PDA

View Full Version : Malware Issue



rustygun01
2010-11-12, 00:16
I'd like to thank the people in these forums as they are a great help and their help is much appreciated.

To start, I opened a thread in the wrong area without reading what I was suppose to read and I appoligize. Here's the link:
http://forums.spybot.info/showthread.php?t=60375

On a side note, I did not run combofix nor could I. I also couldn't attach the Attach file as a .rar and I'm not experienced enough to figure out why I can't zip it...

DDS (Ver_10-11-10.01) - NTFSx86
Run by rusty at 17:04:50.67 on Thu 11/11/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1942 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
C:\Users\rusty\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\rusty\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TCP: NameServer = 93.188.164.128,93.188.160.208
TCP: {979D4F56-CD33-4913-823C-4FFDC412C0AF} = 93.188.164.128,93.188.160.208
TCP: {D1B63795-7986-47A5-961C-D7B144828249} = 93.188.164.128,93.188.160.208
mASetup: {V670L004-RPP3-12V8-16X0-R5Y0A86REOES} - c:\users\rusty\appdata\roaming\server\server.exe Restart
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-4-1 21504]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-10-1 20328]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-9-2 33792]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-3-24 870400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-4-1 21504]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-11 20:53:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-11 20:53:30 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-11 20:53:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-11 20:53:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 20:38:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-08 12:46:04 -------- d-----w- c:\progra~2\Alwil Software
2010-11-07 21:13:48 15256 ----a-w- c:\users\rusty\appdata\roaming\microsoft\identitycrl\production\ppcrlconfig.dll
2010-11-07 20:55:04 -------- d-----w- c:\progra~2\SmartSound Software Inc
2010-11-07 20:55:03 -------- d-----w- c:\program files\SmartSound Software
2010-11-06 21:40:50 -------- d-----w- c:\progra~2\Tunngle
2010-11-06 21:40:40 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-11-06 01:30:34 -------- d-----w- c:\users\rusty\.thumbnails
2010-11-02 14:41:24 -------- d-----w- c:\users\rusty\appdata\local\Minecraft_Tools_Team
2010-11-02 14:38:24 -------- d-----w- c:\users\rusty\appdata\roaming\mts
2010-11-02 05:51:01 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{1a5465b8-ff88-4bd9-acd8-42e36f680278}\mpengine.dll
2010-10-31 23:20:11 -------- d-----w- c:\windows\system32\world
2010-10-27 23:39:45 -------- d-----w- c:\users\rusty\appdata\roaming\.minecraft
2010-10-26 18:26:47 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-26 18:26:46 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-26 18:26:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

==================== Find3M ====================

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HDP725050GLA360 rev.GM4OA5CA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85A0EEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86184872; SUB DWORD [EBP-0x4], 0x8618412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82296962] -> \Device\Harddisk0\DR0[0x85BBF620]
3 CLASSPNP[0x8B5A88B3] -> ntkrnlpa!IofCallDriver[0x82296962] -> [0x85AFA658]
5 acpi[0x807396BC] -> ntkrnlpa!IofCallDriver[0x82296962] -> [0x85ADF5E0]
[0x868354F8] -> IRP_MJ_CREATE -> 0x85A0EEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HDP725050GLA360_________________GM4OA5CA#5&2e153c89&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x85A0EAEA
\Driver\atapi -> 0x858e21f8
user & kernel MBR OK
sectors 976773166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 17:06:15.87 ===============

Jack&Jill
2010-11-18, 07:14
Hello rustygun01 :),

Sorry for the delay.

If you still need help, please delete the DDS file that you have and download a fresh copy from one of the links below. Please post new DDS logs.

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)
Link 3 (http://www.infospyware.net/sUBs/dds)

Otherwise, this topic will be closed after 3 days.

rustygun01
2010-11-19, 08:05
No worries Jack&Jill. I appreciate the help and time wasn't a concern for me.

Here's the updated DDS file:


DDS (Ver_10-11-10.01) - NTFSx86
Run by rusty at 0:52:46.09 on Fri 11/19/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2156 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Windows\system32\taskeng.exe
C:\Users\rusty\Downloads\dds(2).scr
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
StartupFolder: c:\users\rusty\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TCP: NameServer = 93.188.164.128,93.188.160.208
TCP: {979D4F56-CD33-4913-823C-4FFDC412C0AF} = 93.188.164.128,93.188.160.208
TCP: {D1B63795-7986-47A5-961C-D7B144828249} = 93.188.164.128,93.188.160.208
mASetup: {V670L004-RPP3-12V8-16X0-R5Y0A86REOES} - c:\users\rusty\appdata\roaming\server\server.exe Restart
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-4-1 21504]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-10-1 20328]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-9-2 33792]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-3-24 870400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-4-1 21504]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-11 20:53:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-11 20:53:30 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-11 20:53:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-11 20:53:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 20:38:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-08 12:46:04 -------- d-----w- c:\progra~2\Alwil Software
2010-11-07 21:13:48 15256 ----a-w- c:\users\rusty\appdata\roaming\microsoft\identitycrl\production\ppcrlconfig.dll
2010-11-07 20:55:04 -------- d-----w- c:\progra~2\SmartSound Software Inc
2010-11-07 20:55:03 -------- d-----w- c:\program files\SmartSound Software
2010-11-06 21:40:50 -------- d-----w- c:\progra~2\Tunngle
2010-11-06 21:40:40 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-11-06 01:30:34 -------- d-----w- c:\users\rusty\.thumbnails
2010-11-02 14:41:24 -------- d-----w- c:\users\rusty\appdata\local\Minecraft_Tools_Team
2010-11-02 14:38:24 -------- d-----w- c:\users\rusty\appdata\roaming\mts
2010-11-02 05:51:01 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{1a5465b8-ff88-4bd9-acd8-42e36f680278}\mpengine.dll
2010-10-31 23:20:11 -------- d-----w- c:\windows\system32\world
2010-10-27 23:39:45 -------- d-----w- c:\users\rusty\appdata\roaming\.minecraft
2010-10-26 18:26:47 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-26 18:26:46 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-26 18:26:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

==================== Find3M ====================

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HDP725050GLA360 rev.GM4OA5CA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85A0DEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86184872; SUB DWORD [EBP-0x4], 0x8618412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x8227A962] -> \Device\Harddisk0\DR0[0x85BBF360]
3 CLASSPNP[0x8B7A68B3] -> ntkrnlpa!IofCallDriver[0x8227A962] -> [0x85AF5918]
5 acpi[0x8AF3F6BC] -> ntkrnlpa!IofCallDriver[0x8227A962] -> [0x85AE9030]
[0x86854A00] -> IRP_MJ_CREATE -> 0x85A0DEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HDP725050GLA360_________________GM4OA5CA#5&2e153c89&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x85A0DAEA
\Driver\atapi -> 0x858e21f8
user & kernel MBR OK
sectors 976773166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 0:58:31.76 ===============

Jack&Jill
2010-11-20, 17:36
Hello rustygun01 :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we are share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security softwares.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

What do you use the computer for?

--------------------

Remove P2P software

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent
LimeWire PRO 5.4.6


Please read the Guidelines for P2P Programs (http://forums.spybot.info/showthread.php?t=282) where we explain why it's not a good idea to have them.
Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Go to Control Panel > Add/Remove Programs and uninstall the P2P program(s) listed above (in red).
Please remove them before we continue with fixing your computer.

--------------------

I see that you have some programs that are not recommended or not safe on board your computer. You may uninstall them through Add/Remove Programs at the Control Panel.

PunkBuster

PunkBuster is a gaming tool that uses spyware techniques and can take over your computer. It is not likely that your computer could be cleaned without breaking or removing it, and this would result in not being able to play the associated games or worse.

Since PunkBuster is malware/spyware by our definition, you will need to choose one of the following:
1. Leave PunkBuster alone and continue cleaning malware, but understand that there is no assurance you will be able to do games afterwards.
2. Remove PunkBuster and continue cleaning.
3. Leave PunkBuster alone and stop cleaning.

See here (http://en.wikipedia.org/wiki/PunkBuster) for more information.

If you choose to uninstall PunkBuster
Please download the PBSVC setup program and save it to your desktop. Click here. (http://www.evenbalance.com/downloads/pbsvc/pbsvc.exe)
Double click on pbsvc.exe and click Uninstall.
Open Windows Explorer and navigate to C:\windows\system32\drivers.
Find files with PnkBstr in the name and delete them.
Repeat delete files step in folder C:\windows\system32.

--------------------

Validate Windows

Please download MGADiag.exe from Microsoft and save it to a convenient location. Click here. (http://go.microsoft.com/fwlink/?linkid=52012)
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.

--------------------

Check for additional security risks

Please download CKScanner© by askey127 and save to your desktop. Click here. (http://downloads.malwareremoval.com/CKScanner.exe)
Double click on CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, click OK.
Post the contents of ckfiles.txt in your reply, it is located on your desktop.

--------------------

Please post back:
1. the answer to my question about your computer
2. MGADiag result
3. CKScanner log
4. new DDS log (Attach.txt only)

rustygun01
2010-11-21, 10:08
Thanks again Jack&Jill. To start off, I ended up getting MGAD from MegaUpload.com because the link you gave me wasn't working for me. Anyways, I hope that I answer all of your questions thoroughly.

1. What do I use my computer for?
I use my computer to do online school work, to play video games, and watch animes. In short, I use my computer for school and entertainment.

2. MGADDiag Result
Diagnostic Report (1.7.0069.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: 0x0
Cached Validation Code: 0x0
Windows Product Key: *****-*****-44V4P-2GQFR-MFQDR
Windows Product Key Hash: y0/thimbRcU8fUGzOd0S+qX2wUw=
Windows Product ID: 89578-OEM-7359623-29556
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.0.6002.2.00010300.2.0.003
CSVLK Server: N/A
CSVLK PID: N/A
ID: {5CF86BA6-CC28-474F-B89A-5CFF06FD47CC}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows Vista (TM) Home Premium
Architecture: 0x00000000
Build lab: 6002.vistasp2_gdr.100608-0458
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-282-80041010_025D1FF3-170-80041010_025D1FF3-171-1_025D1FF3-434-80040154_025D1FF3-178-80040154_025D1FF3-179-2_025D1FF3-185-80070002_025D1FF3-199-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{5CF86BA6-CC28-474F-B89A-5CFF06FD47CC}</UGUID><Version>1.7.0069.0</Version><OS>6.0.6002.2.00010300.2.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MFQDR</PKey><PID>89578-OEM-7359623-29556</PID><PIDType>3</PIDType><SID>S-1-5-21-2005747108-265105218-770747461</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>1101 </Version><SMBIOSVersion major="2" minor="5"/><Date>20081226000000.000000+000</Date></BIOS><HWID>3F333507018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>US Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65321</Pid><PidType>14</PidType></Product></Products></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

3. CKScanner Log
CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\alaplaya\loco\animations\devilcrack.ukx
c:\program files\alaplaya\loco\animations\naturecrack.ukx
c:\program files\alaplaya\loco\animations\set1devilpropcrack.ukx
c:\program files\alaplaya\loco\animations\set1naturepropcrack.ukx
c:\program files\alaplaya\loco\animations\set1otherpropcrack.ukx
c:\program files\alaplaya\loco\animations\set2otherpropcrack.ukx
c:\program files\bethesda softworks\morrowind\data files\icons\i_pf_crackhammer.tga
c:\program files\bethesda softworks\morrowind\data files\meshes\weapons\pf_crackhammer.nif
c:\program files\bethesda softworks\morrowind\data files\textures\pf_crackhammer.dds
c:\program files\bethesda softworks\morrowind\data files\textures\tx_crackedplaster00.dds
c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth.dds
c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth01.dds
c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth03.dds
hosts 127.0.0.1 practivate.adobe.com
scanner sequence 3.ZZ.11
----- EOF -----

4. New DDS Log (attach only)
Attached!

Jack&Jill
2010-11-21, 18:36
Hello rustygun01 :),


To start off, I ended up getting MGAD from MegaUpload.com because the link you gave me wasn't working for me. The site is not reliable, which also means the MGADiag you got from that location is also not reliable. Check here (http://siteadvisor.us/sites/megaupload.com/summary/). It is outdated as well. In fact, megaupload has the characteristics of P2P, only in other forms. I suggest you to stay clear from it and also uninstall Mega Manager that is related to it. We will come the the MGADiag later after we get you to address a few things.

