Need help (Reformat)

Status
Not open for further replies.
E

Erogath

New member
I'm really out of ideas at this point. Ran SDfix already in safe mode, it seems to have cleaned up some of it. But i know that there's more on here, phantom iexplore processes, explorer using over 110k ram. Spybot wont startup, hijackthis wont even install. Can't get them to run in safemode either, process goes up nothing happens. Renaming the .exe's doesn't work either. Any ideas?
 
Managed to installed hijackthis and run it here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:01 AM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
e:\Programs\Trend Micro\HijackThis\HijackThis.exe
E:\ProgramsMozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mypoint.uwsp.edu/mypoint/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - e:\Programs\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - e:\Programs\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MessengerUpdate - {5948A52A-BA3A-49A8-BCAF-D578502BDA9D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - e:\Programs\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - e:\Programs\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4358 bytes
 
Ran a few scans of my own in the meantime,

-Malwarebytes
-Sdfix
-Combofix
-AVG
-Adaware
-Spybot

cleaned up most everything, but i'm still having some of my google links redirected, and nothing i scan with even finds anything. here's an updated hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:40 AM, on 7/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Programs\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
E:\Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
e:\Programs\AVG\AVG8\avgrsx.exe
e:\Programs\AVG\AVG8\avgnsx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\Programs\AVG\AVG8\avgtray.exe
E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\System32\svchost.exe
E:\ProgramsMozilla Firefox\firefox.exe
E:\Programs\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mypoint.uwsp.edu/mypoint/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - e:\Programs\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] e:\Programs\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - e:\Programs\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - e:\Programs\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4645 bytes

Do NOT run 'FIXES' before helpers have analyzed the HJT log
 
Last edited by a moderator:
Here's the update of where I'm at. Pretty sure I'm mostly clean now, except my google search links are being redirected and none of the scans seems to work.

what i've tried so far:

-sdfix
-combofix
-avg
-spybot
-malwarebytes
-adaware
-housecall
 
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
laechel.gif


Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------



You should have read and followed the "Before you Post" instructions.

Seems you may have missed those instructions where you would see stuff like this.
Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.
Click to expand...
http://forums.spybot.info/showthread.php?t=282
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806
Click to expand...



1) Read and follow the directions, this includes disabling TeaTimer before you post any new logs

2) Tell me what browser you use when being redirected? Have you tried another browser?

3) Are you using a router, if so see this information, your router may be the issue?
http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html



Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
 
Both firefox and IE redirect random google links. To random sites each time, almost never the same one.

I do not believe the router is the issue, as only this one PC is affected.

