20,3a,ad,e3,30,3a,61,bc,7a,1b,af,8d,1e,b0,c9,19,a8,d2,0e,1f,9c,e5,26,00,29,\
"rkeysecu"=hex:2d,50,a1,70,eb,32,e2,36,42,75,89,3a,8a,db,d6,0c

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{114866E9-7C82-20F7-16C3063A4CAB25A4}\{3FC78BFC-C5A7-A764-C3D11931F655D68A}\{CA848313-C322-9D26-10260A1412DD57C5}*]
"LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a,
a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*]
"L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}*]
"G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{29C7572E-368C-9746-3DB4E03B0C8852AE}\{D5583F53-2F82-8141-B7E22169E34927D8}\{884189AF-2B25-871B-C10F8549E6A3D936}*]
"TU4WOU1J6ARI5KX1FANSH3C1OF1"=hex:01,00,01,00,00,00,00,00,3d,cd,b7,46,4e,75,8f,
24,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3C314B03-F43E-BA89-952BA1DFD2D5EFE8}\{7539A87C-0FED-33C5-609B84E8BF01550C}\{B9902A55-37BA-35DE-AA3E0A7380F9249D}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,c9,9f,ac,
8e,92,50,2c,f7,8d,73,0e,55,c6,b9,8f,ce,6d,42,5e,de,26,16,ad,d5,92,7f,d2,0e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47761F54-3284-4187-35228790176E1027}\{9364B136-59D9-79F3-ED3B0078FC46782B}\{67D1DB51-467A-B17B-59ADF812AC6D3A34}*]
"LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a,
a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4E801B1F-2C34-C71B-55752B4DE71FAE4A}\{6707E13D-DFA5-4083-2A160A7F601D7F5F}\{38345692-AD4C-2D4A-1F4885FC450939AB}*]
"AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d,
44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{61F22E4F-B27F-AFC4-A522A9C3D24CB12E}\{1AB70131-6AEF-F29E-373C8656BA527ED6}\{4909E9D0-65F5-FEDD-EF93FC8CC6374EF9}*]
"G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6283EF60-5306-646F-3E2A60A6F3147012}\{EC258BE5-E5B0-C834-EB7A48F96467BF3F}\{829C9D27-3E4A-4D61-8C18630CF0B6A85C}*]
"L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{75213A09-BF18-CDCA-476AD0C74F911579}\{60ECD51F-CC80-5083-F2221FA8EEB126FE}\{82B5FD34-7E39-B473-9523AE140A4D16E3}*]
"QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8CD4472C-E90F-9EEE-8658179FAD84CDE4}\{86C14694-A4A0-6014-B9D2B6867C4357D1}\{413E2BB7-2C4D-BBD1-7F39BC4CF716110E}*]
"DIUMUTVOZPCSSGX5CJY2KLBAVE1"=hex:01,00,01,00,00,00,00,00,64,6d,b1,e3,87,75,1d,
e5,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{90C9B227-00E9-ED2B-D8335C00663422E2}\{BA143829-6513-6AB3-17B76E63BBBF825B}\{B7811D8F-B091-6828-D848878685722533}*]
"PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91FA78BC-641E-4329-C41B32C9E0F96EA6}\{25E342AA-73A9-1FC4-4AC5C50BDBE96017}\{04863130-DE8E-7A09-D0B765EBFF2273E8}*]
"2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93,
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A31F0760-3CAF-40FF-C311EB15E667F290}\{E2D01E6A-D52B-9055-85F4CB9FDFA44017}\{62A48FA1-2175-E3E4-19BA4655EA387446}*]
"AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d,
44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BF11F383-757D-CF48-6D213AC2BB6130AD}\{12507465-D6D8-AFB1-97ED5D21195D77D5}\{90E47118-DD98-E716-1AABCD138C042D55}*]
"2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93,
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C19175F0-6343-C058-D551EA9B69721CA5}\{44B8D0A6-F0B8-27D0-3AB262946B96BF2A}\{D0951FF3-5F85-5129-204F105C4943049E}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,c9,9f,ac,
8e,92,50,2c,f7,8d,73,0e,55,c6,b9,8f,ce,6d,42,5e,de,26,16,ad,d5,92,7f,d2,0e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}*]
"DIUMUTVOZPCSSGX5CJY2KLBAVE1"=hex:01,00,01,00,00,00,00,00,64,6d,b1,e3,87,75,1d,
e5,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E9204BC4-9B67-A3A7-9418040E7EC7E28B}\{1ACE6D24-C4A9-397B-64EF395CC2F330B1}\{685A2618-4C9F-7737-7DE531E9434892E2}*]
"TU4WOU1J6ARI5KX1FANSH3C1OF1"=hex:01,00,01,00,00,00,00,00,3d,cd,b7,46,4e,75,8f,
24,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FF3E9388-AC5C-78BA-ADD2DEDBC8CD3822}\{3A1287C7-66E7-369B-1F735B898390688C}\{D7B36791-6000-8B4A-CB886D7CE3F1E4AE}*]
"QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(208)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\ehome\RMSvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\eHome\ehmsas.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2009-11-20 03:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-20 08:25

Pre-Run: 88,956,252,160 bytes free
Post-Run: 89,076,764,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 34496AD8CABBC35D68B06ECEA7C895F3

km2357

2009-11-20, 22:37

The way you posted the ComboFix Log was just fine. :)

Step # 1 Upload Files

Go to Jotti (http://virusscan.jotti.org)
Copy the following line into the white textbox:
c:\windows\system32\drivers\iaStor.sys
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

c:\windows\system32\9c13920.dll
c:\windows\system32\17d08eb5.dll

If Jotti is busy, Go to VirusTotal (http://www.virustotal.com/en/indexf.html) and scan the file(s) there.

undeadwolf7

2009-11-20, 22:46

Scans

Scan of iastor.sys

Filename: iaStor.sys
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 20 Nov 2009 21:40:51 (CET) Permalink

File size: 246784 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 019cf5f31c67030841233c545a0e217a
SHA1: 57f164f409a35520f4cb43556d5330887879e984

[ArcaVir]
2009-11-20 Found nothing
[G DATA]
2009-11-20 Found nothing
[A-Squared]
2009-11-20 Found nothing
[Ikarus]
2009-11-20 Found nothing
[Avast! antivirus]
2009-11-20 Found nothing
[Kaspersky Anti-Virus]
2009-11-20 Found nothing
[Grisoft AVG Anti-Virus]
2009-11-20 Found nothing
[ESET NOD32]
2009-11-20 Found nothing
[Avira AntiVir]
2009-11-20 Found nothing
[Norman Virus Control]
2009-11-04 Found nothing
[Softwin BitDefender]
2009-11-20 Found nothing
[Panda Antivirus]
2009-11-20 Found nothing
[ClamAV]
2009-11-20 Found nothing
[Quick Heal]
2009-11-20 Found nothing
[CPsecure]
2009-11-20 Found nothing
[Sophos]
2009-11-17 Found nothing
[Dr.Web]
2009-11-20 Found nothing
[VirusBlokAda VBA32]
2009-11-19 Found nothing
[Frisk F-Prot Antivirus]
2009-11-20 Found nothing
[VirusBuster]
2009-11-13 Found nothing
[F-Secure Anti-Virus]
2009-11-20 Found nothing