--------------------

Cracks / Keygens / Warez / Illegal softwares detected!!!

Your log indicates the presence and usage of one or more of the above. Very likely your computer got infected due to the illegal softwares or the illegitimate websites you visited to get them.

Please read the fourth post of the Forum Rules (http://forums.spybot.info/showthread.php?t=288) .

Note:
We do not support the use of illegal Pirated/Warez/Cracked software.

If seeking help in our Malware removal forum please know that users who have programs obtained by such methods will be asked to remove them, since our help could otherwise be seen as aiding copyright violations. Aside from the legalities be aware malware authors prey on users looking to circumvent a software's protection mechanisms. There is a high risk of infection involved in downloading and running crack codes.

If you still want help, please remove the illegal items from your computer, and if you still need the softwares, get legal ones from legitimate sources.
If you advised that the illegal softwares have been removed and I find it otherwise (the tools we use can and will detect them), then I will have no choice but to have this topic closed.
If there are more such new findings after this, the topic will also be closed.

Please remove/uninstall the following before we continue:
All your Adobe CS4 programs and the other crack programs you tried to hide.

Please post a new CKScanner log.

rustygun01
2010-11-22, 02:40
Alrighty. I read through the rules and removed pretty much anything that would hinder you from helping me. I may or may not have missed a few files here or there, but nothing from what I can see/find goes against the rules this time. Sorry about that.

I re-did the ckscanner and ran a new DDS Attach for you.

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\alaplaya\loco\animations\devilcrack.ukx
c:\program files\alaplaya\loco\animations\naturecrack.ukx
c:\program files\alaplaya\loco\animations\set1devilpropcrack.ukx
c:\program files\alaplaya\loco\animations\set1naturepropcrack.ukx
c:\program files\alaplaya\loco\animations\set1otherpropcrack.ukx
c:\program files\alaplaya\loco\animations\set2otherpropcrack.ukx
c:\program files\bethesda softworks\morrowind\data files\icons\i_pf_crackhammer.tga
c:\program files\bethesda softworks\morrowind\data files\meshes\weapons\pf_crackhammer.nif
c:\program files\bethesda softworks\morrowind\data files\textures\pf_crackhammer.dds
c:\program files\bethesda softworks\morrowind\data files\textures\tx_crackedplaster00.dds
c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth.dds
c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth01.dds
c:\program files\bethesda softworks\morrowind\data files\textures\tx_ma_crackedearth03.dds
hosts 127.0.0.1 practivate.adobe.com
scanner sequence 3.JD.11
----- EOF -----

Also, I took your tip and uninstalled Mega Manager. My computer actually got infected when I was getting an add-on for Minecraft, a computer game. I can't remember the site, but I was looking for an application to help map a world and ended up getting infected. I wasn't very intelligent to download it without scanning the file.

Also, as a side note, I did get rid of Adobe Creative Suite 4, but it keeps saying that it can't uninstall 1 part of Adobe because it's in use. I'm uncertain to what it is, but it isn't an application so I'm assuming it's a service that is being used. Because of that one section that can't be uninstalled, it won't remove itself from my Programs and Features. I am looking into it and I'll post back as soon as I figure out how to remove it completely.

Jack&Jill
2010-11-22, 15:23
Hello rustygun01 :),

Thank you for removing all the illegal items. Have you tried uninstalling the balance Adobe CS4 programs as soon as after a new start up of the computer?

--------------------

For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

Lets make way for MGADiag so that you can download and run it.

Clear TCP

Open Notepad. Copy and paste the following text into it:

@echo off
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NameServer" /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{979D4F56-CD33-4913-823C-4FFDC412C0AF}" /v "NameServer" /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D1B63795-7986-47A5-961C-D7B144828249}" /v "NameServer" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "NameServer" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{979D4F56-CD33-4913-823C-4FFDC412C0AF}" /v "NameServer" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D1B63795-7986-47A5-961C-D7B144828249}" /v "NameServer" /f
ipconfig /flushdns
del %0
Save it as ClearTCP.bat on the desktop. Make sure the Save as type: is All Files (*.*).
Double click on ClearTCP.bat to run it. Allow if prompted by any security software.

Please reboot you computer.

--------------------

Validate Windows

Please download MGADiag.exe from Microsoft and save it to a convenient location. Click here. (http://go.microsoft.com/fwlink/?linkid=52012)
Double click on MGADiag.exe to run it.
Click Continue.
The program will run. It takes a while to finish the diagnosis, please be patient.
Once done, click on Copy.
Open Notepad and paste the contents in. Save this file and post it in your next reply.

--------------------

Please close all programs and do not run any others before and during the GMER scan. Do not use the computer for anything else until after the scan is completed.

Please download GMER and save it to your desktop. Click here. (http://www.gmer.net/download.php)

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running GMER. They may cause the computer to freeze.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click the .exe file. If asked to allow the gmer driver file with a sys extension to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan, click on No.
In the right panel, you will see several boxes that have been checked (ticked).
Uncheck IAT/EAT
Uncheck All other Drives/Partitions except C:\ (leave C:\ checked)
Uncheck Show All (don't miss this one)
Then click the Scan button and wait for it to finish.
Once done, click on the Save... button and save it as "Gmer.txt" at a convenient location. Post the contents of that report.
Enable back your security softwares as soon as you completed the GMER steps.
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries.

If you are having problems running this version of GMER, please try running GMER in Safe Mode. You can get into Safe Mode using the F8 key during the startup of your computer after a reboot.

--------------------

Please post back:
1. the answer to my question about Adobe CS4
2. MGADiag result
3. GMER log

rustygun01
2010-11-22, 20:28
I've actually tried that and running it in safe mode to uninstall it and I keep getting the same error message when uninstalling. When I googled the problem, all that came up was problems installing that specific part of the suite. I have no programs that start up at start-up so I'm strongly thinking that it's a service and I don't mess with those enough to know which one is causing the problem.

I didn't have any problems opening the link this time, thank you. I ran the MGADiag without any problems as well. It's in the zip that's attached. On a side note for Gmer, the first time I ran it my computer shutdown. I wasn't watching so I don't know what happened, but it worked fine the second time I ran it. The Gmer log is also in the zip that's attached.


Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-44V4P-2GQFR-MFQDR
Windows Product Key Hash: y0/thimbRcU8fUGzOd0S+qX2wUw=
Windows Product ID: 89578-OEM-7359623-29556
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.0.6002.2.00010300.2.0.003
ID: {5CF86BA6-CC28-474F-B89A-5CFF06FD47CC}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows Vista (TM) Home Premium
Architecture: 0x00000000
Build lab: 6002.vistasp2_gdr.100608-0458
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{5CF86BA6-CC28-474F-B89A-5CFF06FD47CC}</UGUID><Version>1.9.0027.0</Version><OS>6.0.6002.2.00010300.2.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MFQDR</PKey><PID>89578-OEM-7359623-29556</PID><PIDType>3</PIDType><SID>S-1-5-21-2005747108-265105218-770747461</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>1101 </Version><SMBIOSVersion major="2" minor="5"/><Date>20081226000000.000000+000</Date></BIOS><HWID>3F333507018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>US Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65321</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.0.6002.18005
Name: Windows(TM) Vista, HomePremium edition
Description: Windows Operating System - Vista, OEM_COA_NSLP channel
Activation ID: f3acdd3c-119a-4932-a3d7-0b6f33a1dca9
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 89578-00146-596-229556-02-1033-6000.0000-0902009
Installation ID: 012201058245321803361291947703482931519804947025796543
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43473
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43474
Use License URL: http://go.microsoft.com/fwlink/?LinkID=43476
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43475
Partial Product Key: MFQDR
License Status: Licensed

Windows Activation Technologies-->
N/A

HWID Data-->
HWID Hash Current: OgAAAAEABAABAAEAAwABAAAAAwABAAEA6GGCe8CEMNoCG1TyEDNkXxbQje/y9J4vWOc/GCjhrFaonA==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC 122608 APIC1458
FACP 122608 FACP1458
HPET 122608 OEMHPET
MCFG 122608 OEMMCFG
OEMB 122608 OEMB1458
SSDT A M I POWERNOW


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-22 13:20:03
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HDP725050GLA360 rev.GM4OA5CA
Running: s6j75x23.exe; Driver: C:\Users\rusty\AppData\Local\Temp\fglcrpow.sys


---- System - GMER 1.0.15 ----

INT 0x52 ? 85B0BF00
INT 0x62 ? 85B0BF00
INT 0x71 ? 84B21BF8
INT 0x72 ? 85B0BF00
INT 0x72 ? 85B0BF00
INT 0x72 ? 85B0BF00
INT 0x81 ? 84B21BF8
INT 0x91 ? 84B21BF8
INT 0xA1 ? 85B0BF00
INT 0xA1 ? 85B0BF00
INT 0xA1 ? 85B0BF00

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spxh.sys The system cannot find the path specified. !
.rsrc C:\Windows\system32\DRIVERS\AtiPcie.sys entry point in ".rsrc" section [0x8B5C1014]
.text USBPORT.SYS!DllUnload 93F9C41B 5 Bytes JMP 85B0B4E0
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9FE0F300, 0x3AF78, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9FE56300, 0x1BCE, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 858E31F8
Device \Driver\volmgr \Device\VolMgrControl 84B231F8
Device \Driver\usbohci \Device\USBPDO-0 868E61F8
Device \Driver\usbohci \Device\USBPDO-1 868E61F8
Device \Driver\usbehci \Device\USBPDO-2 8684A1F8
Device \Driver\usbohci \Device\USBPDO-3 868E61F8
Device \Driver\usbohci \Device\USBPDO-4 868E61F8
Device \Driver\usbehci \Device\USBPDO-5 8684A1F8
Device \Driver\usbohci \Device\USBPDO-6 868E61F8
Device \Driver\volmgr \Device\HarddiskVolume1 84B231F8
Device \Driver\cdrom \Device\CdRom0 8684C1F8
Device \Driver\volmgr \Device\HarddiskVolume2 84B231F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-2 85A0EAEA
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 858E21F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85A0EAEA
Device \Driver\atapi \Device\Ide\IdePort0 858E21F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85A0EAEA
Device \Driver\atapi \Device\Ide\IdePort1 858E21F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 85A0EAEA
Device \Driver\atapi \Device\Ide\IdePort2 858E21F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 85A0EAEA
Device \Driver\atapi \Device\Ide\IdePort3 858E21F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-5 85A0EAEA
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-5 858E21F8
Device \Driver\volmgr \Device\HarddiskVolume3 84B231F8
Device \Driver\USBSTOR \Device\00000073 875D61F8
Device \Driver\USBSTOR \Device\00000074 875D61F8
Device \Driver\volmgr \Device\HarddiskVolume4 84B231F8
Device \Driver\USBSTOR \Device\00000075 875D61F8
Device \Driver\volmgr \Device\HarddiskVolume5 84B231F8
Device \Driver\USBSTOR \Device\00000076 875D61F8
Device \Driver\volmgr \Device\HarddiskVolume6 84B231F8
Device \Driver\USBSTOR \Device\00000069 875D61F8
Device \Driver\USBSTOR \Device\00000077 875D61F8
Device \Driver\volmgr \Device\HarddiskVolume7 84B231F8
Device \Driver\netbt \Device\NetBt_Wins_Export 87504500
Device \Driver\USBSTOR \Device\00000078 875D61F8
Device \Driver\volmgr \Device\HarddiskVolume8 84B231F8
Device \Driver\Smb \Device\NetbiosSmb 875011F8
Device \Driver\BTHUSB \Device\00000079 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\iScsiPrt \Device\RaidPort0 868E81F8
Device \Driver\USBSTOR \Device\0000006c 875D61F8
Device \Driver\usbohci \Device\USBFDO-0 868E61F8
Device \Driver\netbt \Device\NetBT_Tcpip_{D1B63795-7986-47A5-961C-D7B144828249} 87504500
Device \Driver\usbohci \Device\USBFDO-1 868E61F8
Device \Driver\BTHUSB \Device\0000007b bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBFDO-2 8684A1F8
Device \Driver\usbohci \Device\USBFDO-3 868E61F8
Device \Driver\usbohci \Device\USBFDO-4 868E61F8
Device \Driver\usbehci \Device\USBFDO-5 8684A1F8
Device \Driver\usbohci \Device\USBFDO-6 868E61F8
Device \Driver\netbt \Device\NetBT_Tcpip_{979D4F56-CD33-4913-823C-4FFDC412C0AF} 87504500
Device \FileSystem\cdfs \Cdfs 881E01F8
Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HDP725050GLA360_________________GM4OA5CA#5&2e153c89&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c@0007616fb497 0x65 0xD8 0x89 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c@0007616ff0a2 0xC3 0x93 0x0F 0x82 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFE 0x42 0x71 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x19 0xCA 0x0A 0x8F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x38 0x34 0x28 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xF8 0x3C 0xF1 0x51 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xCE 0xDD 0xE7 0x81 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43@ujdew 0x25 0x52 0x59 0x1E ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c@0007616fb497 0x65 0xD8 0x89 0xCA ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bdc0fcd6c@0007616ff0a2 0xC3 0x93 0x0F 0x82 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFE 0x42 0x71 0xDA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x19 0xCA 0x0A 0x8F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x38 0x34 0x28 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xF8 0x3C 0xF1 0x51 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0xCE 0xDD 0xE7 0x81 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43@ujdew 0x25 0x52 0x59 0x1E ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 976772912 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\DRIVERS\AtiPcie.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Jack&Jill
2010-11-23, 02:59
Hello rustygun01 :),

You might want to try Revo Uninstaller (http://www.revouninstaller.com/start_freeware_download.html) to see if you can uninstall the remaining Adobe CS4.