here is the log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by Bigworm at 2009-07-18 04:08:07
Microsoft Windows XP Professional Service Pack 3
System drive C: has 5 GB (32%) free of 15 GB
Total RAM: 2046 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:12 AM, on 7/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
E:\Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
E:\ProgramsMozilla Firefox\firefox.exe
C:\Documents and Settings\Bigworm\Desktop\RSIT.exe
E:\Programs\Trend Micro\HijackThis\Bigworm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mypoint.uwsp.edu/mypoint/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 3752 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - E:\Programs\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-10 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-10 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2006-12-18 868352]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 1406024]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-04-27 61440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=e:\Programs\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-04-27 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskmgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE"="C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE:*:Enabled:Microsoft Office PowerPoint"
"E:\Programs\Ventrilo\Ventrilo.exe"="E:\Programs\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"E:\Programs\AVG\AVG8\avgupd.exe"="E:\Programs\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"E:\Programs\AVG\AVG8\avgnsx.exe"="E:\Programs\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Disabled:Run a DLL as an App"
"E:\Programs\SoulseekNS\slsk.exe"="E:\Programs\SoulseekNS\slsk.exe:*:Enabled:SoulSeek"
"E:\Programs\World of Warcraft\BackgroundDownloader.exe"="E:\Programs\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-07-18 04:07:22 ----D---- C:\rsit
2009-07-17 00:54:27 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-17 00:54:24 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-17 00:53:21 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-16 01:48:46 ----A---- C:\WINDOWS\system32\VB6FR.DLL
2009-07-16 01:48:46 ----A---- C:\WINDOWS\system32\PCCLPFR.DLL
2009-07-16 01:48:46 ----A---- C:\WINDOWS\system32\MSCMCFR.DLL
2009-07-16 01:48:46 ----A---- C:\WINDOWS\system32\CMDLGFR.DLL
2009-07-13 16:30:38 ----D---- C:\Documents and Settings\All Users\Application Data\ATI
2009-07-13 14:54:05 ----A---- C:\WINDOWS\system32\CF9693.exe
2009-07-12 18:42:28 ----D---- C:\WINDOWS\ie8updates
2009-07-12 18:41:49 ----HDC---- C:\WINDOWS\ie8
2009-07-11 09:47:22 ----A---- C:\WINDOWS\system32\CF7838.exe
2009-07-11 09:27:40 ----D---- C:\Documents and Settings\Bigworm\Application Data\Malwarebytes
2009-07-11 09:27:35 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-10 19:24:55 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-07-10 19:15:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-10 18:21:11 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-07-10 18:21:08 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-07-10 18:21:05 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-07-10 18:20:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-07-10 18:20:55 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-07-10 18:20:51 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-07-10 18:20:48 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-07-10 18:20:44 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-07-10 18:19:59 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-07-10 18:19:46 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-07-10 18:19:43 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-07-10 18:19:38 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-07-10 18:15:31 ----SHD---- C:\RECYCLER
2009-07-10 18:14:26 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-07-10 17:46:51 ----RASHD---- C:\cmdcons
2009-07-10 17:44:41 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-10 17:44:26 ----D---- C:\WINDOWS\ERDNT
2009-07-10 01:06:49 ----A---- C:\WINDOWS\system32\javaws.exe
2009-07-10 01:06:49 ----A---- C:\WINDOWS\system32\javaw.exe
2009-07-10 01:06:49 ----A---- C:\WINDOWS\system32\java.exe
2009-07-10 01:06:49 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-10 01:06:38 ----D---- C:\Program Files\Java
2009-07-10 01:02:25 ----SHD---- C:\Config.Msi
2009-07-09 14:52:24 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-09 04:43:59 ----D---- C:\WINDOWS\ERUNT
2009-07-09 02:11:16 ----SHD---- C:\WINDOWS\CSC
2009-07-09 01:13:58 ----D---- C:\Documents and Settings\Bigworm\Application Data\Messenger

======List of files/folders modified in the last 1 months======

2009-07-18 04:07:57 ----SD---- C:\WINDOWS\Tasks
2009-07-18 02:59:24 ----D---- C:\WINDOWS\Temp
2009-07-18 02:59:24 ----D---- C:\WINDOWS\system32
2009-07-18 01:22:36 ----D---- C:\Documents and Settings\Bigworm\Application Data\uTorrent
2009-07-17 16:48:28 ----A---- C:\WINDOWS\NeroDigital.ini
2009-07-17 16:21:08 ----D---- C:\WINDOWS\Prefetch
2009-07-17 02:59:34 ----RASH---- C:\boot.ini
2009-07-17 02:59:34 ----A---- C:\WINDOWS\win.ini
2009-07-17 02:59:34 ----A---- C:\WINDOWS\system.ini
2009-07-17 02:58:16 ----D---- C:\WINDOWS
2009-07-17 02:56:59 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-17 02:02:16 ----D---- C:\Documents and Settings\Bigworm\Application Data\.purple
2009-07-17 00:54:29 ----HD---- C:\WINDOWS\inf
2009-07-17 00:54:27 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-17 00:54:26 ----A---- C:\WINDOWS\imsins.BAK
2009-07-17 00:54:25 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-16 02:09:12 ----RD---- C:\Program Files
2009-07-16 01:45:17 ----SHD---- C:\WINDOWS\Installer
2009-07-16 01:45:17 ----SD---- C:\Documents and Settings\Bigworm\Application Data\Microsoft
2009-07-14 23:18:54 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-14 20:15:28 ----A---- C:\WINDOWS\avisplitter.INI
2009-07-13 16:30:06 ----SHD---- C:\System Volume Information
2009-07-13 16:30:06 ----D---- C:\WINDOWS\system32\Restore
2009-07-13 16:28:39 ----D---- C:\WINDOWS\WinSxS
2009-07-13 16:28:33 ----D---- C:\Program Files\ATI Technologies
2009-07-13 16:27:00 ----D---- C:\WINDOWS\system32\drivers
2009-07-12 20:50:54 ----D---- C:\WINDOWS\system32\en-us
2009-07-12 20:50:54 ----D---- C:\WINDOWS\Media
2009-07-12 20:50:54 ----D---- C:\WINDOWS\Help
2009-07-12 20:50:54 ----D---- C:\Program Files\Internet Explorer
2009-07-12 19:52:36 ----D---- C:\WINDOWS\system32\CatRoot
2009-07-10 18:26:50 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-10 18:22:22 ----D---- C:\WINDOWS\system32\wbem
2009-07-10 18:22:22 ----D---- C:\WINDOWS\AppPatch
2009-07-10 18:11:09 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-07-10 18:02:08 ----D---- C:\Program Files\Common Files
2009-07-10 15:08:16 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-07-09 14:35:39 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-07-09 02:12:03 ----D---- C:\Documents and Settings\Bigworm\Application Data\Lavasoft
2009-07-07 10:10:56 ----AC---- C:\WINDOWS\system32\MRT.exe
2009-07-02 14:41:47 ----D---- C:\Documents and Settings\Bigworm\Application Data\mIRC
2009-06-19 19:51:40 ----A---- C:\WINDOWS\system32\VB6STKIT.DLL