Scan of c:\windows\system32\9c13920.dll

Filename: ws2_32.dll
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 6 Nov 2009 12:41:39 (CET) Permalink

File size: 82432 bytes
Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
MD5: 2ccc474eb85ceaa3e1fa1726580a3e5a
SHA1: 7cf3366c68e402eb3678046fe97651a586044560

[ArcaVir]
2009-11-06 Found nothing
[G DATA]
2009-11-06 Found nothing
[A-Squared]
2009-11-06 Found nothing
[Ikarus]
2009-11-06 Found nothing
[Avast! antivirus]
2009-11-06 Found nothing
[Kaspersky Anti-Virus]
2009-11-06 Found nothing
[Grisoft AVG Anti-Virus]
2009-11-06 Found nothing
[ESET NOD32]
2009-11-06 Found nothing
[Avira AntiVir]
2009-11-06 Found nothing
[Norman Virus Control]
2009-11-05 Found nothing
[Softwin BitDefender]
2009-11-06 Found nothing
[Panda Antivirus]
2009-11-05 Found nothing
[ClamAV]
2009-11-06 Found nothing
[Quick Heal]
2009-11-06 Found nothing
[CPsecure]
2009-11-06 Found nothing
[Sophos]
2009-11-06 Found nothing
[Dr.Web]
2009-11-06 Found nothing
[VirusBlokAda VBA32]
2009-11-05 Found nothing
[Frisk F-Prot Antivirus]
2009-11-06 Found nothing
[VirusBuster]
2009-11-05 Found nothing
[F-Secure Anti-Virus]
2009-11-06 Found nothing

Scan of c:\windows\system32\17d08eb5.dll

Filename: ws2_32.dll
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 6 Nov 2009 12:41:39 (CET) Permalink

File size: 82432 bytes
Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
MD5: 2ccc474eb85ceaa3e1fa1726580a3e5a
SHA1: 7cf3366c68e402eb3678046fe97651a586044560

[ArcaVir]
2009-11-06 Found nothing
[G DATA]
2009-11-06 Found nothing
[A-Squared]
2009-11-06 Found nothing
[Ikarus]
2009-11-06 Found nothing
[Avast! antivirus]
2009-11-06 Found nothing
[Kaspersky Anti-Virus]
2009-11-06 Found nothing
[Grisoft AVG Anti-Virus]
2009-11-06 Found nothing
[ESET NOD32]
2009-11-06 Found nothing
[Avira AntiVir]
2009-11-06 Found nothing
[Norman Virus Control]
2009-11-05 Found nothing
[Softwin BitDefender]
2009-11-06 Found nothing
[Panda Antivirus]
2009-11-05 Found nothing
[ClamAV]
2009-11-06 Found nothing
[Quick Heal]
2009-11-06 Found nothing
[CPsecure]
2009-11-06 Found nothing
[Sophos]
2009-11-06 Found nothing
[Dr.Web]
2009-11-06 Found nothing
[VirusBlokAda VBA32]
2009-11-05 Found nothing
[Frisk F-Prot Antivirus]
2009-11-06 Found nothing
[VirusBuster]
2009-11-05 Found nothing
[F-Secure Anti-Virus]
2009-11-06 Found nothing

km2357

2009-11-20, 23:11

Step # 1: Run CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

KILLALL::

Driver::

XDva020
XDva190
XDva284

File::

c:\windows\system32\XDva020.sys
c:\windows\system32\XDva190.sys
c:\windows\system32\XDva284.sys

Folder::

c:\program files\IObit
c:\documents and settings\Kenny\Application Data\Azureus

RegNull::

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{114866E9-7C82-20F7-16C3063A4CAB25A4}\{3FC78BFC-C5A7-A764-C3D11931F655D68A}\{CA848313-C322-9D26-10260A1412DD57C5}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{29C7572E-368C-9746-3DB4E03B0C8852AE}\{D5583F53-2F82-8141-B7E22169E34927D8}\{884189AF-2B25-871B-C10F8549E6A3D936}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3C314B03-F43E-BA89-952BA1DFD2D5EFE8}\{7539A87C-0FED-33C5-609B84E8BF01550C}\{B9902A55-37BA-35DE-AA3E0A7380F9249D}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47761F54-3284-4187-35228790176E1027}\{9364B136-59D9-79F3-ED3B0078FC46782B}\{67D1DB51-467A-B17B-59ADF812AC6D3A34}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4E801B1F-2C34-C71B-55752B4DE71FAE4A}\{6707E13D-DFA5-4083-2A160A7F601D7F5F}\{38345692-AD4C-2D4A-1F4885FC450939AB}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{61F22E4F-B27F-AFC4-A522A9C3D24CB12E}\{1AB70131-6AEF-F29E-373C8656BA527ED6}\{4909E9D0-65F5-FEDD-EF93FC8CC6374EF9}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6283EF60-5306-646F-3E2A60A6F3147012}\{EC258BE5-E5B0-C834-EB7A48F96467BF3F}\{829C9D27-3E4A-4D61-8C18630CF0B6A85C}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{75213A09-BF18-CDCA-476AD0C74F911579}\{60ECD51F-CC80-5083-F2221FA8EEB126FE}\{82B5FD34-7E39-B473-9523AE140A4D16E3}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8CD4472C-E90F-9EEE-8658179FAD84CDE4}\{86C14694-A4A0-6014-B9D2B6867C4357D1}\{413E2BB7-2C4D-BBD1-7F39BC4CF716110E}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{90C9B227-00E9-ED2B-D8335C00663422E2}\{BA143829-6513-6AB3-17B76E63BBBF825B}\{B7811D8F-B091-6828-D848878685722533}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91FA78BC-641E-4329-C41B32C9E0F96EA6}\{25E342AA-73A9-1FC4-4AC5C50BDBE96017}\{04863130-DE8E-7A09-D0B765EBFF2273E8}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A31F0760-3CAF-40FF-C311EB15E667F290}\{E2D01E6A-D52B-9055-85F4CB9FDFA44017}\{62A48FA1-2175-E3E4-19BA4655EA387446}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BF11F383-757D-CF48-6D213AC2BB6130AD}\{12507465-D6D8-AFB1-97ED5D21195D77D5}\{90E47118-DD98-E716-1AABCD138C042D55}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C19175F0-6343-C058-D551EA9B69721CA5}\{44B8D0A6-F0B8-27D0-3AB262946B96BF2A}\{D0951FF3-5F85-5129-204F105C4943049E}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E9204BC4-9B67-A3A7-9418040E7EC7E28B}\{1ACE6D24-C4A9-397B-64EF395CC2F330B1}\{685A2618-4C9F-7737-7DE531E9434892E2}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FF3E9388-AC5C-78BA-ADD2DEDBC8CD3822}\{3A1287C7-66E7-369B-1F735B898390688C}\{D7B36791-6000-8B4A-CB886D7CE3F1E4AE}*]