--------------------

For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

Disable CD Emulation drivers

Please download DeFogger© by jpshortstuff and save it to your desktop. Click here. (http://www.jpshortstuff.247fixes.com/Defogger.exe)
Double click on DeFogger.exe to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A Finished! message will appear, then click OK.
DeFogger will now ask to reboot the machine, click OK.
DO NOT re-enable these drivers until otherwise instructed.

If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

--------------------

Please download ComboFix© by sUBs from one of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/sUBs/ComboFix.exe)

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

Run ComboFix

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click on ComboFix.exe and follow the prompts.
When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Enable back your security softwares as soon as you completed the ComboFix steps.

A detailed step by step tutorial to run ComboFix can be found here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) if you need help.

--------------------

I do not see any Antivirus (AV) installed on your machine. AV is a very critical part of your system to keep the it safe and clean. Without it, a computer can easily get infected. Please download and install an AV from one of the links below:

Avast (http://www.avast.com/eng/download-avast-home.html)
Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)

Please keep only one AV installed.

--------------------

Please post back:
1. the ComboFix log

rustygun01
2010-11-23, 09:57
Revo Uninstaller did end up removing the program and I thank you for that. CD emulation was turned off and the computer was restarted. Here's where a problem occurred, I couldn't run combofix. It does the same thing when I try to install anti-malaware programs and such. It also does the same thing when I try to run Spybot Search & Destroy.

Jack&Jill
2010-11-23, 11:37
Hello rustygun01 :),

Please delete the copy of ComboFix that you have and download a fresh copy. Save it as RGCF.exe to the desktop. See if it runs.

rustygun01
2010-11-23, 20:26
Well renaming the new copy of Combofix worked, but right after loading up the program my computer blue screened. I tried it once again after it restarted and the result ended up the same as the first time.

Jack&Jill
2010-11-24, 02:11
Hello rustygun01 :),

I need more details of what happened. Any error message when it blue screened? What was ComboFix doing or which stage was reached just before the blue screen occurred? Have a look at the ComboFix tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) so that you can provide a clear description.

At the same time, please post a new DDS log (DDS.txt only).

rustygun01
2010-11-24, 19:12
Well I double-click combofix (or right-click:run as administrator) and then click run. A little gray bar pops up with a blue bar filling up from left to right. It has ComboFix above the bar. Before that bar fills completely it stops and then it blue screens, and it's not even a normal blue screen. It blue screens like normal but half of the time it'll instantly restart (restart before I can even read one word.)

DDS (Ver_10-11-10.01) - NTFSx86
Run by rusty at 12:04:48.55 on Wed 11/24/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2288 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Users\rusty\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
mASetup: {V670L004-RPP3-12V8-16X0-R5Y0A86REOES} - c:\users\rusty\appdata\roaming\server\server.exe Restart
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-4-1 21504]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-10-1 20328]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-9-2 33792]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-3-24 870400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe --> c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-4-1 21504]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-23 07:39:01 -------- d-----w- c:\program files\VS Revo Group
2010-11-23 07:27:08 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{90c8dcc6-4440-4a26-bf44-145906f5d6dc}\mpengine.dll
2010-11-22 17:26:44 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-22 17:23:28 -------- d-----w- C:\MGADiagToolOutput
2010-11-21 20:46:58 -------- d-----w- C:\AdobeTemp
2010-11-11 20:53:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 20:38:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-08 12:46:04 -------- d-----w- c:\progra~2\Alwil Software
2010-11-07 21:13:48 15256 ----a-w- c:\users\rusty\appdata\roaming\microsoft\identitycrl\production\ppcrlconfig.dll
2010-11-06 21:40:50 -------- d-----w- c:\progra~2\Tunngle
2010-11-06 21:40:40 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-11-06 01:30:34 -------- d-----w- c:\users\rusty\.thumbnails
2010-11-02 14:41:24 -------- d-----w- c:\users\rusty\appdata\local\Minecraft_Tools_Team
2010-11-02 14:38:24 -------- d-----w- c:\users\rusty\appdata\roaming\mts
2010-10-31 23:20:11 -------- d-----w- c:\windows\system32\world
2010-10-27 23:39:45 -------- d-----w- c:\users\rusty\appdata\roaming\.minecraft
2010-10-26 18:26:47 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-26 18:26:46 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-26 18:26:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

==================== Find3M ====================

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 06:36:52 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 06:36:50 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HDP725050GLA360 rev.GM4OA5CA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85582EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86184872; SUB DWORD [EBP-0x4], 0x8618412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x82255962] -> \Device\Harddisk0\DR0[0x85634030]
3 CLASSPNP[0x8AF9F8B3] -> ntkrnlpa!IofCallDriver[0x82255962] -> [0x85634898]
5 acpi[0x806106BC] -> ntkrnlpa!IofCallDriver[0x82255962] -> [0x8561A030]
[0x862FC6E0] -> IRP_MJ_CREATE -> 0x85582EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HDP725050GLA360_________________GM4OA5CA#5&2e153c89&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x85582AEA
user & kernel MBR OK
sectors 976773166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:07:25.56 ===============

Jack&Jill
2010-11-25, 05:19
Hello rustygun01 :),

We need to disable Windows Defender real-time protection temporarily as it will interfere with the fix. Please minimize going online when your security softwares are disabled or not active.
Go to Start > All Programs > Windows Defender.
Click on Tools at the top.
Under Settings, click on Options.
Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended) box.
Under Real-time protection options, uncheck Use real-time protection (recommended) box. Scroll down if you do not see it.
Click on the Save button at the bottom right hand corner and close the window.
Remember to enable it after the fix.

Now, move the ComboFix file to the root of the drive, C:\, then try running it again.

If it is still not working, we should try running it in Safe Mode.

Restart in Safe Mode

Reboot your computer and tap on the F8 key repeatedly during startup.
A menu will appear. Select to start Windows in Safe Mode by using the arrow keys. Click here for tutorial on how to boot up in Safe Mode if you need help. (http://www.bleepingcomputer.com/forums/index.php?showtutorial=61)

Let me know which step works for you.

rustygun01
2010-11-26, 04:29
Alrighty, worked that time. Sorry I didn't pay attention there. It worked without safe-mode by the way.


ComboFix 10-11-22.05 - rusty 11/25/2010 20:54:44.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2177 [GMT -5:00]
Running from: C:\RGCF.exe.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\rusty\AppData\Roaming\Microsoft\Windows\Recent\Registration.url
c:\users\rusty\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\server.log

Infected copy of c:\windows\system32\DRIVERS\AtiPcie.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.

2010-11-26 02:05 . 2010-11-26 02:06 -------- d-----w- c:\users\rusty\AppData\Local\temp
2010-11-26 02:05 . 2010-11-26 02:05 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-11-26 02:05 . 2010-11-26 02:05 -------- d-----w- c:\users\Marijan\AppData\Local\temp
2010-11-26 02:05 . 2010-11-26 02:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-26 01:49 . 2008-04-28 13:26 14352 ----a-w- c:\windows\system32\drivers\AtiPcie.sys
2010-11-24 21:42 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 07:39 . 2010-11-23 07:39 -------- d-----w- c:\program files\VS Revo Group
2010-11-23 07:27 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{90C8DCC6-4440-4A26-BF44-145906F5D6DC}\mpengine.dll
2010-11-22 17:26 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-22 17:23 . 2010-11-22 17:23 -------- d-----w- C:\MGADiagToolOutput
2010-11-21 20:46 . 2010-11-21 20:48 -------- d-----w- C:\AdobeTemp
2010-11-11 20:53 . 2010-11-21 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 20:38 . 2010-11-11 21:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-08 12:46 . 2010-11-08 12:46 -------- d-----w- c:\programdata\Alwil Software
2010-11-07 21:40 . 2010-11-07 21:41 -------- d-----w- c:\users\Public\CyberLink
2010-11-07 21:19 . 2010-11-07 21:20 -------- d-----w- c:\users\rusty\AppData\Roaming\CyberLink
2010-11-07 21:12 . 2010-11-07 21:12 -------- d-----w- c:\programdata\CyberLink
2010-11-06 21:40 . 2010-11-06 22:19 -------- d-----w- c:\programdata\Tunngle
2010-11-06 21:40 . 2009-09-16 12:02 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-11-06 01:30 . 2010-11-06 01:30 -------- d-----w- c:\users\rusty\.thumbnails
2010-11-02 14:41 . 2010-11-02 14:41 -------- d-----w- c:\users\rusty\AppData\Local\Minecraft_Tools_Team
2010-11-02 14:38 . 2010-11-02 14:38 -------- d-----w- c:\users\rusty\AppData\Roaming\mts
2010-10-31 23:20 . 2010-10-31 23:21 -------- d-----w- c:\windows\system32\world
2010-10-27 23:39 . 2010-11-12 07:35 -------- d-----w- c:\users\rusty\AppData\Roaming\.minecraft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2009-10-02 17:08 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 06:36 . 2010-10-14 06:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 06:36 . 2010-10-14 06:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-09-23 00:10 . 2009-04-01 21:04 52792 ----a-w- c:\windows\system32\drivers\volmgr.sys
2010-09-22 22:46 . 2010-09-22 22:46 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-13 13:56 . 2010-10-14 01:57 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-13 05:05 . 2010-09-13 03:04 2037862856 ----a-w- c:\users\Public\VindictusCBSetupV002.exe
2010-09-08 06:01 . 2010-10-14 01:57 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 01:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 01:57 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 01:57 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 01:57 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 01:57 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 01:57 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 01:57 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 01:57 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 01:57 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 01:57 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 01:57 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 01:57 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-14 01:57 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 01:57 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 01:57 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 01:57 2038272 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKCttq]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSmnmN]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux9"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\CCleaner.exe]
path=CCleaner.exe
backup=c:\windows\pss\CCleaner.exe.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnefakip
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\server

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2009-10-28 03:40 257440 ----a-w- c:\windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-08-26 03:18 16986112 ----a-r- c:\program files\VIA\VIAudioi\VDeck\VDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2008-08-14 22:11 565008 ----a-w- c:\program files\Common Files\logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-08-14 22:15 2407184 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 20:37 13939816 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 20:37 110696 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-09-16 01:47 2969496 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-16 20:47 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

R1 szwcndgc;szwcndgc;c:\windows\system32\drivers\szwcndgc.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-25 716272]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-07-25 870400]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\rusty\AppData\Roaming\Mozilla\Firefox\Profiles\gkru7vam.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-klmdb.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
MSConfigStartUp-Adobe Acrobat Speed Launcher - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-rfagent - c:\program files\RFA\rfagent32.exe
MSConfigStartUp-Windows System Spooler - c:\windows\system\smsg.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-25 21:09
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2005747108-265105218-770747461-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ad,0a,cb,11,7d,d5,61,05,c0,bb,af,e0,78,2f,dd,01,60,75,72,29,30,8c,d5,
10,2b,7c,b1,7d,2f,66,a7,54,95,e7,33,8f,24,df,db,e3,9b,68,88,6e,9f,16,f7,5a,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-2005747108-265105218-770747461-1000\Software\SecuROM\License information*]
"datasecu"=hex:90,33,0e,4a,14,04,4b,f2,b1,c2,d9,61,aa,f3,ee,ea,d3,0d,52,af,4a,
ff,fa,03,f4,d0,2a,c6,9c,a5,a5,06,5a,42,50,a2,74,77,40,75,71,1e,d8,f7,18,c6,\
"rkeysecu"=hex:cc,f4,92,e9,03,43,07,a5,be,88,15,1f,a2,23,b0,4b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6464)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-11-25 21:14:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-26 02:14
ComboFix2.txt 2009-12-27 19:51

Pre-Run: 328,996,786,176 bytes free
Post-Run: 329,015,324,672 bytes free

- - End Of File - - 730E56F81F5CB678B85CCE41712C02B2

Jack&Jill
2010-11-26, 05:28
Hello rustygun01 :),

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problem running the scan, you might want to disable any real time protection that you have.