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.10.0; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2008-07-27 21275]
R2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
R2 Haspnt;Haspnt; \??\C:\WINDOWS\system32\drivers\Haspnt.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-01-15 293888]
R3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-06 93952]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-04-28 3565568]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-08-01 54784]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-08-01 22016]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2008-06-10 31048]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2006-03-17 392960]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 aopmx2bu;aopmx2bu; C:\WINDOWS\system32\drivers\aopmx2bu.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\Bigworm\LOCALS~1\Temp\catchme.sys []
S3 cel90xbe;cel90xbe; \??\C:\DOCUME~1\Bigworm\LOCALS~1\Temp\cel90xbe.sys []
S3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2005-07-22 26112]
S3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2005-07-22 68864]
S3 RT61;Ralink RT61 Wireless Driver; C:\WINDOWS\System32\DRIVERS\RT61.sys [2006-05-04 380928]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-04-27 602112]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-10 152984]
R2 StarWindService;StarWind iSCSI Service; E:\Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [2005-04-01 217600]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2009-04-27 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------

And here's the info.txt

info.txt logfile of random's system information tool 1.06 2009-07-18 04:07:33

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0CF63063-BD94-4A8B-9966-B6FDC3F55B38}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x5c53
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6-->"e:\Programs\Audacity\unins000.exe"
Canon MF Toolbox 4.9.1.1.mf02-->MsiExec.exe /I{132CA5D9-C745-4B0B-A3B2-8C7A6EC3EE7E}
Canon MF3200 Series-->"C:\WINDOWS\system32\CanonMF Uninstaller Information\{269DBC9C-CAFC-472d-B1F1-0D327C2FFA76}\misc\DelDrv.exe" /U:{269DBC9C-CAFC-472d-B1F1-0D327C2FFA76} /L0x0000
Catalyst Control Center - Branding-->MsiExec.exe /I{D3B1C799-CB73-42DE-BA0F-2344793A095C}
CDex extraction audio-->"E:\Programs\CDex_150\uninstall.exe"
Diablo II-->C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Fallout 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
GTK+ Runtime 2.14.7 rev a (remove only)-->E:\Programs\Common Files\GTK\2.0\uninst.exe
HASP4 Device Drivers-->C:\WINDOWS\system32\UNWISE.EXE C:\WINDOWS\system32\HDD32.LOG
HijackThis 2.0.2-->"e:\Programs\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
K-Lite Codec Pack 4.0.0 (Full)-->"E:\Programs\K-Lite Codec Pack\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Excel 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall EXCEL /dll OSETUP.DLL
Microsoft Office Excel 2007-->MsiExec.exe /X{90120000-0016-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall POWERPOINT /dll OSETUP.DLL
Microsoft Office PowerPoint 2007-->MsiExec.exe /X{90120000-0018-0000-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall WORD /dll OSETUP.DLL
Microsoft Office Word 2007-->MsiExec.exe /X{90120000-001B-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC-->e:\Programs\mIRC\uninstall.exe _?=e:\Programs\mIRC
Mozilla Firefox (3.5.1)-->E:\ProgramsMozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Nero 8 Micro 8.3.2.1-->"E:\Programs\Nero\unins000.exe"
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OmniPage SE 2.0-->MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
Pidgin-->E:\Programs\Pidgin\pidgin-uninst.exe
Presto! PageManager 7.15.11-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA52A1AC-D35D-4D25-8686-9466FE2C5CE5}\Setup.exe" -l0x9 anything
Ralink Wireless LAN Card-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAB1F336-1B7C-4057-A7BC-2922CD82A781}\setup.exe" -l0x9 -removeonly
Real Alternative 1.8.0-->"E:\Programs\Real Alternative\unins000.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
SoulSeek 157 NS 13c-->"E:\Programs\SoulseekNS\uninstall.exe"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy-->"e:\Programs\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.2-->"e:\Programs\SpywareBlaster\unins000.exe"
Starcraft-->C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
TurningPoint 2008-->MsiExec.exe /X{373C7B28-788D-4528-A4AD-86CB960AB615}
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->E:\Programs\Winrar\uninstall.exe
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe