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Note: This CFScript is for use on undeadwolf7's computer only! Do not use it on your computer.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.

undeadwolf7

2009-11-20, 23:57

Here is the Combo Fix log

ComboFix 09-11-19.05 - Kenny 11/20/2009 16:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.506 [GMT -5:00]
Running from: c:\documents and settings\Kenny\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kenny\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\windows\system32\XDva020.sys"
"c:\windows\system32\XDva190.sys"
"c:\windows\system32\XDva284.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kenny\Application Data\Azureus
c:\documents and settings\Kenny\Application Data\Azureus\.certs
c:\documents and settings\Kenny\Application Data\Azureus\.keystore
c:\documents and settings\Kenny\Application Data\Azureus\.lock
c:\documents and settings\Kenny\Application Data\Azureus\active\0A1D7859B41801E2BB52E5EF0D9B480AF14B284B.dat
c:\documents and settings\Kenny\Application Data\Azureus\active\0A1D7859B41801E2BB52E5EF0D9B480AF14B284B.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\active\B35E908CEB8EE4B0B2C21F80F40A579D0BE84C8C.dat
c:\documents and settings\Kenny\Application Data\Azureus\active\B35E908CEB8EE4B0B2C21F80F40A579D0BE84C8C.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\active\C92F053540E94E690F6D4A057916C7BFA293F65C.dat
c:\documents and settings\Kenny\Application Data\Azureus\active\C92F053540E94E690F6D4A057916C7BFA293F65C.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\active\cache.dat
c:\documents and settings\Kenny\Application Data\Azureus\azureus.config
c:\documents and settings\Kenny\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\azureus.statistics
c:\documents and settings\Kenny\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Kenny\Application Data\Azureus\banips.config
c:\documents and settings\Kenny\Application Data\Azureus\banips.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\cnetworks.config
c:\documents and settings\Kenny\Application Data\Azureus\devices.config
c:\documents and settings\Kenny\Application Data\Azureus\devices.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Kenny\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Kenny\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Kenny\Application Data\Azureus\dht\general.dat
c:\documents and settings\Kenny\Application Data\Azureus\dht\version.dat
c:\documents and settings\Kenny\Application Data\Azureus\downloads.config
c:\documents and settings\Kenny\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\filters.config
c:\documents and settings\Kenny\Application Data\Azureus\friends.config
c:\documents and settings\Kenny\Application Data\Azureus\friends.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Kenny\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\CNetworks_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\Devices_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\Friends_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_alerts_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_AutoSpeedSearchHistory_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_clientid_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_CNetworks_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_debug_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_debug_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_Devices_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_Friends_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_Friends_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_MetaSearch_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_NetStatus_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_seltrace_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_seltrace_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_Subscriptions_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_thread_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_thread_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_v3.ads_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_v3.CMsgr_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_v3.Friends_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_v3.Friends_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_v3.PMsgr_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\save\1254528677632_v3.Stream_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\seltrace_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\v3.Friends_2.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Kenny\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Kenny\Application Data\Azureus\metasearch.config
c:\documents and settings\Kenny\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\net\pm_20115.dat
c:\documents and settings\Kenny\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\documents and settings\Kenny\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\documents and settings\Kenny\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.5.jar
c:\documents and settings\Kenny\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.5.zip
c:\documents and settings\Kenny\Application Data\Azureus\plugins\azupnpav\plugin.properties
c:\documents and settings\Kenny\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\documents and settings\Kenny\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.5
c:\documents and settings\Kenny\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Kenny\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\subs\5F78AD8919FF8EA67371.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\737553100CB057ACF094.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subscriptions.config
c:\documents and settings\Kenny\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\tables.config
c:\documents and settings\Kenny\Application Data\Azureus\tables.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU3083676961748198112.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU4916250783419002826.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU6062180317684674421.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU6328486312790936435.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU662012742328735406.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU7501812493614811214.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU8195130111966532817.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU8561358674092229342.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU8662842378364569823.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU8813651221908715772.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU9209065809145152125.tmp
c:\documents and settings\Kenny\Application Data\Azureus\torrents\((Demonoid.com))-Star_Wars_DOS_Game_Collection.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\[HentaiShare].Schoolmate.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\3D_Sexvilla_2_058_002_oxin_s_style__OxS_.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\anox_disc1.iso.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\anox_disc2.iso.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\AZU2647917505123295463.tmp
c:\documents and settings\Kenny\Application Data\Azureus\torrents\AZU3988.tmp
c:\documents and settings\Kenny\Application Data\Azureus\torrents\AZU3992.tmp
c:\documents and settings\Kenny\Application Data\Azureus\torrents\AZU8770666781420321312.tmp
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Beastiality.Vids.2[1].torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Beastiality.Vids.5[1].torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Dr. Comet's Kemono Island.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\DR_COMET_HIS_ENTIRE_WORKS.3737323.TPB.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Dr_Comet_Kemono_Islands_Cd_7.4225719.TPB.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\FxA_Pleasure_Bon_Bon_2.3522405.TPB.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Hentai-manga_Colorful_Princess_by_Youji_Sorimura_Hot_Milk_Comics[www.btmon.com].torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Hentai picture compulation [www.Fulldls.com].torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\HentaII-3D-2-v2.052.003.3973183.TPB.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Hyphen-man____s_Furry_folder_MKII.3829441.TPB.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Naruto Hentai Comix [www.Fulldls.com].torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Pretty_soldier_wars_AD_2048_[PC-CD]_[English]_.3793070.TPB.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Star_Wars_Flight-Sim_Gems(X-Wing_TIE-Fighter__XWA_.3526002.TPB.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Teenie.with.the.Big.Dog.MVCD.by.Batista.(Animalsex.Beastiality)..3455321.TPB[1].torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\Tom.Clancys.Rainbow.Six.Vegas.2-RELOADED.4125708.TPB.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\XChange_3.4715415.TPB.torrent
c:\documents and settings\Kenny\Application Data\Azureus\torrents\XXX.[beastiality].European.Woman.Gets.Dog.To.Fuck.Her.&.Lick.Pussy[1].torrent
c:\documents and settings\Kenny\Application Data\Azureus\tracker.config
c:\documents and settings\Kenny\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\unsentdata.config
c:\documents and settings\Kenny\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\update.log
c:\documents and settings\Kenny\Application Data\Azureus\update.properties
c:\documents and settings\Kenny\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Kenny\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Kenny\Application Data\Azureus\VuzeActivities.config.bak
c:\program files\IObit
c:\program files\IObit\Game Booster\EULA.rtf
c:\program files\IObit\Game Booster\GameBooster.exe
c:\program files\IObit\Game Booster\GameBooster.ini
c:\program files\IObit\Game Booster\gbinit.exe
c:\program files\IObit\Game Booster\gbtray.exe
c:\program files\IObit\Game Booster\Language\Arabic.lng
c:\program files\IObit\Game Booster\Language\Belarusian.lng
c:\program files\IObit\Game Booster\Language\Brasil.lng
c:\program files\IObit\Game Booster\Language\Catalan.lng
c:\program files\IObit\Game Booster\Language\ChineseSimp.lng
c:\program files\IObit\Game Booster\Language\ChineseTrad.lng
c:\program files\IObit\Game Booster\Language\Croatian.lng
c:\program files\IObit\Game Booster\Language\Czech.lng
c:\program files\IObit\Game Booster\Language\Dansk.lng
c:\program files\IObit\Game Booster\Language\Dutch.lng
c:\program files\IObit\Game Booster\Language\English.lng
c:\program files\IObit\Game Booster\Language\Estonian.lng
c:\program files\IObit\Game Booster\Language\Finnish.lng
c:\program files\IObit\Game Booster\Language\French.lng
c:\program files\IObit\Game Booster\Language\Georgian.lng
c:\program files\IObit\Game Booster\Language\German.lng
c:\program files\IObit\Game Booster\Language\Greek.lng
c:\program files\IObit\Game Booster\Language\Hebrew.lng
c:\program files\IObit\Game Booster\Language\Hungarian.lng
c:\program files\IObit\Game Booster\Language\Indonesian.lng
c:\program files\IObit\Game Booster\Language\Italiano.lng
c:\program files\IObit\Game Booster\Language\Japanese.lng
c:\program files\IObit\Game Booster\Language\Korean.lng
c:\program files\IObit\Game Booster\Language\Lithuanian.lng
c:\program files\IObit\Game Booster\Language\Norwegian.lng
c:\program files\IObit\Game Booster\Language\Persian.lng
c:\program files\IObit\Game Booster\Language\Polish.lng
c:\program files\IObit\Game Booster\Language\Portugal.lng
c:\program files\IObit\Game Booster\Language\Romanian.lng
c:\program files\IObit\Game Booster\Language\Russian.lng
c:\program files\IObit\Game Booster\Language\Slovak.lng
c:\program files\IObit\Game Booster\Language\Spanish.lng
c:\program files\IObit\Game Booster\Language\Swedish.lng
c:\program files\IObit\Game Booster\Language\Turkish.lng
c:\program files\IObit\Game Booster\Language\Ukrainian.lng
c:\program files\IObit\Game Booster\Language\Urdu.lng
c:\program files\IObit\Game Booster\Language\Vietnamese.lng
c:\program files\IObit\Game Booster\unins000.dat
c:\program files\IObit\Game Booster\unins000.exe
c:\program files\IObit\Game Booster\What's new.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA020
-------\Legacy_XDVA190
-------\Legacy_XDVA284
-------\Service_XDva020
-------\Service_XDva190
-------\Service_XDva284