Click here (http://www.eset.com/onlinescan/) to go to ESET Online Scanner page.
Click on ESET Online Scanner. A new window will open.
For FireFox user, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
You will be prompted to install an ActiveX Control from ESET. Please install.
At the Computer scan settings section, uncheck (untick) Remove found threats and then check Scan archives.
Now, click on Advanced settings and make sure all these are checked:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click on Scan to proceed.
When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
Post the contents in your reply.

If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

--------------------

Please post back:
1. the ESET online scan result

rustygun01
2010-11-27, 12:39
C:\Qoobox\Quarantine\C\Windows\System32\drivers\AtiPcie.sys.vir_ Win32/Olmarik.ZC trojan
C:\Users\rusty\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\722f9ffc-2a63ab6a a variant of Java/TrojanDownloader.OpenStream.NAU trojan

Jack&Jill
2010-11-28, 08:25
Hello rustygun01 :),

Things are looking better.

The remainder of the online scan's findings include backups that were created during the course of this fix and findings from the Java cache. We will deal with them in due course.

--------------------

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Run ComboFix script

Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Open Notepad. Copy and paste the following text into it:

File::
C:\Users\rusty\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\722f9ffc-2a63ab6a

Driver::
szwcndgc

DirLook::
c:\windows\system32\world

FileLook::
c:\users\rusty\appdata\roaming\server\server.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKCttq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSmnmN]


Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into RGCF.exe.
ComboFix may request an update, please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Enable back your security softwares as soon as you completed the ComboFix steps.

--------------------

Did you install an Antivirus? I still could not see any signs of one. Please do so or your computer will be vulnerable to future infections. Also, I see symptoms of Windows Defender not running properly. Could you please verify if it is running or otherwise?

--------------------

I need you to upload a suspicious file to Jotti for an online scan. Click here. (http://virusscan.jotti.org/)

Click the white box beside the Browse box.
Copy and paste the following file and its path to upload:

c:\users\rusty\appdata\roaming\server\server.exe
Press Submit. The file will be submitted for testing.
If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
Post the results in your next response.

Alternatively, if Jotti is busy or inaccessible, you may try VirusTotal (http://www.virustotal.com/en/indexf.html) or VirScan (http://virscan.org/) with similar steps.

A result from either one of the above scanners would be sufficient.

--------------------

Please post back:
1. ComboFix log
2. the answers to my questions about Antivirus and Windows Defender
3. Jotti / VT / VirScan result
4. how is your computer running?

rustygun01
2010-11-29, 06:10
Hey Jack&Jill, I'm actually a bit confused as to why you saw windows defender not running properly. To be honest, I haven't touched windows defender since I got the computer up until I did the first combofix scan, in which I turned it off and turned it back on after the scan finished and the computer rebooted. It is on and the options are what they were when I first got my computer.

Secondly, I couldn't scan the server.exe file that you wanted me to scan. The reason why is the file isn't there anymore. When I went into roaming, there's no Server folder and I can view hidden files/folders. As a second note, I couldn't copy and paste the path into the white box at two of the sites you listed.

As for an anti-virus program, I had avast downloaded when you recommended it first, I just didn't install it because I didn't want it to mess with combofix. I just installed it moments ago though.

Finally, my computer is running well. I haven't been using it as much as I normally do, but a few of the problems that I was running into haven't been happening.

ComboFix 10-11-28.01 - rusty 11/28/2010 21:48:17.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2472 [GMT -5:00]
Running from: c:\users\rusty\Downloads\ComboFix.exe
Command switches used :: c:\users\rusty\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\rusty\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\722f9ffc-2a63ab6a"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\rusty\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\722f9ffc-2a63ab6a
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_szwcndgc


((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-29 02:56 . 2010-11-29 02:59 -------- d-----w- c:\users\rusty\AppData\Local\temp
2010-11-29 02:56 . 2010-11-29 02:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-11-29 02:56 . 2010-11-29 02:56 -------- d-----w- c:\users\Marijan\AppData\Local\temp
2010-11-29 02:56 . 2010-11-29 02:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-26 23:15 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D8BEA4A-CA6D-4A4A-9143-9C26FA5D538B}\mpengine.dll
2010-11-26 01:49 . 2008-04-28 13:26 14352 ----a-w- c:\windows\system32\drivers\AtiPcie.sys
2010-11-24 21:42 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 07:39 . 2010-11-23 07:39 -------- d-----w- c:\program files\VS Revo Group
2010-11-22 17:26 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-22 17:23 . 2010-11-22 17:23 -------- d-----w- C:\MGADiagToolOutput
2010-11-21 20:46 . 2010-11-21 20:48 -------- d-----w- C:\AdobeTemp
2010-11-11 20:53 . 2010-11-21 22:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 20:38 . 2010-11-11 21:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-08 12:46 . 2010-11-08 12:46 -------- d-----w- c:\programdata\Alwil Software
2010-11-07 21:40 . 2010-11-07 21:41 -------- d-----w- c:\users\Public\CyberLink
2010-11-07 21:19 . 2010-11-07 21:20 -------- d-----w- c:\users\rusty\AppData\Roaming\CyberLink
2010-11-07 21:12 . 2010-11-07 21:12 -------- d-----w- c:\programdata\CyberLink
2010-11-06 21:40 . 2010-11-06 22:19 -------- d-----w- c:\programdata\Tunngle
2010-11-06 21:40 . 2009-09-16 12:02 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-11-06 01:30 . 2010-11-06 01:30 -------- d-----w- c:\users\rusty\.thumbnails
2010-11-02 14:41 . 2010-11-02 14:41 -------- d-----w- c:\users\rusty\AppData\Local\Minecraft_Tools_Team
2010-11-02 14:38 . 2010-11-02 14:38 -------- d-----w- c:\users\rusty\AppData\Roaming\mts
2010-10-31 23:20 . 2010-10-31 23:21 -------- d-----w- c:\windows\system32\world

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2009-10-02 17:08 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 06:36 . 2010-10-14 06:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 06:36 . 2010-10-14 06:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-09-23 00:10 . 2009-04-01 21:04 52792 ----a-w- c:\windows\system32\drivers\volmgr.sys
2010-09-22 22:46 . 2010-09-22 22:46 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-13 13:56 . 2010-10-14 01:57 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-13 05:05 . 2010-09-13 03:04 2037862856 ----a-w- c:\users\Public\VindictusCBSetupV002.exe
2010-09-08 06:01 . 2010-10-14 01:57 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 01:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 01:57 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 01:57 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 01:57 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 01:57 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 01:57 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 01:57 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 01:57 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 01:57 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 01:57 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 01:57 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 01:57 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-14 01:57 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 01:57 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 01:57 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 01:57 2038272 ----a-w- c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\world ----

