
Thread: can't update spybot, malwarebytes

  1. #1
    Junior Member (Join Date: Feb 2010, Posts: 5)

    I can't update spybot, malwarebytes or access safer networking site.

    This issue cropped up post removing a fake antivirus program. Initially this was done using a combination of rkill, spybot and pandascan.

    I ran these programs today,
    Pandascan - clean
    Spybot after directly downloading the latest defs - clean
    Kaspersky - was also blocked from updating this program but manually downloaded the latest version - also came up clean

    Any advice or help would be greatly appreciated.

    Hijackthis logfile
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:12:13 AM, on 2/27/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Opera\opera.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pandasecurity.com/activescan/index/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.11\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: forteManager.lnk = ?
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O15 - Trusted Zone: http://*.buy-security-essentials.com
    O15 - Trusted Zone: http://*.download-soft-package.com
    O15 - Trusted Zone: http://*.download-software-package.com
    O15 - Trusted Zone: http://*.get-key-se10.com
    O15 - Trusted Zone: *.intuit.com
    O15 - Trusted Zone: http://*.is-software-download.com
    O15 - Trusted Zone: http://onecare.live.com
    O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
    O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase1140.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC8C887D-B6E4-4792-B032-D79E476190B1}: NameServer = 93.188.163.219,93.188.161.25
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
    O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
    O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)

    --
    End of file - 6133 bytes

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/02/27 10:29
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------

    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)
    Last edited by tashi; 2010-02-27 at 20:45. Reason: Merged two posts, please read forum FAQ, link provided. ;-)
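The two entry families in the HijackThis log above that account for the symptom (rogue-AV domains placed in the Internet Explorer Trusted Zone, and an O17 NameServer override pointing at public resolvers, which is what typically blocks updates to security vendors) can be checked mechanically. This is an added example, not part of the original post or of HijackThis itself; the sample lines are constructed from the log above, and the allowlist of domains treated as deliberately trusted is an assumption made for the example.

```python
"""Audit a HijackThis log for two signs of a rogue-AV / DNS-hijack infection:
O15 Trusted Zone entries for unknown domains and O17 NameServer overrides
that point at resolvers nobody configured on purpose."""
import re
from ipaddress import ip_address

# Constructed sample: a handful of lines of the kinds shown in the log above.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O15 - Trusted Zone: http://*.buy-security-essentials.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC8C887D-B6E4-4792-B032-D79E476190B1}: NameServer = 93.188.163.219,93.188.161.25
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption for this example: domains the owner is known to have trusted on purpose.
TRUSTED_FOR_EXAMPLE = frozenset({"intuit.com", "onecare.live.com"})

# HJT prints O15 entries from HKCU without a suffix and HKLM entries with "(HKLM)".
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<pattern>\S+)(?: \((?P<hive>\w+)\))?\s*$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,]+)\s*$")


def zone_domain(pattern: str) -> str:
    """Reduce a Trusted Zone pattern such as 'http://*.example.com' to 'example.com'."""
    host = re.sub(r"^[a-z]+://", "", pattern.strip(), flags=re.IGNORECASE)
    return host.lstrip("*.").lower()


def is_allowed(domain: str, trusted) -> bool:
    """Suffix match: 'sub.example.com' is covered by an allowlisted 'example.com'."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def audit_hjt(text: str, trusted_domains=frozenset(), expected_dns=frozenset()) -> list:
    """Return a list of findings; each is a dict with a 'type' of 'O15' or 'O17'."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = O15_RE.match(line)
        if m:
            domain = zone_domain(m.group("pattern"))
            if not is_allowed(domain, trusted_domains):
                findings.append({"type": "O15", "line": lineno, "domain": domain,
                                 "hive": m.group("hive") or "HKCU"})
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                server = server.strip()
                try:
                    addr = ip_address(server)
                except ValueError:
                    continue
                # A LAN router (RFC 1918) or a resolver the operator expects is fine;
                # a public address that nobody configured is the hijack signature.
                if addr.is_private or server in expected_dns:
                    continue
                findings.append({"type": "O17", "line": lineno, "server": server,
                                 "key": m.group("key")})
    return findings


if __name__ == "__main__":
    for f in audit_hjt(SAMPLE_HJT, TRUSTED_FOR_EXAMPLE):
        print(f)
```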

  2. #2
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Manchester UK, Posts: 3,425)

    Please note that all instructions given are customised for this computer only,
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly

    Some of the logs I request will be quite large, You may need to split them over a couple of replies.

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe

    ----------------------------------------------------------------------------------------



    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.
      ( They can also be found in the C:\RSIT folder )



    GMER Rootkit Detector

    Please download GMER Rootkit Scanner from Here or Here

    ***Please close any open programs ***
    • Extract the contents of the zip file to your desktop.
    • Disable your onboard Anti Virus and any other Active protection programs you have installed.
    • Double-click gmer.exe. The program will begin to run.

      Note:- If GMER doesn't run, please Reboot and then rename gmer.exe to Look.exe and try again


    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO,
    • Now use the following settings for a more complete scan..


    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once the scan is complete, you may receive another notice about rootkit activity. If you receive it, click OK.
    • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.



    DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

    Please post the results from the GMER scan in your reply.


    ----------------------------------------------------------------------------------------
    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    Some of the logs I request will be quite large, You may need to split them over a couple of replies.
    • RSIT Logs
    • GMER Log
    Microsoft MVP Consumer Security 2009 -2010
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #3
    Junior Member (Join Date: Feb 2010, Posts: 5)

    Thanks for the help,

    info.txt logfile of random's system information tool 1.06 2010-03-03 20:02:48

    ======Uninstall list======

    Company of Heroes - FAKEMSI-->MsiExec.exe /I{97E5205F-EA4F-438F-B211-F1846419F1C1}
    Company of Heroes - FAKEMSI-->MsiExec.exe /I{99A7722D-9ACB-43F3-A222-ABC7133F159E}
    Company of Heroes - FAKEMSI-->MsiExec.exe /I{BA801B94-C28D-46EE-B806-E1E021A3D519}
    Company of Heroes - FAKEMSI-->MsiExec.exe /I{D4D244D1-05E0-4D24-86A2-B2433C435671}
    Company of Heroes - FAKEMSI-->MsiExec.exe /I{EAF636A9-F664-4703-A659-85A894DA264F}
    Company of Heroes-->"O:\Program Files\THQ\Company of Heroes\Uninstall_English.exe"
    Counter-Strike: Source-->"O:\Program Files\Steam\steam.exe" steam://uninstall/240
    Day of Defeat: Source-->"O:\Program Files\Steam\steam.exe" steam://uninstall/300
    Deus Ex - Invisible War-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{47BE1E5F-8978-484B-BE86-B616C00EA75A}\Setup.exe" -l0x9
    Deus Ex-->o:\DeusEx\System\Setup.exe uninstall "Deus Ex"
    Diablo II-->C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
    Diablo-->C:\WINDOWS\DiabUnin.exe C:\WINDOWS\DiabUnin.dat
    Dragon Age: Origins-->C:\Program Files\Common Files\BioWare\Uninstall Dragon Age.exe
    DriverCD-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\GIGABYTE\DriverCD\Uninst.isu"
    Elven Legacy: patch 1.0.9.2-->"o:\Program Files\Paradox Interactive\Elven Legacy\unins000.exe"
    ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
    Europa Universalis III-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59C80C5E-8C92-40FF-B910-2BB5C7281F61}\Setup.exe" -l0x9
    FallenEarth-->MsiExec.exe /X{82448C0D-FB2A-4E10-9F2C-F404F067A85B}
    Fallout-->C:\WINDOWS\ipuninst.exe -fO:\Program Files\Interplay\Fallout\uninst.log
    Fallout2-->C:\WINDOWS\ipuninst.exe -fO:\Program Files\BlackIsle\Fallout2\uninst.log
    FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
    forteManager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DA6FAB8D-E87A-4E8E-A3D3-B7B9F479C725}\setup.exe" -l0x9 -removeonly
    Half-Life 2: Episode One-->"O:\Program Files\Steam\steam.exe" steam://uninstall/380
    Half-Life 2: Episode Two-->"O:\Program Files\Steam\steam.exe" steam://uninstall/420
    Half-Life 2: Lost Coast-->"O:\Program Files\Steam\steam.exe" steam://uninstall/340
    Half-Life 2-->"O:\Program Files\Steam\steam.exe" steam://uninstall/220
    Handbrake 0.9.4-->C:\Program Files\Handbrake\uninst.exe
    Heroes of Might & Magic V: Hammers of Fate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4272516D-0E81-48EF-AB66-7F6E28B4A615}\setup.exe" -l0x9
    Heroes of Might and Magic V - Tribes of the East-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66FF4C48-0083-4E60-8556-B883AB200092}\setup.exe" -l0x9
    Heroes of Might and Magic V-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28101984-0BA6-40FD-9ABE-72F62F80C06C}\setup.exe" -l0x9
    High Definition Audio Driver Package - KB888111-->C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
    HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
    Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
    Imperium Galactica 2-->C:\WINDOWS\IsUninst.exe -fo:\Uninst.isu
    In Nomine 3.1-->"O:\Program Files\Paradox Interactive\Europa Universalis III\unins000.exe"
    Jade Empire-->C:\WINDOWS\Uninstall Jade Empire.exe
    Jagged Alliance 2 Gold - 1.12-->C:\PROGRA~1\STRATE~1\JAGGED~1\UNWISE.EXE C:\PROGRA~1\STRATE~1\JAGGED~1\INSTALL.LOG
    Jagged Alliance 2 Unfinished Business-->C:\PROGRA~1\STRATE~1\JAGGED~2\UNWISE.EXE C:\PROGRA~1\STRATE~1\JAGGED~2\INSTALL.LOG
    Jagged Alliance 2-->"c:\Program Files\Strategy First\Jagged Alliance 2\unins000.exe"
    Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
    Kaspersky Anti-Virus 2010-->MsiExec.exe /I{943B6738-4801-4982-90EC-0442EF7AEB16}
    Kaspersky Anti-Virus 2010-->MsiExec.exe /I{943B6738-4801-4982-90EC-0442EF7AEB16}
    King's Bounty - The Legend-->"O:\Program Files\Steam\steam.exe" steam://uninstall/25900
    King's Bounty: Armored Princess-->"O:\Program Files\Steam\steam.exe" steam://uninstall/3170
    K-Lite Mega Codec Pack 5.5.1-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
    LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
    LightScribe System Software-->MsiExec.exe /X{10CCF16B-F1C9-4B24-9570-B4CCEE42392D}
    LizardTech DjVu Control-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{105CFC7C-6992-11D5-BD9D-000102C10FD8}\Setup.exe" -l0x9
    Malwarebytes' Anti-Malware-->"C:\Program Files\mb-Anti-Malware\unins000.exe"
    Max Payne 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFE1AB94-5466-4B6E-BE31-FF4C115FD25D}\Setup.exe" -l0x9
    Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
    Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
    Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
    Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
    Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
    Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411-->MsiExec.exe /X{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}
    Mount and Blade-->"O:\Program Files\Steam\steam.exe" steam://uninstall/22100
    Mozilla Firefox (3.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    Neverwinter Nights 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F20C1251-1D0A-4944-B2AE-678581B33B19}\SETUP.exe" -l0x9 -removeonly
    Nexus: The Jupiter Incident-->MsiExec.exe /I{2DD0D38E-EBAD-4DB4-B1EF-FE095E30754C}
    NHL Eastside Hockey Manager 2007-->MsiExec.exe /X{9DE4E17F-0C99-4A57-8F7D-5B69CC95D7A9}
    NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
    NVIDIA ForceWare Network Access Manager-->"C:\Program Files\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe" -runfromtemp -l0x0409 -removeonly
    NVIDIA ForceWare Network Access Manager-->MsiExec.exe /I{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}
    NVIDIA PhysX-->MsiExec.exe /X{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}
    OpenAL-->"C:\Program Files\OpenAL\oalinst.exe" /U
    OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
    Opera 10.10-->MsiExec.exe /X{690BE098-6D0D-493D-B079-BD7E8F81A141}
    Painkiller Pack-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B943BACA-E1F7-4E6B-8D79-7FB439542727}\Setup.exe" -l0x9 -removeonly
    Paint.NET v3.35-->MsiExec.exe /X{20AC583C-A6FB-410A-807D-25308225C201}
    Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
    Peggle Extreme-->"O:\Program Files\Steam\steam.exe" steam://uninstall/3483
    Portal-->"O:\Program Files\Steam\steam.exe" steam://uninstall/400
    QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
    Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
    Realtek High Definition Audio Driver-->RtlUpd.exe -r -m -nrg2709
    RivaTuner v2.11-->"C:\Program Files\RivaTuner v2.11\uninstall.exe"
    S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0006]-->"O:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\unins000.exe"
    Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
    Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
    Silent Hunter Wolves of the Pacific-->C:\Program Files\InstallShield Installation Information\{0D005F09-A5F4-473B-A901-5735C6AF5628}\Setup.exe -runfromtemp -l0x0009 -removeonly
    Space Empires V-->"O:\Program Files\Strategy First\Malfador Machinations\Space Empires V\unins000.exe"
    Spybot - Search & Destroy-->"C:\Program Files\Spybot-Search_Destroy\unins000.exe"
    Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
    SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    Team Fortress 2-->"O:\Program Files\Steam\steam.exe" steam://uninstall/440
    The Witcher-->"C:\Program Files\InstallShield Installation Information\{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}\setup.exe" -runfromtemp -l0x0009 -removeonly
    TheWarlords-->C:\Program Files\InstallShield Installation Information\{BF316153-6B37-4B59-99BB-2EE1DDE60CC8}\setup.exe -runfromtemp -l0x0009 -removeonly
    Torchlight-->"O:\Program Files\Steam\steam.exe" steam://uninstall/41500
    Trillian-->o:\Program Files\Trillian\trillian.exe /uninstall
    TurboTax 2008 WinPerFedFormset-->MsiExec.exe /I{7570F1CA-016D-46AC-B586-CD74645EFB52}
    TurboTax 2008 WinPerProgramHelp-->MsiExec.exe /I{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}
    TurboTax 2008 WinPerReleaseEngine-->MsiExec.exe /I{88214092-836F-4E22-A5AC-569AC9EE6A0F}
    TurboTax 2008 WinPerTaxSupport-->MsiExec.exe /I{B23726CF-68BF-41A6-A4EB-72F12F87FE05}
    TurboTax 2008 WinPerUserEducation-->MsiExec.exe /I{29521505-F489-4822-ADFA-32C6DEE4F114}
    TurboTax 2008 wrapper-->MsiExec.exe /I{B1DB1AD8-C07E-4052-81A1-D2930232BA70}
    TurboTax 2008-->C:\Program Files\TurboTax\Premier 2008\Installer\TurboTax 2008 Installer.exe /u /t /a
    UFO Extraterrestrials-->"C:\WINDOWS\UFO Extraterrestrials\uninstall.exe" "/U:o:\Tri Synergy\UFO Extraterrestrials\Uninstall\uninstall.xml"
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
    Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
    Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
    Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
    Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
    Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
    Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
    Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
    Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
    Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
    Vendetta Online-->"o:\Program Files\Vendetta Online\unins000.exe"
    VZAccess Manager-->C:\PROGRA~1\VERIZO~1\VZACCE~1\UNWISE.EXE C:\PROGRA~1\VERIZO~1\VZACCE~1\INSTALL.LOG
    Winamp-->"o:\Winamp\UninstWA.exe"
    Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
    Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
    Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
    Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
    Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
    Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
    WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
    WinUndelete-->C:\PROGRA~1\WINUND~1\UNWISE.EXE C:\PROGRA~1\WINUND~1\INSTALL.LOG
    WinZip 14.0-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240BB}
    Xbox 360 Controller for Windows-->"C:\WINDOWS\$NtUninstall_Xbox_360_CC_Driver$\spuninst\spuninst.exe"

    =====HijackThis Backups=====

    O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing) [2008-12-06]
    R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL (file missing) [2008-12-06]
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8933] command /c del "C:\WINDOWS\system32\myvlwofl.dll_old" [2008-12-06]
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8488] cmd /c del "C:\WINDOWS\system32\myvlwofl.dll_old" [2008-12-06]
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4676] cmd /c del "C:\WINDOWS\system32\myvlwofl.dll_old" [2008-12-06]
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7007] command /c del "C:\WINDOWS\system32\myvlwofl.dll_old" [2008-12-06]
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-12-06]
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2008-12-06]
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-12-06]
    O20 - AppInit_DLLs: yhkjyk.dll [2008-12-06]
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [2008-12-06]
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2008-12-06]
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2008-12-06]
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1215144974308 [2008-12-06]
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab [2008-12-06]
    O2 - BHO: (no name) - {8AA7E56C-561C-4697-A7E8-3977FE47762A} - (no file) [2009-05-19]

    ======Hosts File======

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    ======Security center information======

    AV: Kaspersky Anti-Virus (disabled)

    ======System event log======

    Computer Name: NEURALINTERFACE
    Event Code: 1003
    Message: Your computer was not able to renew its address from the network (from the
    DHCP Server) for the Network Card with network address 00241DC36264. The following
    error occurred:
    The operation was canceled by the user.
    .
    Your computer will continue to try and obtain an address on its own from
    the network address (DHCP) server.

    Record Number: 220612
    Source Name: Dhcp
    Time Written: 20100109082008.000000-480
    Event Type: warning
    User:

    Computer Name: NEURALINTERFACE
    Event Code: 34
    Message: The time service has detected that the system time needs to be
    changed by -57614 seconds. The time service will not change the system
    time by more than -54000 seconds. Verify that your time and time zone
    are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.0.100:123->207.46.232.182:123) is working properly.

    Record Number: 220607
    Source Name: W32Time
    Time Written: 20100108152500.000000-480
    Event Type: error
    User:

    Computer Name: NEURALINTERFACE
    Event Code: 4226
    Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Record Number: 220560
    Source Name: Tcpip
    Time Written: 20100106103749.000000-480
    Event Type: warning
    User:

    Computer Name: NEURALINTERFACE
    Event Code: 4226
    Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Record Number: 220514
    Source Name: Tcpip
    Time Written: 20100105132928.000000-480
    Event Type: warning
    User:

    Computer Name: NEURALINTERFACE
    Event Code: 4226
    Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Record Number: 220513
    Source Name: Tcpip
    Time Written: 20100105131129.000000-480
    Event Type: warning
    User:

    =====Application event log=====

    Computer Name: NEURALINTERFACE
    Event Code: 1005
    Message: Your Windows product has not been activated with Microsoft yet. Please use the Product Activation Wizard within 24 days.


    Record Number: 206
    Source Name: Windows Product Activation
    Time Written: 20080710174753.000000-420
    Event Type: warning
    User:

    Computer Name: NEURALINTERFACE
    Event Code: 1000
    Message: Faulting application ja2.exe, version 1.1.2.0, faulting module mss32.dll, version 3.0.0.0, fault address 0x00001c52.

    Record Number: 204
    Source Name: Application Error
    Time Written: 20080707231716.000000-420
    Event Type: error
    User:

    Computer Name: NEURALINTERFACE
    Event Code: 1000
    Message: Faulting application ja2.exe, version 1.1.2.0, faulting module mss32.dll, version 3.0.0.0, fault address 0x00001c52.

    Record Number: 202
    Source Name: Application Error
    Time Written: 20080707202009.000000-420
    Event Type: error
    User:

    Computer Name: NEURALINTERFACE
    Event Code: 1005
    Message: Your Windows product has not been activated with Microsoft yet. Please use the Product Activation Wizard within 27 days.


    Record Number: 201
    Source Name: Windows Product Activation
    Time Written: 20080707173846.000000-420
    Event Type: warning
    User:

    Computer Name: NEURALINTERFACE
    Event Code: 1517
    Message: Windows saved user NEURALINTERFACE\Roy P McCormack registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

    Record Number: 200
    Source Name: Userenv
    Time Written: 20080706232356.000000-420
    Event Type: warning
    User: NT AUTHORITY\SYSTEM

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Common Files\Autodesk Shared;C:\Program Files\backburner 2;C:\Program Files\QuickTime\QTSystem
    "windir"=%SystemRoot%
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=6
    "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
    "PROCESSOR_REVISION"=1706
    "NUMBER_OF_PROCESSORS"=2
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "FP_NO_HOST_CHECK"=NO
    "CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
    "QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

    -----------------EOF-----------------

  4. #4
    Junior Member
    Join Date
    Feb 2010
    Posts
    5

    Default

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by ... at 2010-03-03 20:02:37
    Microsoft Windows XP Home Edition Service Pack 3
    System drive C: has 23 GB (18%) free of 131 GB
    Total RAM: 3582 MB (85% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:02:46 PM, on 3/3/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Opera\opera.exe
    C:\Documents and Settings\Roy P McCormack\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Roy P McCormack.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pandasecurity.com/activescan/index/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.11\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: forteManager.lnk = ?
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O15 - Trusted Zone: http://*.buy-security-essentials.com
    O15 - Trusted Zone: http://*.download-soft-package.com
    O15 - Trusted Zone: http://*.download-software-package.com
    O15 - Trusted Zone: http://*.get-key-se10.com
    O15 - Trusted Zone: *.intuit.com
    O15 - Trusted Zone: http://*.is-software-download.com
    O15 - Trusted Zone: http://onecare.live.com
    O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
    O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase1140.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC8C887D-B6E4-4792-B032-D79E476190B1}: NameServer = 93.188.163.219,93.188.161.25
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
    O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)

    --
    End of file - 6249 bytes

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
    IEVkbdBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll [2009-10-20 68112]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E33CF602-D945-461A-83F0-819F76A199F8}]
    FilterBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll [2009-10-20 268816]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "RivaTunerStartupDaemon"=C:\Program Files\RivaTuner v2.11\RivaTuner.exe [2008-09-16 2715648]
    "RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2009-01-12 18084864]
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-09-27 86016]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-09-27 13918208]
    "ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [2004-04-17 196608]
    "ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-04-13 69632]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    O:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    C:\WINDOWS\ALCMTR.EXE [2008-06-19 57344]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2009-01-06 413696]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTuner]
    C:\Program Files\RivaTuner v2.11\RivaTuner.exe [2008-09-16 2715648]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    C:\PROGRA~1\WinZip\WZQKPICK.EXE [2009-11-18 495432]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Roy P McCormack^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
    C:\PROGRA~1\OPENOF~1.ORG\program\QUICKS~1.EXE [2008-09-12 384000]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3
    "PnkBstrB"=2
    "PnkBstrA"=2

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    forteManager.lnk - C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
    C:\WINDOWS\system32\klogon.dll [2009-10-20 219664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=323
    "NoDriveAutoRun"=67108863
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveAutoRun"=
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "HonorAutoRunSetting"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "O:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe"="O:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
    "O:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe"="O:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
    "C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
    "C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
    "O:\3dsmax7\3dsmax.exe"="O:\3dsmax7\3dsmax.exe:*:Enabled:3ds max 7"
    "C:\Program Files\backburner 2\monitor.exe"="C:\Program Files\backburner 2\monitor.exe:*:Enabled:backburner 2.3 monitor"
    "C:\Program Files\backburner 2\manager.exe"="C:\Program Files\backburner 2\manager.exe:*:Enabled:backburner 2.3 manager"
    "C:\Program Files\backburner 2\server.exe"="C:\Program Files\backburner 2\server.exe:*:Enabled:backburner 2.3 server"
    "O:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe"="O:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
    "O:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe"="O:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
    "O:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe"="O:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
    "O:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe"="O:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
    "O:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe"="O:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:*:Enabled:Battlefield 2"
    "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"="C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
    "o:\Program Files\JoWood\Painkiller Overdose\Bin\Overdose.exe"="o:\Program Files\JoWood\Painkiller Overdose\Bin\Overdose.exe:*:Enabled:Painkiller Overdose"
    "o:\Program Files\JoWood\Painkiller Overdose\Bin\OverdoseEditor.exe"="o:\Program Files\JoWood\Painkiller Overdose\Bin\OverdoseEditor.exe:*:Enabled:Painkiller Overdose Editor"
    "o:\Program Files\JoWood\Painkiller Overdose\Bin\OverdoseServer.exe"="o:\Program Files\JoWood\Painkiller Overdose\Bin\OverdoseServer.exe:*:Enabled:Painkiller Overdose Console Server"
    "O:\Program Files\Paradox Interactive\Elven Legacy\ElvenLegacy.exe"="O:\Program Files\Paradox Interactive\Elven Legacy\ElvenLegacy.exe:*:Enabled:Elven Legacy"
    "%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"
    "C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
    "C:\Program Files\Dragon Age\bin_ship\daorigins.exe"="C:\Program Files\Dragon Age\bin_ship\daorigins.exe:*:Enabled:Dragon Age Origins Game"
    "C:\Program Files\Dragon Age\DAOriginsLauncher.exe"="C:\Program Files\Dragon Age\DAOriginsLauncher.exe:*:Enabled:Dragon Age Origins Launcher"
    "C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe"="C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe:*:Enabled:Dragon Age Origins Updater"
    "O:\Program Files\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe"="O:\Program Files\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe:*:Enabled:Peggle Extreme"
    "O:\Program Files\Steam\SteamApps\common\king's bounty - the legend\kb.exe"="O:\Program Files\Steam\SteamApps\common\king's bounty - the legend\kb.exe:*:Enabled:King's Bounty - The Legend"
    "O:\Program Files\Steam\SteamApps\common\king's bounty - the legend\save_fixer.exe"="O:\Program Files\Steam\SteamApps\common\king's bounty - the legend\save_fixer.exe:*:Enabled:King's Bounty - The Legend"
    "O:\Program Files\Steam\SteamApps\common\kings bounty armored princess\kb.exe"="O:\Program Files\Steam\SteamApps\common\kings bounty armored princess\kb.exe:*:Enabled:King's Bounty: Armored Princess"
    "O:\Program Files\Steam\SteamApps\common\torchlight\Torchlight.exe"="O:\Program Files\Steam\SteamApps\common\torchlight\Torchlight.exe:*:Enabled:Torchlight"
    "O:\Program Files\Steam\SteamApps\common\mount and blade\runme.exe"="O:\Program Files\Steam\SteamApps\common\mount and blade\runme.exe:*:Enabled:Mount and Blade"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\system32\drivers\svchost.exe"="%windir%\system32\drivers\svchost.exe:*:Enabled:svchost"

    ======List of files/folders created in the last 1 months======

    2010-03-03 20:02:37 ----D---- C:\rsit
    2010-03-03 19:54:33 ----D---- C:\Program Files\Spybot-Search_Destroy
    2010-03-03 19:37:04 ----D---- C:\Program Files\ERUNT
    2010-02-27 16:04:46 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-02-27 16:04:34 ----D---- C:\Program Files\SUPERAntiSpyware
    2010-02-27 16:04:34 ----D---- C:\Documents and Settings\Roy P McCormack\Application Data\SUPERAntiSpyware.com
    2010-02-27 08:33:36 ----D---- C:\Program Files\Kaspersky Lab
    2010-02-27 08:33:36 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2010-02-27 08:32:15 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-02-27 08:16:33 ----D---- C:\Program Files\mb-Anti-Malware
    2010-02-27 07:45:39 ----D---- C:\Documents and Settings\Roy P McCormack\Application Data\Malwarebytes
    2010-02-27 07:28:08 ----SHD---- C:\RECYCLER
    2010-02-27 07:23:23 ----D---- C:\Program Files\CCleaner
    2010-02-27 02:26:36 ----A---- C:\ComboFix.txt
    2010-02-27 01:49:24 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2010-02-20 13:11:59 ----D---- C:\Program Files\Mozilla Firefox
    2010-02-20 00:25:55 ----A---- C:\WINDOWS\MBR.exe
    2010-02-20 00:24:29 ----A---- C:\WINDOWS\system32\CF22472.exe
    2010-02-18 22:20:30 ----D---- C:\Documents and Settings\Roy P McCormack\Application Data\Help
    2010-02-18 18:00:03 ----D---- C:\Documents and Settings\Roy P McCormack\Application Data\Datel
    2010-02-14 11:48:36 ----A---- C:\WINDOWS\ABC_mru.ini
    2010-02-13 12:35:38 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
    2010-02-13 12:35:31 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
    2010-02-13 12:33:10 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
    2010-02-13 12:33:05 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
    2010-02-13 12:33:01 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
    2010-02-13 12:32:56 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
    2010-02-13 12:32:50 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
    2010-02-13 12:32:41 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$

    ======List of files/folders modified in the last 1 months======

    2010-03-03 20:02:44 ----D---- C:\WINDOWS\Prefetch
    2010-03-03 19:54:38 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-03 19:54:33 ----RD---- C:\Program Files
    2010-03-03 19:52:45 ----D---- C:\WINDOWS
    2010-03-03 19:37:38 ----D---- C:\WINDOWS\ERDNT
    2010-03-03 07:13:45 ----N---- C:\WINDOWS\SchedLgU.Txt
    2010-02-27 18:25:48 ----D---- C:\WINDOWS\system32
    2010-02-27 16:44:01 ----D---- C:\WINDOWS\system32\CatRoot2
    2010-02-27 16:04:43 ----SHD---- C:\WINDOWS\Installer
    2010-02-27 16:04:11 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2010-02-27 10:29:43 ----D---- C:\WINDOWS\system32\drivers
    2010-02-27 09:52:50 ----RASH---- C:\boot.ini
    2010-02-27 09:52:50 ----A---- C:\WINDOWS\win.ini
    2010-02-27 09:52:50 ----A---- C:\WINDOWS\system.ini
    2010-02-27 08:34:56 ----SHD---- C:\System Volume Information
    2010-02-27 08:34:18 ----HD---- C:\WINDOWS\inf
    2010-02-27 07:28:24 ----D---- C:\WINDOWS\Debug
    2010-02-27 07:28:23 ----D---- C:\WINDOWS\Minidump
    2010-02-27 07:18:00 ----D---- C:\WINDOWS\pss
    2010-02-27 02:21:22 ----D---- C:\WINDOWS\system32\config
    2010-02-27 02:20:21 ----D---- C:\WINDOWS\AppPatch
    2010-02-27 02:20:18 ----D---- C:\Program Files\Common Files
    2010-02-26 17:57:04 ----A---- C:\WINDOWS\CDPLAYER.INI
    2010-02-20 11:40:28 ----A---- C:\WINDOWS\system32\wpa.bak
    2010-02-20 00:39:42 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2010-02-20 00:21:05 ----A---- C:\VundoFix.txt
    2010-02-18 19:16:07 ----D---- C:\Documents and Settings
    2010-02-13 12:35:37 ----HD---- C:\WINDOWS\$hf_mig$

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 kl1;Kl1; \??\C:\WINDOWS\system32\drivers\kl1.sys []
    R1 KLIF;Kaspersky Lab Driver; C:\WINDOWS\system32\DRIVERS\klif.sys [2010-02-27 315408]
    R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
    R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
    R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
    R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2008-07-05 278984]
    R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2008-07-05 25416]
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
    R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-01-20 5027840]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINDOWS\system32\DRIVERS\klim5.sys [2009-09-14 32272]
    R3 klmouflt;Kaspersky Lab KLMOUFLT; C:\WINDOWS\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
    R3 LGDDCDevice;LGDDCDevice; \??\C:\Program Files\LG Soft India\forteManager\bin\I2CDriver.sys []
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-09-27 7655872]
    R3 RivaTuner32;RivaTuner32; \??\C:\Program Files\RivaTuner v2.11\RivaTuner32.sys []
    R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-10-30 117888]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    S3 ADIDTSFiltService;ADI DTS Filter Service; C:\WINDOWS\system32\drivers\adidts.sys []
    S3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys []
    S3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys []
    S3 APLMp50;APLMp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\APLMp50.sys [2006-11-28 28224]
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 fmfdisk;fmfdisk; \??\C:\WINDOWS\system32\fmfdisk.sys []
    S3 LGII2CDevice;LGII2CDevice; \??\C:\Program Files\LG Soft India\forteManager\bin\PII2CDriver.sys []
    S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
    S3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-08-01 54784]
    S3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-08-01 22016]
    S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2009-12-20 47360]
    S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
    S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
    S3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys []
    S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
    S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys [2007-04-09 12672]
    S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys [2007-04-09 21248]
    S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys [2007-04-09 22912]
    S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2008-07-06 68608]
    R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [2008-09-08 450560]
    R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
    R2 LicCtrlService;LicCtrl Service; C:\WINDOWS\runservice.exe [2008-07-28 2560]
    R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2009-10-16 73728]
    R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [2008-09-08 184320]
    R2 nvsvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-09-27 172100]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
    S3 AVP;Kaspersky Anti-Virus; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe [2009-10-20 340456]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater; C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
    S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
    S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
    S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe -d -f C:\Program Files\WinPcap\rpcapd.ini []
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
    S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-08-16 66872]
    S4 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2008-08-16 103736]

    -----------------EOF-----------------

  5. #5
    Junior Member
    Join Date
    Feb 2010
    Posts
    5

    Default

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-03-03 20:50:45
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\...~1\LOCALS~1\Temp\pgecqaod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB459758C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xB4597E0C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xB4598922]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xB4598E94]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xB45980EE]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xB4596436]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xB4598D6C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xB4597192]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xB4598C28]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xB459734E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xB4598FC6]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB459AC08]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xB4597AAA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xB4598CCA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xB459A5FA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xB45969FA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xB4596D88]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xB4598576]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xB459B5CA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xB4596ECA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xB4596F74]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xB4598382]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xB459A68C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xB4596412]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xB4596424]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xB459ACBC]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xB45970C0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xB4598F36]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xB4597E8E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xB45965DC]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xB4598E04]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xB4597792]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xB459AC32]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xB4599068]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xB45976B6]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xB459701E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xB4596C46]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xB459AFD4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xB4596896]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xB459A922]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xB4596B0E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xB45962B0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xB45993F2]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xB45992B8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xB459A39A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xB459DE2C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xB459B4AC]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xB4596248]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xB459865C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xB4597CC8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xB4599C4A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xB459A786]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xB459B114]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xB459671E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xB459B1F8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xB459B320]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xB459A526]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xB459790A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xB4597860]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xB459AE8A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xB45979EA]

    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP B458C4DC \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
    .text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP B458C8B6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
    .text ntkrnlpa.exe!ZwCallbackReturn + 2C8C 80504528 16 Bytes [4E, 73, 59, B4, C6, 8F, 59, ...]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045E4 12 Bytes [8C, A6, 59, B4, 12, 64, 59, ...]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2EC4 80504760 16 Bytes [0E, 6B, 59, B4, B0, 62, 59, ...]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [F8, B1, 59, B4, 20, B3, 59, ...]
    .text ntkrnlpa.exe!ZwCallbackReturn + 3018 805048B4 4 Bytes JMP E8B45979
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6E3B360, 0x3E57A5, 0xE8000020]
    .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB369B300, 0x3AE88, 0xE8000020]
    .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8428300, 0x1B7E, 0xE8000020]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [B4072820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [B4072820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

    ---- EOF - GMER 1.0.15 ----

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    I see that you used Combofix, if you still have the log please post it.

    If not, please do the following .....



    Download and Run ComboFix
    Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
    • Please visit this webpage for instructions on using ComboFix:
      http://www.bleepingcomputer.com/comb...o-use-combofix

      ComboFix.exe
      ComboFix.exe
    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.


    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ComboFix SHOULD NOT be used unless requested by a forum helper
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  7. #7
    Junior Member
    Join Date
    Feb 2010
    Posts
    5

    Thanks again... here is the Combofix log

    ComboFix 10-03-04.02 - Roy P McCormack 03/04/2010 17:55:06.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3053 [GMT -8:00]
    Running from: c:\documents and settings\...\Desktop\ComboFix.exe
    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
    .

    2010-03-04 04:02 . 2010-03-04 04:02 -------- d-----w- C:\rsit
    2010-03-04 03:54 . 2010-03-04 03:54 -------- d-----w- c:\program files\Spybot-Search_Destroy
    2010-03-04 03:37 . 2010-03-04 03:37 -------- d-----w- c:\program files\ERUNT
    2010-02-28 00:04 . 2010-02-28 00:04 52224 ----a-w- c:\documents and settings\Roy P McCormack\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-28 00:04 . 2010-02-28 00:07 117760 ----a-w- c:\documents and settings\Roy P McCormack\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-28 00:04 . 2010-02-28 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-02-28 00:04 . 2010-02-28 00:04 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-28 00:04 . 2010-02-28 00:04 -------- d-----w- c:\documents and settings\Roy P McCormack\Application Data\SUPERAntiSpyware.com
    2010-02-27 16:34 . 2010-02-27 16:34 95259 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-02-27 16:34 . 2010-02-27 16:34 108059 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-02-27 16:33 . 2010-02-28 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-02-27 16:33 . 2010-02-27 16:33 -------- d-----w- c:\program files\Kaspersky Lab
    2010-02-27 16:32 . 2010-02-27 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-02-27 16:16 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-27 16:16 . 2010-02-27 16:16 -------- d-----w- c:\program files\mb-Anti-Malware
    2010-02-27 16:16 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-27 15:45 . 2010-02-27 15:45 -------- d-----w- c:\documents and settings\Roy P McCormack\Application Data\Malwarebytes
    2010-02-27 15:23 . 2010-02-27 15:23 -------- d-----w- c:\program files\CCleaner
    2010-02-27 09:49 . 2010-02-27 16:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-20 08:24 . 2010-02-20 08:24 389120 ----a-w- c:\windows\system32\CF22472.exe
    2010-02-20 07:43 . 2010-02-20 07:43 0 ----a-w- c:\windows\Enilobifuyiw.bin
    2010-02-20 07:43 . 2010-02-20 07:43 120 ----a-w- c:\windows\Fsuqoxoz.dat
    2010-02-19 06:20 . 2010-02-19 06:20 -------- d-----w- c:\documents and settings\Roy P McCormack\Local Settings\Application Data\Help
    2010-02-19 02:00 . 2010-02-19 02:00 -------- d-----w- c:\documents and settings\Roy P McCormack\Application Data\Datel
    2010-02-16 05:29 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-05 02:00 . 2008-07-28 19:31 1505 --sha-w- c:\windows\system32\mmf.sys
    2010-03-04 08:12 . 2008-12-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-28 00:04 . 2008-10-04 19:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-02-22 10:30 . 2009-09-15 05:05 1 ----a-w- c:\documents and settings\Roy P McCormack\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-01-31 21:48 . 2010-01-31 17:11 -------- d-----w- c:\documents and settings\Roy P McCormack\Application Data\Winamp
    2010-01-23 20:02 . 2010-01-23 20:02 -------- d-----w- c:\documents and settings\Roy P McCormack\Application Data\runic games
    2010-01-20 04:45 . 2010-01-20 04:45 -------- d-----w- c:\program files\Windows Media Connect 2
    2010-01-15 22:43 . 2010-01-15 22:43 -------- d-----w- c:\program files\OpenAL
    2010-01-15 22:43 . 2008-10-04 19:07 413696 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-01-15 22:43 . 2008-10-04 19:07 110592 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-01-13 04:26 . 2010-01-13 04:25 23 ----a-w- c:\windows\popcinfot.dat
    2010-01-13 04:07 . 2010-01-13 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
    2010-01-13 02:55 . 2010-01-13 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
    2010-01-13 02:55 . 2010-01-13 02:55 -------- d-----w- c:\program files\LG Soft India
    2010-01-13 02:55 . 2008-07-04 04:46 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-01-13 02:55 . 2008-07-04 04:02 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-31 16:50 . 2001-08-23 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2001-08-23 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-21 00:33 . 2009-01-10 23:19 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2009-12-16 18:43 . 2008-07-04 03:53 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-11 18:00 . 2009-12-27 23:21 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.11\RivaTuner.exe" [2008-09-16 2715648]
    "RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2010-1-12 1687552]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Roy P McCormack^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
    path=c:\documents and settings\Roy P McCormack\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
    backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-05-11 10:06 40048 ----a-w- o:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 08:20 57344 ----a-r- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-06 08:44 413696 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTuner]
    2008-09-16 17:15 2715648 ----a-w- c:\program files\RivaTuner v2.11\RivaTuner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 11:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3 (0x3)
    "PnkBstrB"=2 (0x2)
    "PnkBstrA"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "o:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
    "o:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "o:\\3dsmax7\\3dsmax.exe"=
    "c:\\Program Files\\backburner 2\\monitor.exe"=
    "c:\\Program Files\\backburner 2\\manager.exe"=
    "c:\\Program Files\\backburner 2\\server.exe"=
    "o:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
    "o:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
    "o:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
    "o:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
    "o:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    "o:\\Program Files\\JoWood\\Painkiller Overdose\\Bin\\Overdose.exe"=
    "o:\\Program Files\\JoWood\\Painkiller Overdose\\Bin\\OverdoseEditor.exe"=
    "o:\\Program Files\\JoWood\\Painkiller Overdose\\Bin\\OverdoseServer.exe"=
    "o:\\Program Files\\Paradox Interactive\\Elven Legacy\\ElvenLegacy.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
    "c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
    "c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
    "o:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
    "o:\\Program Files\\Steam\\SteamApps\\common\\king's bounty - the legend\\kb.exe"=
    "o:\\Program Files\\Steam\\SteamApps\\common\\king's bounty - the legend\\save_fixer.exe"=
    "o:\\Program Files\\Steam\\SteamApps\\common\\kings bounty armored princess\\kb.exe"=
    "o:\\Program Files\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=
    "o:\\Program Files\\Steam\\SteamApps\\common\\mount and blade\\runme.exe"=

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/11/2008 12:53 AM 28552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [7/28/2008 11:31 AM 2560]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
    R3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [1/12/2010 6:55 PM 14336]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/27/2009 2:15 AM 25832]
    S3 fmfdisk;fmfdisk;\??\c:\windows\system32\fmfdisk.sys --> c:\windows\system32\fmfdisk.sys [?]
    S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [1/12/2010 6:55 PM 18432]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-10-16 20:49 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.pandasecurity.com/activescan/index/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    LSP: %SYSTEMROOT%\system32\nvLsp.dll
    Trusted Zone: buy-security-essentials.com
    Trusted Zone: download-soft-package.com
    Trusted Zone: download-software-package.com
    Trusted Zone: get-key-se10.com
    Trusted Zone: intuit.com
    Trusted Zone: is-software-download.com
    Trusted Zone: live.com\onecare
    Trusted Zone: buy-security-essentials.com
    Trusted Zone: get-key-se10.com
    FF - ProfilePath - c:\documents and settings\Roy P McCormack\Application Data\Mozilla\Firefox\Profiles\dwo6390p.default\
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
    FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
    FF - plugin: o:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-04 18:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-842925246-329068152-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC]
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1284)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(1340)
    c:\windows\system32\nvLsp.dll

    - - - - - - - > 'explorer.exe'(2764)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-04 18:03:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-05 02:03
    ComboFix2.txt 2010-02-27 10:26

    Pre-Run: 74,941,677,568 bytes free
    Post-Run: 74,902,253,568 bytes free

    - - End Of File - - B8B2C15FF2CFD9559202869678A387B0
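    For the ComboFix log above, a small triage script (an added example, not part of the thread and not a ComboFix feature) that pulls out the kinds of entries a helper checks first: Trusted Zone additions, a firewall exception whose file name imitates a Windows binary but sits in the wrong directory, a disabled Windows Firewall, and loose recently created files in the Windows root. The sample lines are constructed from the posted log; the expected-directory table and the empty allowlist are assumptions.

```python
"""Triage helper for ComboFix logs (added example, not ComboFix's own code)."""
import re

# Windows binaries that malware commonly impersonates, and the directory each
# really lives in on 32-bit Windows XP (assumption: C:\WINDOWS is %windir%).
SYSTEM_BINARIES = {
    "svchost.exe": r"%windir%\system32",
    "lsass.exe": r"%windir%\system32",
    "winlogon.exe": r"%windir%\system32",
}

# Trusted Zone domains a reviewer has vetted (assumption: none on this machine).
KNOWN_GOOD_ZONES = set()

TRUSTED_ZONE_RE = re.compile(r"^\s*Trusted Zone:\s*(\S+)")
FIREWALL_APP_RE = re.compile(r'^\s*"([^"]+)"=\s*$')          # "<path>"= with no value
FIREWALL_DISABLED_RE = re.compile(r'^\s*"EnableFirewall"=\s*0\b')
# "Files Created" lines: created . modified size attrs path
CREATED_FILE_RE = re.compile(
    r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d) \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+(\S{8})\s+(.+)$"
)


def is_masquerading(path):
    """True if the file name is a known system binary but the directory is not."""
    p = path.lower().replace("c:\\windows", "%windir%")
    parent, _, name = p.rpartition("\\")
    expected = SYSTEM_BINARIES.get(name)
    return expected is not None and parent != expected


def triage_combofix_log(text):
    findings = {
        "trusted_zones": [],               # zone entries not on the allowlist
        "masquerading_firewall_apps": [],  # firewall exceptions with look-alike paths
        "loose_windows_files": [],         # new files directly under c:\windows
        "firewall_disabled": False,
    }
    in_fw_apps = False
    seen_zones = set()
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            # Registry section header: only the AuthorizedApplications list matters here.
            in_fw_apps = "authorizedapplications" in stripped.lower()
            continue
        m = TRUSTED_ZONE_RE.match(line)
        if m:
            zone = m.group(1)
            if zone not in KNOWN_GOOD_ZONES and zone not in seen_zones:
                seen_zones.add(zone)
                findings["trusted_zones"].append(zone)
            continue
        if FIREWALL_DISABLED_RE.match(line):
            findings["firewall_disabled"] = True
            continue
        if in_fw_apps:
            m = FIREWALL_APP_RE.match(line)
            if m:
                path = m.group(1).replace("\\\\", "\\")  # undo registry escaping
                if is_masquerading(path):
                    findings["masquerading_firewall_apps"].append(path)
            continue
        m = CREATED_FILE_RE.match(line)
        if m:
            attrs, path = m.group(3), m.group(4).strip()
            low = path.lower()
            prefix = "c:\\windows\\"
            # A non-directory entry sitting directly in the Windows root is unusual.
            if not attrs.startswith("d") and low.startswith(prefix) and "\\" not in low[len(prefix):]:
                findings["loose_windows_files"].append(path)
    return findings


# Constructed sample, taken from the shape of the log posted above.
SAMPLE_LOG = r"""
2010-02-20 08:24 . 2010-02-20 08:24 389120 ----a-w- c:\windows\system32\CF22472.exe
2010-02-20 07:43 . 2010-02-20 07:43 0 ----a-w- c:\windows\Enilobifuyiw.bin
2010-02-20 07:43 . 2010-02-20 07:43 120 ----a-w- c:\windows\Fsuqoxoz.dat
2010-02-19 06:20 . 2010-02-19 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Help

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
Trusted Zone: intuit.com
Trusted Zone: buy-security-essentials.com
"""

if __name__ == "__main__":
    for key, value in triage_combofix_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```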

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    ----------------------------------------------------------------------------------------
    Step 1

    Malwarebytes' Anti-Malware
I notice that you have MBAM installed; please do the following:

    • Start MalwareBytes AntiMalware
      • Update Malwarebytes' Anti-Malware
      • Select the Update tab
      • Click Update
    • When the update is complete, select the Scanner tab
    • Select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    ----------------------------------------------------------------------------------------
    Step 2

    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      http://forums.spybot.info/showthread.php?p=362584#post362584
      Collect::
      c:\windows\Enilobifuyiw.bin
      c:\windows\Fsuqoxoz.dat
      Registry::
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\drivers\\svchost.exe"=
      Driver::
      fmfdisk
      DDS::
      Trusted Zone: buy-security-essentials.com
      Trusted Zone: download-soft-package.com
      Trusted Zone: download-software-package.com
      Trusted Zone: get-key-se10.com
      Trusted Zone: intuit.com
      Trusted Zone: is-software-download.com
      Trusted Zone: live.com\onecare
      Trusted Zone: buy-security-essentials.com
      Trusted Zone: get-key-se10.com
      
      ADS::
    • Save this as CFScript.txt and place it on your desktop.




    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • **Note**
      When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
      • Ensure you are connected to the internet and click OK on the message box.
    • Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    ----------------------------------------------------------------------------------------
    Step 3

    Active Scan
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Please go to this site Link >> ActiveScan << LINK
    • Click the Scan Now button
    • Follow the prompts to install the Active X if necessary
    • Go and make a cup of tea/coffee/beverage of your choice and watch some TV
    • When the scan is finished, a report will be generated
    • Next to Scan Details click the small export to notepad button and save the report to your desktop.
    • Please post the report in your reply.


    ----------------------------------------------------------------------------------------
    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
    • MalwareBytes Log
    • Combofix Log
    • Active Scan Log
    • How are things running now ?




    ---------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------
    Additional Notes



Your Java and Adobe are out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older versions of the Java and Adobe components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) from HERE
    • Scroll down to where it says "Java SE Runtime Environment (JRE)".
    • Click the "Download" button to the right.
      • Platform = Windows
      • Language = Multi Language
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.


    Update Adobe Acrobat Reader
    Adobe Reader is a large program and uses unnecessary space.
    If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

    • Please go to this link Adobe Acrobat Reader Download Link
• Click Download
• On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts


    Now close all windows, including your browser.
    Double click on the Java installation that you downloaded and follow the prompts.

    Remove Programs
    Now click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
    click on the program to highlight it, and click on remove.
• Adobe Reader 8.1.0
• Java(TM) 6 Update 7
    Now close the Control Panel.

    Reboot your machine.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY
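As an added example (not code from the thread, from ComboFix or from DDS), the Python below audits a ComboFix/DDS-style log excerpt for the two things the CFScript above removes: a Windows Firewall exception for an executable that borrows a core system binary's name but lives outside system32 (a genuine svchost.exe never lives under \drivers), and Internet Explorer Trusted Zone domains that are not on an operator-supplied allowlist. It then renders matching Registry::/DDS:: lines in the same shape as the script in the post. The log excerpt is constructed, and the allowlist (intuit.com and live.com\onecare as plausible legitimate entries; the helper's script removed all of them), SYSTEM_BINARIES and SYSTEM_DIRS are assumptions for illustration.

```python
"""Audit Windows Firewall exceptions and IE Trusted Zone entries from a
ComboFix/DDS-style log for the rogue-antivirus pattern addressed by the
CFScript above, then emit matching Registry::/DDS:: lines.

Added example; not code from the thread, ComboFix or DDS. The log excerpt
below is constructed to mirror the entries in the script."""
import ntpath
import re

FIREWALL_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\AuthorizedApplications\List")
VALUE_RE = re.compile(r'^\s*"(?P<name>[^"]+)"=(?P<data>.*)$')
TRUSTED_RE = re.compile(r"^\s*Trusted Zone:\s*(?P<domain>\S+)", re.IGNORECASE)

# Assumption: core Windows binaries that only ever live in the system
# directory; a same-named copy elsewhere (here under \drivers) is the
# classic rogue-AV masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}
SYSTEM_DIRS = {r"%windir%\system32", r"c:\windows\system32",
               r"%windir%\syswow64", r"c:\windows\syswow64"}


def unescape(reg_path: str) -> str:
    """Collapse the doubled backslashes of .reg/ComboFix output and lowercase
    (registry value names are case-insensitive)."""
    return reg_path.replace("\\\\", "\\").lower()


def audit_log(lines, trusted_allowlist=frozenset()):
    """Return (kind, item, reason) findings: suspicious firewall exceptions and
    Trusted Zone domains not on the operator's allowlist (deduplicated)."""
    findings, seen_domains, in_firewall_list = [], set(), False
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("["):  # registry key header: scope the value parser
            in_firewall_list = "authorizedapplications" in stripped.lower()
            continue
        m = VALUE_RE.match(line)
        if m and in_firewall_list:
            path = unescape(m.group("name"))
            exe, directory = ntpath.basename(path), ntpath.dirname(path)
            if exe in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
                findings.append(("firewall", path, "system binary name outside system32"))
            elif directory.endswith("\\drivers"):
                findings.append(("firewall", path, "executable under a drivers directory"))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            domain = m.group("domain").lower()
            if domain not in trusted_allowlist and domain not in seen_domains:
                seen_domains.add(domain)
                findings.append(("trusted_zone", domain, "not on allowlist"))
    return findings


def to_cfscript(findings):
    """Render findings in the Registry::/DDS:: shape used by the script above:
    a bare "value"= line under the key deletes that value, and each
    Trusted Zone line names a domain to remove."""
    fw = [item for kind, item, _ in findings if kind == "firewall"]
    tz = [item for kind, item, _ in findings if kind == "trusted_zone"]
    out = []
    if fw:
        out += ["Registry::", f"[{FIREWALL_KEY}]"]
        out += ['"%s"=' % p.replace("\\", "\\\\") for p in fw]  # re-double for .reg syntax
    if tz:
        out += ["DDS::"] + [f"Trusted Zone: {d}" for d in tz]
    return "\n".join(out)


# Constructed excerpt in ComboFix/DDS log format (not from the thread's logs).
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
"C:\\Program Files\\Opera\\opera.exe"="C:\\Program Files\\Opera\\opera.exe:*:Enabled:Opera"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
Trusted Zone: buy-security-essentials.com
Trusted Zone: get-key-se10.com
Trusted Zone: intuit.com
Trusted Zone: live.com\onecare
Trusted Zone: buy-security-essentials.com
'''.strip().splitlines()


if __name__ == "__main__":
    # Assumption for illustration: intuit.com is the user's accounting vendor
    # and live.com\onecare is Microsoft's; the helper's script removed both too.
    allow = {"intuit.com", "live.com\\onecare"}
    found = audit_log(SAMPLE_LOG, allow)
    for finding in found:
        print(finding)
    print(to_cfscript(found))
```

Run it against a real ComboFix or DDS log by replacing SAMPLE_LOG with the file's lines; the Opera and ctfmon entries are there to show that ordinary exceptions and values under other keys produce no finding, while the svchost.exe copy under \drivers is flagged by its location alone, without any signature.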

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Due to inactivity, this thread will now be closed.

    Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