((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.

2009-11-20 08:04 . 2006-07-06 12:59 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-16 12:11 . 2009-11-16 12:11 -------- d-----w- C:\found.003
2009-11-13 16:35 . 2009-11-13 16:35 -------- d-----w- c:\program files\ERUNT
2009-11-12 07:36 . 2009-11-17 18:16 -------- d-----w- c:\program files\Bethesda Softworks
2009-11-10 02:21 . 2009-11-10 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-11-10 01:25 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-10 01:25 . 2009-09-04 22:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-11-10 01:25 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-11-10 01:25 . 2009-09-04 22:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-11-10 01:25 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-10 01:25 . 2009-09-04 22:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-11-10 01:25 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-10 00:50 . 2008-05-30 19:19 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2009-11-10 00:50 . 2008-05-30 19:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2009-11-10 00:50 . 2008-05-30 19:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2009-11-10 00:50 . 2008-05-30 19:17 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2009-11-10 00:50 . 2008-05-30 19:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2009-11-10 00:50 . 2008-05-30 19:11 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2009-11-10 00:50 . 2008-05-30 19:11 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2009-11-10 00:50 . 2008-03-05 21:03 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2009-11-10 00:50 . 2008-03-05 21:03 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2009-11-10 00:50 . 2008-03-05 21:00 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll
2009-11-10 00:45 . 2008-03-05 20:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2009-11-10 00:45 . 2008-02-06 04:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2009-11-10 00:45 . 2008-03-05 20:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-11-10 00:44 . 2009-11-10 00:44 -------- d-----w- c:\windows\system32\xlive
2009-11-10 00:44 . 2009-11-10 00:45 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-11-09 01:39 . 2009-11-09 01:39 -------- d-----w- C:\GamepotUSA
2009-11-08 20:11 . 2009-11-08 20:11 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-08 09:35 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\9c13920.dll
2009-11-08 09:35 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\17d08eb5.dll
2009-11-08 09:25 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\b533e7b.dll
2009-11-08 09:25 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\a3cb000.dll
2009-11-07 00:36 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\dd9c188.dll
2009-11-07 00:34 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\6b49aca.dll
2009-11-07 00:34 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\3920f5f4.dll
2009-11-06 13:14 . 2009-10-21 13:09 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-06 02:14 . 2009-11-06 02:14 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-04 22:31 . 2009-11-05 00:50 -------- d-----w- c:\program files\Silkroad
2009-11-04 18:38 . 2009-09-23 14:41 26176 ---ha-w- c:\windows\system32\hamachi.sys
2009-11-04 00:31 . 2009-11-04 00:31 -------- d-----w- c:\documents and settings\Kenny\Application Data\NeopleLauncherDFO
2009-10-22 02:34 . 2009-10-22 02:34 -------- d-----w- c:\documents and settings\Kenny\Local Settings\Application Data\Ironclad Games
2009-10-22 02:29 . 2009-10-22 02:38 -------- d-----w- c:\documents and settings\Kenny\Application Data\Stardock
2009-10-22 02:28 . 2009-10-22 02:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{6F7EF3E6-7F1B-4824-84CD-E8DF6F1B4168}
2009-10-22 02:28 . 2009-06-04 20:05 2606568 -c--a-w- c:\documents and settings\All Users\Application Data\{6F7EF3E6-7F1B-4824-84CD-E8DF6F1B4168}\Impulse_setup.exe
2009-10-22 02:27 . 2009-10-22 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Stardock
2009-10-22 02:26 . 2009-11-09 01:27 -------- dc-h--w- c:\documents and settings\Kenny\Local Settings\Application Data\~0
2009-10-22 02:22 . 2009-10-22 02:22 -------- d-----w- c:\documents and settings\Kenny\Local Settings\Application Data\PackageAware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 02:04 . 2007-11-24 02:33 100880 -c--a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-20 01:36 . 2009-06-18 14:32 -------- d-----w- c:\program files\X-Change 3
2009-11-20 01:36 . 2007-04-23 12:18 -------- d-----w- c:\program files\xc2
2009-11-20 01:33 . 2007-02-04 04:31 737280 -c--a-w- c:\windows\iun6002.exe
2009-11-19 06:28 . 2008-12-10 09:34 -------- d-----w- c:\documents and settings\Kenny\Application Data\Xfire
2009-11-18 07:07 . 2008-12-10 09:34 -------- d-----w- c:\program files\Xfire
2009-11-17 22:08 . 2007-02-03 23:26 -------- d-----w- c:\program files\EA GAMES
2009-11-17 18:13 . 2007-01-16 18:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 12:19 . 2008-09-30 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-14 03:02 . 2008-11-01 18:46 0 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\prvlcl.dat
2009-11-13 17:52 . 2007-05-25 12:51 -------- d-----w- c:\program files\Winamp
2009-11-13 05:22 . 2007-06-21 12:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-12 08:19 . 2007-08-25 23:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-12 05:51 . 2007-01-28 03:20 -------- d-----w- c:\program files\LucasArts
2009-11-12 03:10 . 2009-08-20 10:57 -------- d-----w- c:\program files\World of Warcraft
2009-11-10 02:15 . 2007-01-16 18:16 -------- d-----w- c:\program files\ATI Technologies