2010-10-31 23:20 . 2010-10-31 23:20 1320 ----a-w- c:\windows\system32\world\0\0\c.0.0.dat
2010-10-31 23:20 . 2010-10-31 23:20 1084 ----a-w- c:\windows\system32\world\1\1m\c.1.-6.dat
2010-10-31 23:20 . 2010-10-31 23:20 1297 ----a-w- c:\windows\system32\world\1\1n\c.1.-5.dat
2010-10-31 23:20 . 2010-10-31 23:20 1223 ----a-w- c:\windows\system32\world\1\1o\c.1.-4.dat
2010-10-31 23:20 . 2010-10-31 23:21 2152 ----a-w- c:\windows\system32\world\15\10\c.-n.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 1916 ----a-w- c:\windows\system32\world\15\11\c.-n.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 1792 ----a-w- c:\windows\system32\world\15\12\c.-n.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2314 ----a-w- c:\windows\system32\world\15\13\c.-n.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2297 ----a-w- c:\windows\system32\world\15\14\c.-n.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 1825 ----a-w- c:\windows\system32\world\15\15\c.-n.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 1636 ----a-w- c:\windows\system32\world\15\16\c.-n.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2033 ----a-w- c:\windows\system32\world\15\17\c.-n.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 1949 ----a-w- c:\windows\system32\world\15\18\c.-n.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 1983 ----a-w- c:\windows\system32\world\15\19\c.-n.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 1793 ----a-w- c:\windows\system32\world\15\1a\c.-n.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2349 ----a-w- c:\windows\system32\world\15\1b\c.-n.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 1581 ----a-w- c:\windows\system32\world\15\1c\c.-n.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 1890 ----a-w- c:\windows\system32\world\15\1d\c.-n.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2214 ----a-w- c:\windows\system32\world\15\1e\c.-n.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 2037 ----a-w- c:\windows\system32\world\15\1f\c.-n.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2435 ----a-w- c:\windows\system32\world\15\1g\c.-n.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 1930 ----a-w- c:\windows\system32\world\15\1h\c.-n.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 1841 ----a-w- c:\windows\system32\world\15\x\c.-n.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 1952 ----a-w- c:\windows\system32\world\15\y\c.-n.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2095 ----a-w- c:\windows\system32\world\15\z\c.-n.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2054 ----a-w- c:\windows\system32\world\16\10\c.-m.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2334 ----a-w- c:\windows\system32\world\16\11\c.-m.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2440 ----a-w- c:\windows\system32\world\16\12\c.-m.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 3143 ----a-w- c:\windows\system32\world\16\13\c.-m.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2855 ----a-w- c:\windows\system32\world\16\14\c.-m.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2364 ----a-w- c:\windows\system32\world\16\15\c.-m.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2667 ----a-w- c:\windows\system32\world\16\16\c.-m.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2830 ----a-w- c:\windows\system32\world\16\17\c.-m.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2207 ----a-w- c:\windows\system32\world\16\18\c.-m.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2388 ----a-w- c:\windows\system32\world\16\19\c.-m.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2753 ----a-w- c:\windows\system32\world\16\1a\c.-m.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2840 ----a-w- c:\windows\system32\world\16\1b\c.-m.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3051 ----a-w- c:\windows\system32\world\16\1c\c.-m.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 2371 ----a-w- c:\windows\system32\world\16\1d\c.-m.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2896 ----a-w- c:\windows\system32\world\16\1e\c.-m.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 3056 ----a-w- c:\windows\system32\world\16\1f\c.-m.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2846 ----a-w- c:\windows\system32\world\16\1g\c.-m.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 2302 ----a-w- c:\windows\system32\world\16\1h\c.-m.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 2683 ----a-w- c:\windows\system32\world\16\x\c.-m.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2680 ----a-w- c:\windows\system32\world\16\y\c.-m.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2350 ----a-w- c:\windows\system32\world\16\z\c.-m.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2235 ----a-w- c:\windows\system32\world\17\10\c.-l.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2617 ----a-w- c:\windows\system32\world\17\11\c.-l.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2428 ----a-w- c:\windows\system32\world\17\12\c.-l.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2792 ----a-w- c:\windows\system32\world\17\13\c.-l.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 3178 ----a-w- c:\windows\system32\world\17\14\c.-l.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2882 ----a-w- c:\windows\system32\world\17\15\c.-l.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 3211 ----a-w- c:\windows\system32\world\17\16\c.-l.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 3068 ----a-w- c:\windows\system32\world\17\17\c.-l.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2538 ----a-w- c:\windows\system32\world\17\18\c.-l.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2857 ----a-w- c:\windows\system32\world\17\19\c.-l.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 3171 ----a-w- c:\windows\system32\world\17\1a\c.-l.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2604 ----a-w- c:\windows\system32\world\17\1b\c.-l.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 2651 ----a-w- c:\windows\system32\world\17\1c\c.-l.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 2545 ----a-w- c:\windows\system32\world\17\1d\c.-l.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2549 ----a-w- c:\windows\system32\world\17\1e\c.-l.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 2727 ----a-w- c:\windows\system32\world\17\1f\c.-l.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2469 ----a-w- c:\windows\system32\world\17\1g\c.-l.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 1973 ----a-w- c:\windows\system32\world\17\1h\c.-l.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 2480 ----a-w- c:\windows\system32\world\17\x\c.-l.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 3096 ----a-w- c:\windows\system32\world\17\y\c.-l.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2357 ----a-w- c:\windows\system32\world\17\z\c.-l.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2532 ----a-w- c:\windows\system32\world\18\10\c.-k.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2877 ----a-w- c:\windows\system32\world\18\11\c.-k.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2089 ----a-w- c:\windows\system32\world\18\12\c.-k.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2919 ----a-w- c:\windows\system32\world\18\13\c.-k.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 3452 ----a-w- c:\windows\system32\world\18\14\c.-k.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2726 ----a-w- c:\windows\system32\world\18\15\c.-k.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2994 ----a-w- c:\windows\system32\world\18\16\c.-k.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2725 ----a-w- c:\windows\system32\world\18\17\c.-k.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2708 ----a-w- c:\windows\system32\world\18\18\c.-k.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2897 ----a-w- c:\windows\system32\world\18\19\c.-k.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 3009 ----a-w- c:\windows\system32\world\18\1a\c.-k.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2590 ----a-w- c:\windows\system32\world\18\1b\c.-k.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 2513 ----a-w- c:\windows\system32\world\18\1c\c.-k.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 2480 ----a-w- c:\windows\system32\world\18\1d\c.-k.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2700 ----a-w- c:\windows\system32\world\18\1e\c.-k.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 2495 ----a-w- c:\windows\system32\world\18\1f\c.-k.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2098 ----a-w- c:\windows\system32\world\18\1g\c.-k.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 1592 ----a-w- c:\windows\system32\world\18\1h\c.-k.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 2063 ----a-w- c:\windows\system32\world\18\x\c.-k.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2528 ----a-w- c:\windows\system32\world\18\y\c.-k.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2466 ----a-w- c:\windows\system32\world\18\z\c.-k.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2293 ----a-w- c:\windows\system32\world\19\10\c.-j.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2180 ----a-w- c:\windows\system32\world\19\11\c.-j.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2238 ----a-w- c:\windows\system32\world\19\12\c.-j.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 3021 ----a-w- c:\windows\system32\world\19\13\c.-j.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 3421 ----a-w- c:\windows\system32\world\19\14\c.-j.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2212 ----a-w- c:\windows\system32\world\19\15\c.-j.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2209 ----a-w- c:\windows\system32\world\19\16\c.-j.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2374 ----a-w- c:\windows\system32\world\19\17\c.-j.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2375 ----a-w- c:\windows\system32\world\19\18\c.-j.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2883 ----a-w- c:\windows\system32\world\19\19\c.-j.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2576 ----a-w- c:\windows\system32\world\19\1a\c.-j.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2811 ----a-w- c:\windows\system32\world\19\1b\c.-j.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 2836 ----a-w- c:\windows\system32\world\19\1c\c.-j.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3270 ----a-w- c:\windows\system32\world\19\1d\c.-j.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2689 ----a-w- c:\windows\system32\world\19\1e\c.-j.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 2526 ----a-w- c:\windows\system32\world\19\1f\c.-j.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2591 ----a-w- c:\windows\system32\world\19\1g\c.-j.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 1712 ----a-w- c:\windows\system32\world\19\1h\c.-j.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 2122 ----a-w- c:\windows\system32\world\19\x\c.-j.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2602 ----a-w- c:\windows\system32\world\19\y\c.-j.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2274 ----a-w- c:\windows\system32\world\19\z\c.-j.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2033 ----a-w- c:\windows\system32\world\1a\10\c.-i.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2132 ----a-w- c:\windows\system32\world\1a\11\c.-i.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2052 ----a-w- c:\windows\system32\world\1a\12\c.-i.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2545 ----a-w- c:\windows\system32\world\1a\13\c.-i.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 3442 ----a-w- c:\windows\system32\world\1a\14\c.-i.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2594 ----a-w- c:\windows\system32\world\1a\15\c.-i.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2297 ----a-w- c:\windows\system32\world\1a\16\c.-i.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 3343 ----a-w- c:\windows\system32\world\1a\17\c.-i.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 4190 ----a-w- c:\windows\system32\world\1a\18\c.-i.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 3311 ----a-w- c:\windows\system32\world\1a\19\c.-i.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2695 ----a-w- c:\windows\system32\world\1a\1a\c.-i.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2988 ----a-w- c:\windows\system32\world\1a\1b\c.-i.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3167 ----a-w- c:\windows\system32\world\1a\1c\c.-i.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3519 ----a-w- c:\windows\system32\world\1a\1d\c.-i.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 3005 ----a-w- c:\windows\system32\world\1a\1e\c.-i.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 2678 ----a-w- c:\windows\system32\world\1a\1f\c.-i.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2833 ----a-w- c:\windows\system32\world\1a\1g\c.-i.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 1977 ----a-w- c:\windows\system32\world\1a\1h\c.-i.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 1467 ----a-w- c:\windows\system32\world\1a\1k\c.-i.-8.dat
2010-10-31 23:20 . 2010-10-31 23:21 1658 ----a-w- c:\windows\system32\world\1a\x\c.-i.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2326 ----a-w- c:\windows\system32\world\1a\y\c.-i.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2311 ----a-w- c:\windows\system32\world\1a\z\c.-i.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2297 ----a-w- c:\windows\system32\world\1b\10\c.-h.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2453 ----a-w- c:\windows\system32\world\1b\11\c.-h.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2120 ----a-w- c:\windows\system32\world\1b\12\c.-h.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2693 ----a-w- c:\windows\system32\world\1b\13\c.-h.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 4133 ----a-w- c:\windows\system32\world\1b\14\c.-h.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2802 ----a-w- c:\windows\system32\world\1b\15\c.-h.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2614 ----a-w- c:\windows\system32\world\1b\16\c.-h.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 3699 ----a-w- c:\windows\system32\world\1b\17\c.-h.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 4234 ----a-w- c:\windows\system32\world\1b\18\c.-h.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 3983 ----a-w- c:\windows\system32\world\1b\19\c.-h.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 3151 ----a-w- c:\windows\system32\world\1b\1a\c.-h.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 3686 ----a-w- c:\windows\system32\world\1b\1b\c.-h.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 4213 ----a-w- c:\windows\system32\world\1b\1c\c.-h.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 4226 ----a-w- c:\windows\system32\world\1b\1d\c.-h.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 4191 ----a-w- c:\windows\system32\world\1b\1e\c.-h.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 3356 ----a-w- c:\windows\system32\world\1b\1f\c.-h.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 3577 ----a-w- c:\windows\system32\world\1b\1g\c.-h.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 2389 ----a-w- c:\windows\system32\world\1b\1h\c.-h.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 1291 ----a-w- c:\windows\system32\world\1b\1k\c.-h.-8.dat
2010-10-31 23:20 . 2010-10-31 23:21 1980 ----a-w- c:\windows\system32\world\1b\x\c.-h.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2383 ----a-w- c:\windows\system32\world\1b\y\c.-h.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2217 ----a-w- c:\windows\system32\world\1b\z\c.-h.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2855 ----a-w- c:\windows\system32\world\1c\10\c.-g.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2129 ----a-w- c:\windows\system32\world\1c\11\c.-g.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2041 ----a-w- c:\windows\system32\world\1c\12\c.-g.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2737 ----a-w- c:\windows\system32\world\1c\13\c.-g.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 3033 ----a-w- c:\windows\system32\world\1c\14\c.-g.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 3167 ----a-w- c:\windows\system32\world\1c\15\c.-g.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2778 ----a-w- c:\windows\system32\world\1c\16\c.-g.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2596 ----a-w- c:\windows\system32\world\1c\17\c.-g.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2947 ----a-w- c:\windows\system32\world\1c\18\c.-g.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 3504 ----a-w- c:\windows\system32\world\1c\19\c.-g.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2822 ----a-w- c:\windows\system32\world\1c\1a\c.-g.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 4037 ----a-w- c:\windows\system32\world\1c\1b\c.-g.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3985 ----a-w- c:\windows\system32\world\1c\1c\c.-g.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3932 ----a-w- c:\windows\system32\world\1c\1d\c.-g.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 4381 ----a-w- c:\windows\system32\world\1c\1e\c.-g.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 4736 ----a-w- c:\windows\system32\world\1c\1f\c.-g.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 4828 ----a-w- c:\windows\system32\world\1c\1g\c.-g.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 3176 ----a-w- c:\windows\system32\world\1c\1h\c.-g.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 1450 ----a-w- c:\windows\system32\world\1c\1i\c.-g.-a.dat
2010-10-31 23:20 . 2010-10-31 23:21 2100 ----a-w- c:\windows\system32\world\1c\x\c.-g.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2876 ----a-w- c:\windows\system32\world\1c\y\c.-g.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2905 ----a-w- c:\windows\system32\world\1c\z\c.-g.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2761 ----a-w- c:\windows\system32\world\1d\10\c.-f.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2035 ----a-w- c:\windows\system32\world\1d\11\c.-f.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2038 ----a-w- c:\windows\system32\world\1d\12\c.-f.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 1940 ----a-w- c:\windows\system32\world\1d\13\c.-f.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2228 ----a-w- c:\windows\system32\world\1d\14\c.-f.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2695 ----a-w- c:\windows\system32\world\1d\15\c.-f.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 3271 ----a-w- c:\windows\system32\world\1d\16\c.-f.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2941 ----a-w- c:\windows\system32\world\1d\17\c.-f.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 3165 ----a-w- c:\windows\system32\world\1d\18\c.-f.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 3615 ----a-w- c:\windows\system32\world\1d\19\c.-f.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2810 ----a-w- c:\windows\system32\world\1d\1a\c.-f.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2697 ----a-w- c:\windows\system32\world\1d\1b\c.-f.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 2647 ----a-w- c:\windows\system32\world\1d\1c\c.-f.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3095 ----a-w- c:\windows\system32\world\1d\1d\c.-f.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 4233 ----a-w- c:\windows\system32\world\1d\1e\c.-f.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 3839 ----a-w- c:\windows\system32\world\1d\1f\c.-f.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 3870 ----a-w- c:\windows\system32\world\1d\1g\c.-f.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 3111 ----a-w- c:\windows\system32\world\1d\1h\c.-f.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 1788 ----a-w- c:\windows\system32\world\1d\x\c.-f.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2506 ----a-w- c:\windows\system32\world\1d\y\c.-f.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2750 ----a-w- c:\windows\system32\world\1d\z\c.-f.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2693 ----a-w- c:\windows\system32\world\1e\10\c.-e.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2409 ----a-w- c:\windows\system32\world\1e\11\c.-e.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2114 ----a-w- c:\windows\system32\world\1e\12\c.-e.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2393 ----a-w- c:\windows\system32\world\1e\13\c.-e.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2527 ----a-w- c:\windows\system32\world\1e\14\c.-e.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2663 ----a-w- c:\windows\system32\world\1e\15\c.-e.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2569 ----a-w- c:\windows\system32\world\1e\16\c.-e.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2448 ----a-w- c:\windows\system32\world\1e\17\c.-e.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 3039 ----a-w- c:\windows\system32\world\1e\18\c.-e.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 3720 ----a-w- c:\windows\system32\world\1e\19\c.-e.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 3067 ----a-w- c:\windows\system32\world\1e\1a\c.-e.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2991 ----a-w- c:\windows\system32\world\1e\1b\c.-e.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3027 ----a-w- c:\windows\system32\world\1e\1c\c.-e.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3893 ----a-w- c:\windows\system32\world\1e\1d\c.-e.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 4152 ----a-w- c:\windows\system32\world\1e\1e\c.-e.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 2963 ----a-w- c:\windows\system32\world\1e\1f\c.-e.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2921 ----a-w- c:\windows\system32\world\1e\1g\c.-e.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 2556 ----a-w- c:\windows\system32\world\1e\1h\c.-e.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 1528 ----a-w- c:\windows\system32\world\1e\1k\c.-e.-8.dat
2010-10-31 23:20 . 2010-10-31 23:21 1644 ----a-w- c:\windows\system32\world\1e\1n\c.-e.-5.dat
2010-10-31 23:20 . 2010-10-31 23:21 1760 ----a-w- c:\windows\system32\world\1e\x\c.-e.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2944 ----a-w- c:\windows\system32\world\1e\y\c.-e.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 3519 ----a-w- c:\windows\system32\world\1e\z\c.-e.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2433 ----a-w- c:\windows\system32\world\1f\10\c.-d.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 1962 ----a-w- c:\windows\system32\world\1f\11\c.-d.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2384 ----a-w- c:\windows\system32\world\1f\12\c.-d.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2096 ----a-w- c:\windows\system32\world\1f\13\c.-d.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2523 ----a-w- c:\windows\system32\world\1f\14\c.-d.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2468 ----a-w- c:\windows\system32\world\1f\15\c.-d.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2364 ----a-w- c:\windows\system32\world\1f\16\c.-d.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2632 ----a-w- c:\windows\system32\world\1f\17\c.-d.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 3482 ----a-w- c:\windows\system32\world\1f\18\c.-d.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 4079 ----a-w- c:\windows\system32\world\1f\19\c.-d.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2965 ----a-w- c:\windows\system32\world\1f\1a\c.-d.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2922 ----a-w- c:\windows\system32\world\1f\1b\c.-d.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 2966 ----a-w- c:\windows\system32\world\1f\1c\c.-d.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3295 ----a-w- c:\windows\system32\world\1f\1d\c.-d.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 3431 ----a-w- c:\windows\system32\world\1f\1e\c.-d.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 3281 ----a-w- c:\windows\system32\world\1f\1f\c.-d.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 3064 ----a-w- c:\windows\system32\world\1f\1g\c.-d.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 2306 ----a-w- c:\windows\system32\world\1f\1h\c.-d.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 1744 ----a-w- c:\windows\system32\world\1f\x\c.-d.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2194 ----a-w- c:\windows\system32\world\1f\y\c.-d.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2978 ----a-w- c:\windows\system32\world\1f\z\c.-d.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2163 ----a-w- c:\windows\system32\world\1g\10\c.-c.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 1875 ----a-w- c:\windows\system32\world\1g\11\c.-c.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 1901 ----a-w- c:\windows\system32\world\1g\12\c.-c.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2318 ----a-w- c:\windows\system32\world\1g\13\c.-c.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 3540 ----a-w- c:\windows\system32\world\1g\14\c.-c.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2842 ----a-w- c:\windows\system32\world\1g\15\c.-c.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 3462 ----a-w- c:\windows\system32\world\1g\16\c.-c.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 3505 ----a-w- c:\windows\system32\world\1g\17\c.-c.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 3050 ----a-w- c:\windows\system32\world\1g\18\c.-c.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 3308 ----a-w- c:\windows\system32\world\1g\19\c.-c.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 3069 ----a-w- c:\windows\system32\world\1g\1a\c.-c.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 3222 ----a-w- c:\windows\system32\world\1g\1b\c.-c.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3018 ----a-w- c:\windows\system32\world\1g\1c\c.-c.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3414 ----a-w- c:\windows\system32\world\1g\1d\c.-c.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2633 ----a-w- c:\windows\system32\world\1g\1e\c.-c.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 2983 ----a-w- c:\windows\system32\world\1g\1f\c.-c.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 3614 ----a-w- c:\windows\system32\world\1g\1g\c.-c.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 2653 ----a-w- c:\windows\system32\world\1g\1h\c.-c.-b.dat
2010-10-31 23:20 . 2010-10-31 23:21 1749 ----a-w- c:\windows\system32\world\1g\x\c.-c.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2275 ----a-w- c:\windows\system32\world\1g\y\c.-c.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2853 ----a-w- c:\windows\system32\world\1g\z\c.-c.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2300 ----a-w- c:\windows\system32\world\1h\10\c.-b.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 1685 ----a-w- c:\windows\system32\world\1h\11\c.-b.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 1855 ----a-w- c:\windows\system32\world\1h\12\c.-b.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 1981 ----a-w- c:\windows\system32\world\1h\13\c.-b.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 3142 ----a-w- c:\windows\system32\world\1h\14\c.-b.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 3321 ----a-w- c:\windows\system32\world\1h\15\c.-b.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 3472 ----a-w- c:\windows\system32\world\1h\16\c.-b.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 3497 ----a-w- c:\windows\system32\world\1h\17\c.-b.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2918 ----a-w- c:\windows\system32\world\1h\18\c.-b.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 3126 ----a-w- c:\windows\system32\world\1h\19\c.-b.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2883 ----a-w- c:\windows\system32\world\1h\1a\c.-b.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 3320 ----a-w- c:\windows\system32\world\1h\1b\c.-b.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3270 ----a-w- c:\windows\system32\world\1h\1c\c.-b.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3060 ----a-w- c:\windows\system32\world\1h\1d\c.-b.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2999 ----a-w- c:\windows\system32\world\1h\1e\c.-b.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 3738 ----a-w- c:\windows\system32\world\1h\1f\c.-b.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2658 ----a-w- c:\windows\system32\world\1h\1g\c.-b.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 1881 ----a-w- c:\windows\system32\world\1h\1h\c.-b.-b.dat
2010-10-31 23:20 . 2010-10-31 23:20 1289 ----a-w- c:\windows\system32\world\1h\1l\c.-b.-7.dat
2010-10-31 23:20 . 2010-10-31 23:20 1445 ----a-w- c:\windows\system32\world\1h\1m\c.-b.-6.dat
2010-10-31 23:20 . 2010-10-31 23:20 1663 ----a-w- c:\windows\system32\world\1h\1n\c.-b.-5.dat
2010-10-31 23:20 . 2010-10-31 23:21 1826 ----a-w- c:\windows\system32\world\1h\x\c.-b.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2405 ----a-w- c:\windows\system32\world\1h\y\c.-b.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2384 ----a-w- c:\windows\system32\world\1h\z\c.-b.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2318 ----a-w- c:\windows\system32\world\1i\10\c.-a.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 1924 ----a-w- c:\windows\system32\world\1i\11\c.-a.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 1869 ----a-w- c:\windows\system32\world\1i\12\c.-a.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 1958 ----a-w- c:\windows\system32\world\1i\13\c.-a.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2143 ----a-w- c:\windows\system32\world\1i\14\c.-a.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2710 ----a-w- c:\windows\system32\world\1i\15\c.-a.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 3352 ----a-w- c:\windows\system32\world\1i\16\c.-a.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 3310 ----a-w- c:\windows\system32\world\1i\17\c.-a.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 3040 ----a-w- c:\windows\system32\world\1i\18\c.-a.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2919 ----a-w- c:\windows\system32\world\1i\19\c.-a.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2739 ----a-w- c:\windows\system32\world\1i\1a\c.-a.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2766 ----a-w- c:\windows\system32\world\1i\1b\c.-a.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 2900 ----a-w- c:\windows\system32\world\1i\1c\c.-a.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 2826 ----a-w- c:\windows\system32\world\1i\1d\c.-a.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2650 ----a-w- c:\windows\system32\world\1i\1e\c.-a.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 3194 ----a-w- c:\windows\system32\world\1i\1f\c.-a.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2600 ----a-w- c:\windows\system32\world\1i\1g\c.-a.-c.dat
2010-10-31 23:20 . 2010-10-31 23:20 2377 ----a-w- c:\windows\system32\world\1i\1h\c.-a.-b.dat
2010-10-31 23:20 . 2010-10-31 23:20 1519 ----a-w- c:\windows\system32\world\1i\1i\c.-a.-a.dat
2010-10-31 23:20 . 2010-10-31 23:20 1458 ----a-w- c:\windows\system32\world\1i\1k\c.-a.-8.dat
2010-10-31 23:20 . 2010-10-31 23:21 1845 ----a-w- c:\windows\system32\world\1i\x\c.-a.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2597 ----a-w- c:\windows\system32\world\1i\y\c.-a.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2167 ----a-w- c:\windows\system32\world\1i\z\c.-a.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2381 ----a-w- c:\windows\system32\world\1j\10\c.-9.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2517 ----a-w- c:\windows\system32\world\1j\11\c.-9.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2308 ----a-w- c:\windows\system32\world\1j\12\c.-9.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 1965 ----a-w- c:\windows\system32\world\1j\13\c.-9.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2226 ----a-w- c:\windows\system32\world\1j\14\c.-9.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2662 ----a-w- c:\windows\system32\world\1j\15\c.-9.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 3256 ----a-w- c:\windows\system32\world\1j\16\c.-9.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 3214 ----a-w- c:\windows\system32\world\1j\17\c.-9.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2819 ----a-w- c:\windows\system32\world\1j\18\c.-9.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2362 ----a-w- c:\windows\system32\world\1j\19\c.-9.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2329 ----a-w- c:\windows\system32\world\1j\1a\c.-9.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2651 ----a-w- c:\windows\system32\world\1j\1b\c.-9.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3220 ----a-w- c:\windows\system32\world\1j\1c\c.-9.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3232 ----a-w- c:\windows\system32\world\1j\1d\c.-9.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2905 ----a-w- c:\windows\system32\world\1j\1e\c.-9.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 2815 ----a-w- c:\windows\system32\world\1j\1f\c.-9.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2522 ----a-w- c:\windows\system32\world\1j\1g\c.-9.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 1845 ----a-w- c:\windows\system32\world\1j\1h\c.-9.-b.dat
2010-10-31 23:20 . 2010-10-31 23:20 1897 ----a-w- c:\windows\system32\world\1j\1j\c.-9.-9.dat
2010-10-31 23:20 . 2010-10-31 23:20 2054 ----a-w- c:\windows\system32\world\1j\1k\c.-9.-8.dat
2010-10-31 23:20 . 2010-10-31 23:20 1763 ----a-w- c:\windows\system32\world\1j\1l\c.-9.-7.dat
2010-10-31 23:20 . 2010-10-31 23:21 2357 ----a-w- c:\windows\system32\world\1j\x\c.-9.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2462 ----a-w- c:\windows\system32\world\1j\y\c.-9.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2847 ----a-w- c:\windows\system32\world\1j\z\c.-9.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2995 ----a-w- c:\windows\system32\world\1k\10\c.-8.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2730 ----a-w- c:\windows\system32\world\1k\11\c.-8.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2547 ----a-w- c:\windows\system32\world\1k\12\c.-8.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2065 ----a-w- c:\windows\system32\world\1k\13\c.-8.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2022 ----a-w- c:\windows\system32\world\1k\14\c.-8.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2751 ----a-w- c:\windows\system32\world\1k\15\c.-8.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2519 ----a-w- c:\windows\system32\world\1k\16\c.-8.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 3159 ----a-w- c:\windows\system32\world\1k\17\c.-8.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2394 ----a-w- c:\windows\system32\world\1k\18\c.-8.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2818 ----a-w- c:\windows\system32\world\1k\19\c.-8.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 3087 ----a-w- c:\windows\system32\world\1k\1a\c.-8.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 3746 ----a-w- c:\windows\system32\world\1k\1b\c.-8.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3181 ----a-w- c:\windows\system32\world\1k\1c\c.-8.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3537 ----a-w- c:\windows\system32\world\1k\1d\c.-8.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 3033 ----a-w- c:\windows\system32\world\1k\1e\c.-8.-e.dat
2010-10-31 23:20 . 2010-10-31 23:20 3087 ----a-w- c:\windows\system32\world\1k\1f\c.-8.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 3211 ----a-w- c:\windows\system32\world\1k\1g\c.-8.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 2573 ----a-w- c:\windows\system32\world\1k\1h\c.-8.-b.dat
2010-10-31 23:20 . 2010-10-31 23:20 1858 ----a-w- c:\windows\system32\world\1k\1j\c.-8.-9.dat
2010-10-31 23:20 . 2010-10-31 23:20 2106 ----a-w- c:\windows\system32\world\1k\1k\c.-8.-8.dat
2010-10-31 23:20 . 2010-10-31 23:21 2326 ----a-w- c:\windows\system32\world\1k\x\c.-8.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2500 ----a-w- c:\windows\system32\world\1k\y\c.-8.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 3308 ----a-w- c:\windows\system32\world\1k\z\c.-8.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 3115 ----a-w- c:\windows\system32\world\1l\10\c.-7.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 3882 ----a-w- c:\windows\system32\world\1l\11\c.-7.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 3446 ----a-w- c:\windows\system32\world\1l\12\c.-7.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2000 ----a-w- c:\windows\system32\world\1l\13\c.-7.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2143 ----a-w- c:\windows\system32\world\1l\14\c.-7.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 2315 ----a-w- c:\windows\system32\world\1l\15\c.-7.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2725 ----a-w- c:\windows\system32\world\1l\16\c.-7.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2178 ----a-w- c:\windows\system32\world\1l\17\c.-7.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2364 ----a-w- c:\windows\system32\world\1l\18\c.-7.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2101 ----a-w- c:\windows\system32\world\1l\19\c.-7.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2650 ----a-w- c:\windows\system32\world\1l\1a\c.-7.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 3171 ----a-w- c:\windows\system32\world\1l\1b\c.-7.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3112 ----a-w- c:\windows\system32\world\1l\1c\c.-7.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3002 ----a-w- c:\windows\system32\world\1l\1d\c.-7.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 2985 ----a-w- c:\windows\system32\world\1l\1e\c.-7.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 2840 ----a-w- c:\windows\system32\world\1l\1f\c.-7.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 3471 ----a-w- c:\windows\system32\world\1l\1g\c.-7.-c.dat
2010-10-31 23:20 . 2010-10-31 23:20 2633 ----a-w- c:\windows\system32\world\1l\1h\c.-7.-b.dat
2010-10-31 23:20 . 2010-10-31 23:20 1647 ----a-w- c:\windows\system32\world\1l\1j\c.-7.-9.dat
2010-10-31 23:20 . 2010-10-31 23:20 1365 ----a-w- c:\windows\system32\world\1l\1n\c.-7.-5.dat
2010-10-31 23:20 . 2010-10-31 23:21 2471 ----a-w- c:\windows\system32\world\1l\x\c.-7.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 2678 ----a-w- c:\windows\system32\world\1l\y\c.-7.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 3344 ----a-w- c:\windows\system32\world\1l\z\c.-7.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 5221 ----a-w- c:\windows\system32\world\1m\10\c.-6.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 3646 ----a-w- c:\windows\system32\world\1m\11\c.-6.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 2849 ----a-w- c:\windows\system32\world\1m\12\c.-6.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 1771 ----a-w- c:\windows\system32\world\1m\13\c.-6.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 2099 ----a-w- c:\windows\system32\world\1m\14\c.-6.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 1911 ----a-w- c:\windows\system32\world\1m\15\c.-6.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2092 ----a-w- c:\windows\system32\world\1m\16\c.-6.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2350 ----a-w- c:\windows\system32\world\1m\17\c.-6.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2132 ----a-w- c:\windows\system32\world\1m\18\c.-6.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2227 ----a-w- c:\windows\system32\world\1m\19\c.-6.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2288 ----a-w- c:\windows\system32\world\1m\1a\c.-6.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2759 ----a-w- c:\windows\system32\world\1m\1b\c.-6.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3569 ----a-w- c:\windows\system32\world\1m\1c\c.-6.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3686 ----a-w- c:\windows\system32\world\1m\1d\c.-6.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 3202 ----a-w- c:\windows\system32\world\1m\1e\c.-6.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 3309 ----a-w- c:\windows\system32\world\1m\1f\c.-6.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 3208 ----a-w- c:\windows\system32\world\1m\1g\c.-6.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 2594 ----a-w- c:\windows\system32\world\1m\1h\c.-6.-b.dat
2010-10-31 23:20 . 2010-10-31 23:20 1796 ----a-w- c:\windows\system32\world\1m\1i\c.-6.-a.dat
2010-10-31 23:20 . 2010-10-31 23:20 1373 ----a-w- c:\windows\system32\world\1m\1j\c.-6.-9.dat
2010-10-31 23:20 . 2010-10-31 23:21 2355 ----a-w- c:\windows\system32\world\1m\x\c.-6.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 3333 ----a-w- c:\windows\system32\world\1m\y\c.-6.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 4358 ----a-w- c:\windows\system32\world\1m\z\c.-6.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 4381 ----a-w- c:\windows\system32\world\1n\10\c.-5.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 3356 ----a-w- c:\windows\system32\world\1n\11\c.-5.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 3373 ----a-w- c:\windows\system32\world\1n\12\c.-5.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 1935 ----a-w- c:\windows\system32\world\1n\13\c.-5.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 1964 ----a-w- c:\windows\system32\world\1n\14\c.-5.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 1970 ----a-w- c:\windows\system32\world\1n\15\c.-5.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 2081 ----a-w- c:\windows\system32\world\1n\16\c.-5.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2178 ----a-w- c:\windows\system32\world\1n\17\c.-5.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2077 ----a-w- c:\windows\system32\world\1n\18\c.-5.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2295 ----a-w- c:\windows\system32\world\1n\19\c.-5.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2248 ----a-w- c:\windows\system32\world\1n\1a\c.-5.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2486 ----a-w- c:\windows\system32\world\1n\1b\c.-5.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3506 ----a-w- c:\windows\system32\world\1n\1c\c.-5.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3127 ----a-w- c:\windows\system32\world\1n\1d\c.-5.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 3194 ----a-w- c:\windows\system32\world\1n\1e\c.-5.-e.dat
2010-10-31 23:20 . 2010-10-31 23:21 3385 ----a-w- c:\windows\system32\world\1n\1f\c.-5.-d.dat
2010-10-31 23:20 . 2010-10-31 23:20 3889 ----a-w- c:\windows\system32\world\1n\1g\c.-5.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 3278 ----a-w- c:\windows\system32\world\1n\1h\c.-5.-b.dat
2010-10-31 23:20 . 2010-10-31 23:20 2343 ----a-w- c:\windows\system32\world\1n\1i\c.-5.-a.dat
2010-10-31 23:20 . 2010-10-31 23:20 1468 ----a-w- c:\windows\system32\world\1n\1l\c.-5.-7.dat
2010-10-31 23:20 . 2010-10-31 23:20 1485 ----a-w- c:\windows\system32\world\1n\1o\c.-5.-4.dat
2010-10-31 23:20 . 2010-10-31 23:21 2463 ----a-w- c:\windows\system32\world\1n\x\c.-5.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 3673 ----a-w- c:\windows\system32\world\1n\y\c.-5.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 5116 ----a-w- c:\windows\system32\world\1n\z\c.-5.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 4472 ----a-w- c:\windows\system32\world\1o\10\c.-4.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 4150 ----a-w- c:\windows\system32\world\1o\11\c.-4.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 3373 ----a-w- c:\windows\system32\world\1o\12\c.-4.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 2271 ----a-w- c:\windows\system32\world\1o\13\c.-4.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 1990 ----a-w- c:\windows\system32\world\1o\14\c.-4.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 1896 ----a-w- c:\windows\system32\world\1o\15\c.-4.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 1854 ----a-w- c:\windows\system32\world\1o\16\c.-4.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 2013 ----a-w- c:\windows\system32\world\1o\17\c.-4.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 2159 ----a-w- c:\windows\system32\world\1o\18\c.-4.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2159 ----a-w- c:\windows\system32\world\1o\19\c.-4.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2389 ----a-w- c:\windows\system32\world\1o\1a\c.-4.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2522 ----a-w- c:\windows\system32\world\1o\1b\c.-4.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 3259 ----a-w- c:\windows\system32\world\1o\1c\c.-4.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3099 ----a-w- c:\windows\system32\world\1o\1d\c.-4.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 3178 ----a-w- c:\windows\system32\world\1o\1e\c.-4.-e.dat
2010-10-31 23:20 . 2010-10-31 23:20 4466 ----a-w- c:\windows\system32\world\1o\1f\c.-4.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 4053 ----a-w- c:\windows\system32\world\1o\1g\c.-4.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 2437 ----a-w- c:\windows\system32\world\1o\1h\c.-4.-b.dat
2010-10-31 23:20 . 2010-10-31 23:20 1998 ----a-w- c:\windows\system32\world\1o\1i\c.-4.-a.dat
2010-10-31 23:20 . 2010-10-31 23:20 1363 ----a-w- c:\windows\system32\world\1o\1m\c.-4.-6.dat
2010-10-31 23:20 . 2010-10-31 23:20 1350 ----a-w- c:\windows\system32\world\1o\1n\c.-4.-5.dat
2010-10-31 23:20 . 2010-10-31 23:20 1256 ----a-w- c:\windows\system32\world\1o\1q\c.-4.-2.dat
2010-10-31 23:20 . 2010-10-31 23:20 1061 ----a-w- c:\windows\system32\world\1o\1r\c.-4.-1.dat
2010-10-31 23:20 . 2010-10-31 23:21 2869 ----a-w- c:\windows\system32\world\1o\x\c.-4.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 3360 ----a-w- c:\windows\system32\world\1o\y\c.-4.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 4954 ----a-w- c:\windows\system32\world\1o\z\c.-4.-t.dat
2010-10-31 23:20 . 2010-10-31 23:21 2697 ----a-w- c:\windows\system32\world\1p\10\c.-3.-s.dat
2010-10-31 23:20 . 2010-10-31 23:21 2625 ----a-w- c:\windows\system32\world\1p\11\c.-3.-r.dat
2010-10-31 23:20 . 2010-10-31 23:21 1936 ----a-w- c:\windows\system32\world\1p\12\c.-3.-q.dat
2010-10-31 23:20 . 2010-10-31 23:21 1694 ----a-w- c:\windows\system32\world\1p\13\c.-3.-p.dat
2010-10-31 23:20 . 2010-10-31 23:21 1685 ----a-w- c:\windows\system32\world\1p\14\c.-3.-o.dat
2010-10-31 23:20 . 2010-10-31 23:21 1755 ----a-w- c:\windows\system32\world\1p\15\c.-3.-n.dat
2010-10-31 23:20 . 2010-10-31 23:21 1607 ----a-w- c:\windows\system32\world\1p\16\c.-3.-m.dat
2010-10-31 23:20 . 2010-10-31 23:21 1727 ----a-w- c:\windows\system32\world\1p\17\c.-3.-l.dat
2010-10-31 23:20 . 2010-10-31 23:21 1617 ----a-w- c:\windows\system32\world\1p\18\c.-3.-k.dat
2010-10-31 23:20 . 2010-10-31 23:21 2191 ----a-w- c:\windows\system32\world\1p\19\c.-3.-j.dat
2010-10-31 23:20 . 2010-10-31 23:21 2150 ----a-w- c:\windows\system32\world\1p\1a\c.-3.-i.dat
2010-10-31 23:20 . 2010-10-31 23:21 2456 ----a-w- c:\windows\system32\world\1p\1b\c.-3.-h.dat
2010-10-31 23:20 . 2010-10-31 23:21 2686 ----a-w- c:\windows\system32\world\1p\1c\c.-3.-g.dat
2010-10-31 23:20 . 2010-10-31 23:21 3340 ----a-w- c:\windows\system32\world\1p\1d\c.-3.-f.dat
2010-10-31 23:20 . 2010-10-31 23:21 3010 ----a-w- c:\windows\system32\world\1p\1e\c.-3.-e.dat
2010-10-31 23:20 . 2010-10-31 23:20 3626 ----a-w- c:\windows\system32\world\1p\1f\c.-3.-d.dat
2010-10-31 23:20 . 2010-10-31 23:21 2979 ----a-w- c:\windows\system32\world\1p\1g\c.-3.-c.dat
2010-10-31 23:20 . 2010-10-31 23:21 1917 ----a-w- c:\windows\system32\world\1p\1h\c.-3.-b.dat
2010-10-31 23:20 . 2010-10-31 23:20 1576 ----a-w- c:\windows\system32\world\1p\1p\c.-3.-3.dat
2010-10-31 23:20 . 2010-10-31 23:21 3139 ----a-w- c:\windows\system32\world\1p\x\c.-3.-v.dat
2010-10-31 23:20 . 2010-10-31 23:21 3631 ----a-w- c:\windows\system32\world\1p\y\c.-3.-u.dat
2010-10-31 23:20 . 2010-10-31 23:21 2768 ----a-w- c:\windows\system32\world\1p\z\c.-3.-t.dat
2010-10-31 23:20 . 2010-10-31 23:20 1044 ----a-w- c:\windows\system32\world\1q\1m\c.-2.-6.dat
2010-10-31 23:20 . 2010-10-31 23:20 1234 ----a-w- c:\windows\system32\world\1r\1q\c.-1.-2.dat
2010-10-31 23:20 . 2010-10-31 23:20 1329 ----a-w- c:\windows\system32\world\1r\1r\c.-1.-1.dat
2010-10-31 23:20 . 2010-10-31 23:21 128 ----a-w- c:\windows\system32\world\level.dat
2010-10-31 23:20 . 2010-10-31 23:21 128 ----a-w- c:\windows\system32\world\level.dat_old
2010-10-31 23:20 . 2010-10-31 23:20 8 ----a-w- c:\windows\system32\world\session.lock