2009-11-09 22:00 . 2009-09-17 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-11-09 21:59 . 2009-09-17 20:03 -------- d-----w- c:\program files\IGN
2009-11-09 21:59 . 2007-01-26 06:30 -------- d-----w- c:\documents and settings\Kenny\Application Data\IGN_DLM
2009-11-09 21:56 . 2007-01-16 18:20 -------- d-----w- c:\program files\Roxio
2009-11-09 21:56 . 2007-01-16 18:17 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-09 21:53 . 2007-11-24 02:33 -------- d--h--w- c:\documents and settings\Family\Application Data\Gtek
2009-11-09 21:53 . 2007-05-03 23:35 -------- d--h--w- c:\documents and settings\MCX1\Application Data\Gtek
2009-11-09 21:53 . 2007-01-18 04:05 -------- d--h--w- c:\documents and settings\Kenny\Application Data\Gtek
2009-11-09 21:53 . 2007-01-16 18:26 -------- d--h--w- c:\documents and settings\Administrator\Application Data\GTek
2009-11-09 21:53 . 2007-07-17 07:00 -------- d-----w- c:\program files\Doushin
2009-11-09 21:50 . 2007-01-16 18:19 -------- d-----w- c:\program files\Real
2009-11-09 21:50 . 2007-01-20 03:22 -------- d-----w- c:\program files\Rhapsody
2009-11-08 23:21 . 2007-03-25 16:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-04 00:11 . 2009-03-28 01:22 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-11-04 00:11 . 2009-03-28 01:22 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-11-04 00:11 . 2009-03-28 01:22 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-11-04 00:11 . 2009-03-28 01:22 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-11-04 00:11 . 2009-03-28 01:22 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-11-04 00:11 . 2009-03-28 01:22 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-11-03 23:42 . 2009-03-28 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-10-22 02:27 . 2007-07-03 01:51 -------- d-----w- c:\program files\Stardock
2009-10-18 13:09 . 2009-10-18 13:09 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-14 07:06 . 2007-01-16 18:25 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 16:36 . 2009-08-22 15:46 -------- d-----w- c:\program files\Warcraft III
2009-10-05 19:32 . 2009-10-03 00:40 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-10-03 00:58 . 2009-10-03 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Ubisoft
2009-10-03 00:57 . 2009-09-17 21:41 22328 ----a-w- c:\documents and settings\Kenny\Application Data\PnkBstrK.sys
2009-10-03 00:57 . 2009-09-17 21:41 22328 ----a-w- c:\documents and settings\Kenny\Application Data\PnkBstrK.sys
2009-10-03 00:57 . 2007-07-11 02:25 22328 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-03 00:57 . 2007-07-11 02:24 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-03 00:57 . 2009-09-17 21:40 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2009-10-03 00:57 . 2007-07-11 02:24 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-03 00:42 . 2009-10-03 00:42 -------- d-----w- c:\program files\Ubisoft
2009-10-03 00:41 . 2008-12-29 04:17 -------- d-----w- c:\documents and settings\Kenny\Application Data\DAEMON Tools Lite
2009-10-03 00:40 . 2009-10-03 00:40 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-10-02 19:44 . 2008-01-08 06:13 -------- d-----w- c:\documents and settings\Kenny\Application Data\Free Download Manager
2009-10-02 19:15 . 2007-05-25 12:51 -------- d-----w- c:\documents and settings\Kenny\Application Data\Winamp
2009-10-01 13:58 . 2008-12-29 04:17 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-24 07:03 . 2009-09-24 07:03 -------- d-----w- c:\program files\Firaxis Games
2009-09-24 04:04 . 2009-09-24 03:50 -------- d-----w- c:\documents and settings\Kenny\Application Data\Ventrilo
2009-09-24 03:47 . 2009-09-24 03:47 -------- d-----w- c:\program files\Ventrilo
2009-09-24 03:46 . 2008-03-04 19:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-23 15:41 . 2009-09-23 15:41 26176 ---ha-w- c:\windows\system32\drivers\hamachi.sys
2009-09-23 04:25 . 2007-03-29 00:11 -------- d-----w- c:\program files\Electronic Arts
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 22:44 . 2009-11-10 00:51 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 02:52 . 2008-04-02 05:02 98304 -c--a-w- c:\windows\system32CmdLineExt.dll
2009-08-29 07:36 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 22:04 . 2009-08-25 22:04 75264 ----a-w- c:\windows\system32\uc_holybeast_launching.dll
2007-05-03 23:46 . 2007-02-05 10:13 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-20_08.15.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-20 21:38 . 2009-11-20 21:38 16384 c:\windows\Temp\Perflib_Perfdata_794.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-16 98304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 12:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^ImpulseNow.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\ImpulseNow.lnk
backup=c:\windows\pss\ImpulseNow.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kenny^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Kenny\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"PnkBstrA"=2 (0x2)
"npkcmsvc"=2 (0x2)
"npggsvc"=3 (0x3)
"NMSAccessU"=2 (0x2)
"mnmsrvc"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"DNADownloader"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"PnkBstrB"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\PortableMudMaster\\MudMaster.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"17771:UDP"= 17771:UDP:Two Worlds
"58713:TCP"= 58713:TCP:Pando Media Booster
"58713:UDP"= 58713:UDP:Pando Media Booster
"59062:TCP"= 59062:TCP:Pando Media Booster
"59062:UDP"= 59062:UDP:Pando Media Booster
"58985:TCP"= 58985:TCP:Pando Media Booster
"58985:UDP"= 58985:UDP:Pando Media Booster
"58859:TCP"= 58859:TCP:Pando Media Booster
"58859:UDP"= 58859:UDP:Pando Media Booster