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux9"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\CCleaner.exe]
path=CCleaner.exe
backup=c:\windows\pss\CCleaner.exe.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2009-10-28 03:40 257440 ----a-w- c:\windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-08-26 03:18 16986112 ----a-r- c:\program files\VIA\VIAudioi\VDeck\VDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2008-08-14 22:11 565008 ----a-w- c:\program files\Common Files\logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-08-14 22:15 2407184 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 20:37 13939816 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 20:37 110696 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-09-16 01:47 2969496 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-16 20:47 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-03-25 716272]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-07-25 870400]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\rusty\AppData\Roaming\Mozilla\Firefox\Profiles\gkru7vam.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\rusty\AppData\Roaming\Mozilla\Firefox\Profiles\gkru7vam.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\users\rusty\AppData\Roaming\Mozilla\Firefox\Profiles\gkru7vam.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: Upromise TurboSaver: FFToolbar@upromise - c:\users\rusty\AppData\Roaming\Mozilla\Firefox\Profiles\gkru7vam.default\extensions\FFToolbar@upromise
FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\users\rusty\AppData\Roaming\Mozilla\Firefox\Profiles\gkru7vam.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 21:57
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

LVPrcSrv.exe [11784]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2005747108-265105218-770747461-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ad,0a,cb,11,7d,d5,61,05,c0,bb,af,e0,78,2f,dd,01,60,75,72,29,30,8c,d5,
10,2b,7c,b1,7d,2f,66,a7,54,95,e7,33,8f,24,df,db,e3,9b,68,88,6e,9f,16,f7,5a,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-2005747108-265105218-770747461-1000\Software\SecuROM\License information*]
"datasecu"=hex:90,33,0e,4a,14,04,4b,f2,b1,c2,d9,61,aa,f3,ee,ea,d3,0d,52,af,4a,
ff,fa,03,f4,d0,2a,c6,9c,a5,a5,06,5a,42,50,a2,74,77,40,75,71,1e,d8,f7,18,c6,\
"rkeysecu"=hex:cc,f4,92,e9,03,43,07,a5,be,88,15,1f,a2,23,b0,4b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(8820)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\nvshext.dll
c:\windows\system32\nvapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-11-28 22:05:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-29 03:05
ComboFix2.txt 2009-12-27 19:51