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/28/2008 11:17 PM 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/30/2008 12:22 AM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/30/2008 12:22 AM 297752]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S4 DNADownloader;DNADownloader;c:\program files\GameSpot\DownloadManager_Win32.exe --> c:\program files\GameSpot\DownloadManager_Win32.exe [?]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: {8C292180-8BB2-495F-B94B-89FE9F2B530A} - hxxp://rfonline-full.gscdn.com/gscdn/ccr_downloader.cab
FF - ProfilePath - c:\documents and settings\Kenny\Application Data\Mozilla\Firefox\Profiles\vgtyytk2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Kenny\Application Data\Mozilla\Firefox\Profiles\vgtyytk2.default\extensions\CSLauncher@cyberstep.com\plugins\npCsLauncher.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Game Booster_is1 - c:\program files\IObit\Game Booster\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 16:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spnt.sys hal.dll >>UNKNOWN [0x86F86938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76b7f28
\Driver\ACPI -> ACPI.sys @ 0xf7431cb8
\Driver\iaStor -> iaStor.sys @ 0xf7356150
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf721dbb0
PacketIndicateHandler -> NDIS.sys @ 0xf720ca0d
SendHandler -> NDIS.sys @ 0xf7220b40
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0x4FC2 != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0x4FC2 != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x8CBE != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x8F80 != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0xD884 != 0xF7356150 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0xD9E4 != 0xF7356150 iaStor.sys
\Driver\iaStor IRP hooks detected !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3167047611-3067674008-2036097901-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4f,32,ca,1e,d7,09,58,34,85,74,41,5d,06,e9,73,3f,a5,b8,50,dd,35,b6,0e,
96,8b,e7,a1,30,79,81,08,bd,94,8c,d8,e9,4c,7d,03,58,03,ee,0b,42,8e,1a,e3,4e,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-3167047611-3067674008-2036097901-1006\Software\SecuROM\License information*]
"datasecu"=hex:3b,08,4c,83,8c,d2,5a,87,19,b1,11,4e,85,30,77,85,34,46,3a,d6,c7,
20,3a,ad,e3,30,3a,61,bc,7a,1b,af,8d,1e,b0,c9,19,a8,d2,0e,1f,9c,e5,26,00,29,\
"rkeysecu"=hex:2d,50,a1,70,eb,32,e2,36,42,75,89,3a,8a,db,d6,0c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2009-11-20 16:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-20 21:53
ComboFix2.txt 2009-11-20 08:25

Pre-Run: 89,153,347,584 bytes free
Post-Run: 89,109,282,816 bytes free

- - End Of File - - 4093DBD6C7747FFD6117F666792FFEF1

And this is the new DDS log

DDS (Ver_09-10-26.01) - NTFSx86
Run by Kenny at 16:54:26.78 on Fri 11/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.536 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Kenny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8C292180-8BB2-495F-B94B-89FE9F2B530A} - hxxp://rfonline-full.gscdn.com/gscdn/ccr_downloader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenny\applic~1\mozilla\firefox\profiles\vgtyytk2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\kenny\application data\mozilla\firefox\profiles\vgtyytk2.default\extensions\cslauncher@cyberstep.com\plugins\npCsLauncher.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-30 297752]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\vmlaunch\buddyvm.sys --> c:\program files\vmlaunch\BuddyVM.sys [?]
S4 DNADownloader;DNADownloader;c:\program files\gamespot\downloadmanager_win32.exe --> c:\program files\gamespot\DownloadManager_Win32.exe [?]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-11-20 08:04:43 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-20 07:57:41 0 d-sha-r- C:\cmdcons
2009-11-20 07:46:08 98816 ----a-w- c:\windows\sed.exe
2009-11-20 07:46:08 77312 ----a-w- c:\windows\MBR.exe
2009-11-20 07:46:08 260608 ----a-w- c:\windows\PEV.exe
2009-11-20 07:46:08 161792 ----a-w- c:\windows\SWREG.exe
2009-11-16 12:11:12 0 d-----w- C:\found.003
2009-11-12 07:36:39 0 d-----w- c:\program files\Bethesda Softworks
2009-11-11 05:20:35 3252 ----a-w- c:\windows\system32\wbem\Outlook_01ca628eb28623c4.mof
2009-11-10 01:25:36 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-10 01:25:33 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-11-10 01:25:33 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-11-10 01:25:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-11-10 01:25:31 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-10 01:25:31 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-11-10 01:25:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-10 00:50:52 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2009-11-10 00:50:52 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2009-11-10 00:50:51 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2009-11-10 00:50:49 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2009-11-10 00:50:46 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2009-11-10 00:50:46 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2009-11-10 00:50:43 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2009-11-10 00:50:41 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2009-11-10 00:50:39 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2009-11-10 00:50:38 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll
2009-11-10 00:45:23 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2009-11-10 00:45:23 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2009-11-10 00:45:21 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-11-10 00:44:37 0 d-----w- c:\windows\system32\xlive
2009-11-10 00:44:36 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-11-09 01:39:34 0 d-----w- C:\GamepotUSA
2009-11-08 20:11:58 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-08 09:35:56 82432 ---h-tw- c:\windows\system32\9c13920.dll
2009-11-08 09:35:56 82432 ---h-tw- c:\windows\system32\17d08eb5.dll
2009-11-08 09:25:51 82432 ---h-tw- c:\windows\system32\b533e7b.dll
2009-11-08 09:25:51 82432 ---h-tw- c:\windows\system32\a3cb000.dll
2009-11-07 00:36:09 82432 ---h-tw- c:\windows\system32\dd9c188.dll
2009-11-07 00:34:53 82432 ---h-tw- c:\windows\system32\6b49aca.dll
2009-11-07 00:34:53 82432 ---h-tw- c:\windows\system32\3920f5f4.dll
2009-11-06 02:14:42 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-04 22:31:12 0 d-----w- c:\program files\Silkroad
2009-11-04 18:38:03 26176 ---ha-w- c:\windows\system32\hamachi.sys
2009-11-04 00:31:55 0 d-----w- c:\docume~1\kenny\applic~1\NeopleLauncherDFO
2009-10-22 02:29:41 0 d-----w- c:\docume~1\kenny\applic~1\Stardock
2009-10-22 02:28:08 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{6F7EF3E6-7F1B-4824-84CD-E8DF6F1B4168}
2009-10-22 02:27:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Stardock

==================== Find3M ====================

2009-11-20 01:33:55 737280 -c--a-w- c:\windows\iun6002.exe
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-10-03 00:57:51 22328 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-03 00:57:51 22328 ----a-w- c:\docume~1\kenny\applic~1\PnkBstrK.sys
2009-10-03 00:57:41 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-03 00:57:24 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-03 00:57:24 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2009-10-01 13:58:07 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-23 15:41:58 26176 ---ha-w- c:\windows\system32\drivers\hamachi.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 22:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-09-02 02:52:57 98304 -c--a-w- c:\windows\system32CmdLineExt.dll
2009-08-28 10:28:59 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-25 22:04:30 75264 ----a-w- c:\windows\system32\uc_holybeast_launching.dll
2007-05-03 23:46:05 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-11-04 13:07:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110420081105\index.dat

============= FINISH: 16:54:31.89 ===============

Do you need the attach.txt log again?

km2357

2009-11-21, 19:53

Do you need the attach.txt log again?

No, I don't need to see it but I'll let you know if I do need to see it in the future. :)

Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u17 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:

J2SE Runtime Environment 5.0 Update 6

Java(TM) 6 Update 13

Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.

Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post the MalwareBytes' Log in your next post/reply.

undeadwolf7

2009-11-21, 23:15

Malwarebytes' Anti-Malware 1.41
Database version: 3210
Windows 5.1.2600 Service Pack 3

11/21/2009 4:14:01 PM
mbam-log-2009-11-21 (16-14-01).txt

Scan type: Quick Scan
Objects scanned: 132460
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{c20ee2d6-81c3-6a08-79c5-1989da43bc19} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

km2357

2009-11-22, 07:09

Step # 1: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?

undeadwolf7

2009-11-22, 18:40

Here is the Kapersky Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, November 22, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, November 22, 2009 10:01:41
Records in database: 3272434
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
G:\

Scan statistics:
Objects scanned: 190206
Threats found: 10
Infected objects found: 18
Suspicious objects found: 0
Scan duration: 05:14:05

File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25E47852.exe Infected: not-a-virus:WebToolbar.Win32.Zango.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\506E142D.def Infected: not-a-virus:AdWare.Win32.180Solutions.ax 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6DDC4F41 Infected: Backdoor.Win32.UltimateDefender.r 1
C:\Documents and Settings\Kenny\Application Data\Sun\Java\Deployment\cache\6.0\49\35217071-7ebd2a65 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll.vir Infected: not-a-virus:WebToolbar.Win32.Zango.bd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xa.tmp.vir Infected: Trojan.Win32.Vilsel.blk 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1173\A0183262.dll Infected: Trojan.Win32.FraudPack.toh 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1246\A0198567.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1246\A0198569.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1263\A0199034.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1263\A0199035.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1263\A0199037.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1263\A0199146.dll Infected: Trojan.Win32.Monder.cvau 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1273\A0201175.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1273\A0201176.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1287\A0203860.dll Infected: not-a-virus:WebToolbar.Win32.Zango.bd 1
G:\System Volume Information\_restore{5788E336-FDDB-40E2-9488-90BAA5C315C3}\RP361\A0072724.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
G:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1244\A0198368.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

Selected area has been scanned.

And this is the new dds log

DDS (Ver_09-10-26.01) - NTFSx86
Run by Kenny at 11:34:55.64 on Sun 11/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.662 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Kenny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070116
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8C292180-8BB2-495F-B94B-89FE9F2B530A} - hxxp://rfonline-full.gscdn.com/gscdn/ccr_downloader.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenny\applic~1\mozilla\firefox\profiles\vgtyytk2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\kenny\application data\mozilla\firefox\profiles\vgtyytk2.default\extensions\cslauncher@cyberstep.com\plugins\npCsLauncher.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-30 297752]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\vmlaunch\buddyvm.sys --> c:\program files\vmlaunch\BuddyVM.sys [?]
S4 DNADownloader;DNADownloader;c:\program files\gamespot\downloadmanager_win32.exe --> c:\program files\gamespot\DownloadManager_Win32.exe [?]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-11-21 20:53:29 0 d-----w- c:\docume~1\kenny\applic~1\Malwarebytes
2009-11-21 20:53:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-21 20:53:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 20:53:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-21 20:53:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-21 20:48:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-20 08:04:43 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-20 07:57:41 0 d-sha-r- C:\cmdcons
2009-11-20 07:46:08 98816 ----a-w- c:\windows\sed.exe
2009-11-20 07:46:08 77312 ----a-w- c:\windows\MBR.exe
2009-11-20 07:46:08 260608 ----a-w- c:\windows\PEV.exe
2009-11-20 07:46:08 161792 ----a-w- c:\windows\SWREG.exe
2009-11-16 12:11:12 0 d-----w- C:\found.003
2009-11-12 07:36:39 0 d-----w- c:\program files\Bethesda Softworks
2009-11-11 05:20:35 3252 ----a-w- c:\windows\system32\wbem\Outlook_01ca628eb28623c4.mof
2009-11-10 01:25:36 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-10 01:25:33 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-11-10 01:25:33 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-11-10 01:25:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-11-10 01:25:31 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-10 01:25:31 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-11-10 01:25:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-10 00:50:52 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2009-11-10 00:50:52 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2009-11-10 00:50:51 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2009-11-10 00:50:49 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2009-11-10 00:50:46 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2009-11-10 00:50:46 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2009-11-10 00:50:43 3850760 ----a-w- c:\windows\system32\D3DX9_38.dll
2009-11-10 00:50:41 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2009-11-10 00:50:39 238088 ----a-w- c:\windows\system32\xactengine3_0.dll
2009-11-10 00:50:38 25608 ----a-w- c:\windows\system32\X3DAudio1_3.dll
2009-11-10 00:45:23 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2009-11-10 00:45:23 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2009-11-10 00:45:21 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-11-10 00:44:37 0 d-----w- c:\windows\system32\xlive
2009-11-10 00:44:36 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-11-09 01:39:34 0 d-----w- C:\GamepotUSA
2009-11-08 20:11:58 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-08 09:35:56 82432 ---h-tw- c:\windows\system32\9c13920.dll
2009-11-08 09:35:56 82432 ---h-tw- c:\windows\system32\17d08eb5.dll
2009-11-08 09:25:51 82432 ---h-tw- c:\windows\system32\b533e7b.dll
2009-11-08 09:25:51 82432 ---h-tw- c:\windows\system32\a3cb000.dll
2009-11-07 00:36:09 82432 ---h-tw- c:\windows\system32\dd9c188.dll
2009-11-07 00:34:53 82432 ---h-tw- c:\windows\system32\6b49aca.dll
2009-11-07 00:34:53 82432 ---h-tw- c:\windows\system32\3920f5f4.dll
2009-11-06 02:14:42 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-11-04 22:31:12 0 d-----w- c:\program files\Silkroad
2009-11-04 18:38:03 26176 ---ha-w- c:\windows\system32\hamachi.sys
2009-11-04 00:31:55 0 d-----w- c:\docume~1\kenny\applic~1\NeopleLauncherDFO