Pre-Run: 330,019,061,760 bytes free
Post-Run: 329,980,207,104 bytes free

- - End Of File - - 7CEBDCEB4F53F7F03E722863296AE468

rustygun01
2010-11-29, 06:16
I almost forgot to mention this: I'm pretty sure I know where the server.exe file came from. I'm pretty sure it was affiliated with a download I got from this site: http://minecraft.net/download.jsp

Minecraft is a game and the file that I downloaded allowed multi-player access by hosting a server. The file was coded by to work with the game and that game alone, which is why it probably came up as suspicious.

Jack&Jill
2010-11-29, 14:52
Hello rustygun01 :),

A few more steps and we will be done.

Regarding Windows Defender, I just wanted to make sure. If it is running OK, then there is no problem.

Good to know about the server.exe file. It's location is not a very good one, thus I wanted to find out if the file is malicious or otherwise.

About this folder; c:\windows\system32\world, do you have any idea which program is using it or what the folder is for?

--------------------


FF - Extension: Upromise TurboSaver: FFToolbar@upromise - c:\users\rusty\AppData\Roaming\Mozilla\Firefox\Profiles\gkru7vam.default\extensions\FFToolbar@upromise Have a look here (http://www.systemlookup.com/search.php?list=&type=name&search=Upromise+&s=) to see if you decide to keep this toolbar.

--------------------

I want you to update MBAM and run a scan.

Open MBAM and click on the Update tab, then Check for Updates.
When completed, go to back to the Scanner tab and select Perform full scan. Click Scan.
Leave the default options as it is and click on Start Scan.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

--------------------

Please post back:
1. the answer to my question about the folder
2. MBAM report

rustygun01
2010-11-29, 21:49
The World folder is also associated with Minecraft.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5214

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/29/2010 2:40:47 PM
mbam-log-2010-11-29 (14-40-47).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 324523
Time elapsed: 1 hour(s), 19 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Jack&Jill
2010-11-30, 04:30
Hello rustygun01 :),

Please update your Adobe Reader to the latest.

Open Adobe Reader.
Go to Help on the pull down menu, then select Check for Updates....
Continue accordingly and close it when done.

--------------------

Your Java Runtime Environment is outdated. Older versions have security vulnerabilities that can be exploited.

Please update JRE to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Java(TM) 6 Update 13


Go to the Java SE download page. Click here. (http://java.sun.com/javase/downloads/index.jsp)
Look for JDK 6 Update 22 (JDK or JRE). Click the Download JRE button to the right.
Select Windows from the drop-down list for Platform.
Check I agree to the Java SE Runtime Environment 6u22 with JavaFX License Agreement after reading it, and click Continue >>. The page will refresh.
Under the Windows Offline Installation title, click on the link which says jre-6u22-windows-i586.exe and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Then, from your desktop, double click on the download to install the newest version. Reboot your computer.

--------------------

If you no longer use the Minecraft program, you may want to remove the files or folders associated with it.

Please post a new DDS log.

rustygun01
2010-12-01, 01:35
Sorry about the late response.


DDS (Ver_10-11-27.01) - NTFSx86
Run by rusty at 18:30:10.96 on Tue 11/30/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1868 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\rusty\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlusUninst_Adobe.exe" /Get1noarp
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: Upromise TurboSaver: FFToolbar@upromise - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\extensions\FFToolbar@upromise
FF - Extension: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\users\rusty\appdata\roaming\mozilla\firefox\profiles\gkru7vam.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2010-11-28 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2010-11-28 190416]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-4-1 21504]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-10-1 20328]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-9-2 33792]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-3-24 870400]
S1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2010-11-28 99792]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-11-28 340048]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-28 165584]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-28 17744]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-11-28 50768]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-28 40384]
S2 avast! Firewall;avast! Firewall;c:\program files\alwil software\avast5\afwServ.exe [2010-11-28 119200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe --> c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-28 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-28 40384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-4-1 21504]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-4-1 21504]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-30 21:00:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-30 21:00:41 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-30 20:46:18 -------- d-----w- c:\progra~2\McAfee Security Scan
2010-11-30 20:46:16 -------- d-----w- c:\program files\McAfee Security Scan
2010-11-30 07:23:44 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{b1cafd54-5696-446c-8a49-d6f11722c769}\mpengine.dll
2010-11-29 18:20:27 -------- d-----w- c:\users\rusty\appdata\roaming\Malwarebytes
2010-11-29 18:20:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 18:20:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 18:20:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-29 18:20:19 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-29 03:55:32 340048 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-11-29 03:55:31 99792 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-11-29 03:54:44 190416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-11-29 03:54:40 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-11-29 03:54:05 38848 ----a-w- c:\windows\avastSS.scr
2010-11-29 03:54:05 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2010-11-29 03:05:27 -------- d-----w- c:\users\rusty\appdata\local\temp
2010-11-29 02:57:53 -------- d-----w- C:\$RECYCLE.BIN
2010-11-26 01:49:00 14352 ----a-w- c:\windows\system32\drivers\AtiPcie.sys
2010-11-24 21:42:48 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-23 07:39:01 -------- d-----w- c:\program files\VS Revo Group
2010-11-22 17:26:44 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-22 17:23:28 -------- d-----w- C:\MGADiagToolOutput
2010-11-21 20:46:58 -------- d-----w- C:\AdobeTemp
2010-11-11 20:38:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-10 17:49:36 135568 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-10 17:49:36 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-11-08 12:46:04 -------- d-----w- c:\progra~2\Alwil Software
2010-11-07 21:13:48 15256 ----a-w- c:\users\rusty\appdata\roaming\microsoft\identitycrl\production\ppcrlconfig.dll
2010-11-06 21:40:50 -------- d-----w- c:\progra~2\Tunngle
2010-11-06 21:40:40 27136 ----a-w- c:\windows\system32\drivers\tap0901t.sys
2010-11-06 01:30:34 -------- d-----w- c:\users\rusty\.thumbnails
2010-11-02 14:41:24 -------- d-----w- c:\users\rusty\appdata\local\Minecraft_Tools_Team
2010-11-02 14:38:24 -------- d-----w- c:\users\rusty\appdata\roaming\mts

==================== Find3M ====================

2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 06:36:52 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 06:36:50 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll

============= FINISH: 18:30:48.04 ===============

Jack&Jill
2010-12-01, 03:10
Hello rustygun01 :),

I see Avast installed, but not running. Did you disable it? It is alright to have it activated now as we are done. In fact, you should keep it active always unless you are asked to disable the Antivirus when receiving help. Even so, most of the time the unprotected period would be minimal.

As you already have Avast, I suggest you to uninstall McAfee Security Scan. It must have found its way to your computer when you are updating Adobe Reader.

--------------------

For Windows Vista or Windows 7, please use right click and select Run as administrator instead of double click to run all the tools I ask you to, or they may not work properly.

Please backup your registry with ERUNT.

Remove orphaned reg entries

Open Notepad. Copy and paste the following text into it:

@echo off
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{47833539-D0C5-4125-9FA8-0819E2EAAC93}" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}" /f
del %0
Save it as OrpDel.bat on the desktop. Make sure the Save as type: is All Files (*.*).
Double click on OrpDel.bat to run it. Allow if prompted by any security software.

--------------------

Re-enable CD Emulation drivers

Double click on DeFogger.exe to run the tool.
The application window will appear.
Click the Re-enable button to re-enable your CD Emulation drivers.
Click Yes to continue.
A Finished! message will appear, then click OK.
DeFogger will now ask to reboot the machine, click OK.
Your CD Emulation drivers are now re-enabled.

If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

--------------------

Congratulations, you are All Clear to go. Glad to hear everything is good and running :). If you have any more problems, please let me know.

Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.

Go to Start > Run.... Copy and paste the following text into the white box:
ComboFix /uninstall
Click OK.
Delete the CKScanner, GMER (s6j75x23.exe) and DeFogger files on your desktop.
Delete any logs on the desktop.

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows Vista (https://www.microsoft.com/windows/downloads/windowsupdate/learn/windowsvista.mspx) to always update the latest security patches from Microsoft, or you can download from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malwares.

2. Purge System Restore, for this one time only. A recovery feature will only be useful if it is clean from malwares. See Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html) for some detail explanations.

3. Update your Antivirus program regularly, it is a must for constant protection against viruses. Please keep only one AV installed.

4. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool (http://www.malwarebytes.org/mbam.php), totally free but for real-time protection you will have to pay a small one-time fee.

5. Install WinPatrol, a great protection program (http://www.winpatrol.com/) that helps you monitor for unwanted files or applications. If you wish to use WinPatrol, please uninstall Spybot and Windows Defender. If you opt not to use it, you should choose one between Spybot and Windows Defender to keep, activate the real time protection and uninstall the other. Keeping only one prevents conflict and hogging of resources.

6. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts (http://www.mvps.org/winhelp2002/hosts.htm) for this purpose.

7. Install Web of Trust (WOT). WOT (http://www.mywot.com/) keeps you from dangerous websites with warnings and blockings.

8. Protect your computer from removable or USB drive infections with Panda USB Vaccine (http://www.pandasecurity.com/homeusers/downloads/usbvaccine/), an effective method to prevent malware from spreading.

9. Keep all your softwares updated. Visit Secunia Software Inspector (http://secunia.com/software_inspector/) to find out if any updates required.

10. If you have been a victim of malware before, Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

11. Also look up PC Safety and Security - What Do I Need? By Glaswegian (http://www.techsupportforum.com/security-center/general-computer-security/525915-pc-safety-security-what-do-i-need.html), How to prevent malware: By miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html), So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279) and Microsoft Online Safety (http://www.microsoft.com/protect/default.aspx).

Stay safe.

Jack&Jill
2010-12-05, 10:30
As your problems appear to have been resolved, this topic is now closed.

We are glad to be of help. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)