==================== Find3M ====================

2009-11-21 20:48:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-20 01:33:55 737280 -c--a-w- c:\windows\iun6002.exe
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-10-03 00:57:51 22328 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-03 00:57:51 22328 ----a-w- c:\docume~1\kenny\applic~1\PnkBstrK.sys
2009-10-03 00:57:41 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-03 00:57:24 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-03 00:57:24 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2009-10-01 13:58:07 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 22:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-09-02 02:52:57 98304 -c--a-w- c:\windows\system32CmdLineExt.dll
2009-08-28 10:28:59 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-25 22:04:30 75264 ----a-w- c:\windows\system32\uc_holybeast_launching.dll
2007-05-03 23:46:05 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-11-04 13:07:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110420081105\index.dat

============= FINISH: 11:36:47.34 ===============

overall it seems to be running better however i have noticed that my firefox is no longer able to access this website

km2357

2009-11-22, 23:54

Kaspersky found files in the Qoobox folder which is where ComboFix keeps its quarantined files. I'll show how to remove those and ComboFix in an upcoming post. Kaspersky also found some infected System Restore points. They are harmless where they are. I'll show you how to remove them and set a new, clean one in an upcoming post.

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden files.

Be sure to re-hide your files once you are finished cleaning your computer.
I'd like for you to delete the contents of the following folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

Step # 1 Clear Java's Cache

Click Start > Control Panel

Double-click the Java icon in the control panel. (coffeecup icon)
Click Settings under Temporary Internet Files.

-The Temporary Files Settings dialog box appears.

Click Delete Files.

-The Delete Temporary Files dialog box appears.
-There are three options on this window to clear the cache.

Delete Files
View Applications
View Applets

Click OK on Delete Temporary Files window.

-Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window.
Close the Java Control Panel

You can view those instructions along with graphics here (http://www.java.com/en/download/help/5000020300.xml)

As for Firefox, what does it say on the screen when you try to visit here? Does Firefox have any troubles going to other websites? You can try updating Firefox to see if that fixes it. Or you can try uninstalling and then reinstalling Firefox to see if that does it.

undeadwolf7

2009-11-23, 04:49

I deleted the folder you request and cleared the Java Cache

Firefox gives me this error when trying to get to this site

Firefox can't find the file at http://www.safer-networking.org/en/home/index.html.

I can go to other sites with it fine so far but i'll uninstall and reinstall it just to see if that will fix it

km2357

2009-11-23, 08:35

If uninstalling and reinstalling doesn't work, try this:

First disable all of your addons (Start up Firefox, then click on Tools-->Addons) and once they've all been disabled, see if you can go to Safer Networking with Firefox. If you can then the problem is with one of your addons.

To figure out which one it is, start enabling them one at a time and then test to see if you can still visit Safer Networking. As soon as you enable the addon that stops you from visiting Safer Networking, then disable/uninstall that addon.

undeadwolf7

2009-11-23, 10:38

ok i've disabled all the plug-ins and add-ons for fire fox also tried an uninstall and reinstall but neither worked.. should I try to uninstall and delete the personal settings for it? I didn't do that last time but it just suddenly stopped being able to go to this site

km2357

2009-11-23, 22:11

Before you delete the personal settings/profile in Firefox, try creating a new profile first.

If you can visit Safer Networking with the new profile, then you know that the old profile got corrupted and you'll need to remove it and use the new one.

Here's a link explaining how to create a new Firefox profile:

http://support.mozilla.com/en-US/kb/Managing+profiles

undeadwolf7

2009-11-24, 03:17

Alright that worked i'm able to view the page again on firefox

thanks I had a question though i just realized that I no longer of game booster installed on my computer but i didn't remove it myself i was wondering if one of the scans/fixes i ran removed it and was wondering if the program itself was generally bad to use or that that copy was infected

km2357

2009-11-24, 08:13

Alright that worked i'm able to view the page again on firefox

:bigthumb:

thanks I had a question though i just realized that I no longer of game booster installed on my computer but i didn't remove it myself i was wondering if one of the scans/fixes i ran removed it and was wondering if the program itself was generally bad to use or that that copy was infected

The company that makes gamebooster, IOBit has come under fire recently in the malware removal/computer security community for their recent actions concerning MalwareBytes' and their Anti-Malware database.

You can read more about it at the following links:

IOBit Steals Malwarebytes' Intellectual Property (http://www.malwarebytes.org/forums/index.php?showtopic=29681)
IOBit’s Denial of Theft Unconvincing (http://www.malwarebytes.org/forums/index.php?showtopic=30989)

After reading those links, I'll leave it up to you if want any products installed by IOBit on your computer. If you do (and that's your choice), you can go ahead and reinstall GameBooster. Though please note if you need help again in the future, it may be removed again by another helper.

If there are no more problems, you are good to go. :)

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.

Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created..

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.

Make your Internet Explorer more secure This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please checkHide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK

Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm) Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html) If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then doubleclick it. On the dropdown box, change the setting from automatic to manual. Click ok..
Use an alternative instant messenger program.Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.

undeadwolf7

2009-11-24, 23:38

Thank you for all the help the only question i have left is earlier you mentioned deleting some infected or corrupted restore points? how do i go about doing that?

km2357

2009-11-25, 06:06

Thank you for all the help the only question i have left is earlier you mentioned deleting some infected or corrupted restore points? how do i go about doing that?

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created..