=====HijackThis Backups=====

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-07-12]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-07-12]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file) [2009-07-13]
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing) [2009-07-13]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) [2009-07-13]

======Hosts File======

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

======System event log======

Computer Name: BIGWORM-3OW3W07
Event Code: 47113
Message: DFP failed to execute AtomBios

Record Number: 10709
Source Name: ati2mtag
Time Written: 20090127152759.000000-360
Event Type: warning
User:

Computer Name: BIGWORM-3OW3W07
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 10708
Source Name: Tcpip
Time Written: 20090127144816.000000-360
Event Type: warning
User:

Computer Name: BIGWORM-3OW3W07
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 10707
Source Name: Tcpip
Time Written: 20090126213947.000000-360
Event Type: warning
User:

Computer Name: BIGWORM-3OW3W07
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 10706
Source Name: Tcpip
Time Written: 20090126152209.000000-360
Event Type: warning
User:

Computer Name: BIGWORM-3OW3W07
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 10705
Source Name: Tcpip
Time Written: 20090126090609.000000-360
Event Type: warning
User:

=====Application event log=====

Computer Name: BIGWORM-3OW3W07
Event Code: 0
Message: Configuration section system.serviceModel.activation does not exist in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Record Number: 248
Source Name: System.ServiceModel.Install 3.0.0.0
Time Written: 20081031235841.000000-300
Event Type: warning
User:

Computer Name: BIGWORM-3OW3W07
Event Code: 0
Message: Configuration section system.runtime.serialization does not exist in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Record Number: 247
Source Name: System.ServiceModel.Install 3.0.0.0
Time Written: 20081031235841.000000-300
Event Type: warning
User:

Computer Name: BIGWORM-3OW3W07
Event Code: 0
Message: Configuration section system.serviceModel does not exist in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Record Number: 246
Source Name: System.ServiceModel.Install 3.0.0.0
Time Written: 20081031235841.000000-300
Event Type: warning
User:

Computer Name: BIGWORM-3OW3W07
Event Code: 0
Message: Could not detect IIS installation or IIS is disabled, skipping the Web Host Script Mappings component since it depends upon IIS to function properly.
If you believe this message is an error, check your IIS installation to make sure it is installed properly.

Record Number: 244
Source Name: System.ServiceModel.Install 3.0.0.0
Time Written: 20081031235841.000000-300
Event Type: warning
User:

Computer Name: BIGWORM-3OW3W07
Event Code: 1517
Message: Windows saved user BIGWORM-3OW3W07\Bigworm registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 232
Source Name: Userenv
Time Written: 20081010230203.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 67 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4302
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------
 
Information

The "Before You Post" instructions request the following items be done :-

1) Disable TeaTimer before posting your logs.
In my first post, I also requested that you do this ...
Read and follow the directions, this includes disabling TeaTimer before you post any new logs
Click to expand...

Your latest log shows :-
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Programs\Spybot - Search & Destroy\TeaTimer.exe
Click to expand...

2) Guidelines for P2P Programs

Your latest log shows :-
uTorrent
SoulSeek 157 NS 13c
Click to expand...

We don't ask these things because we like telling you what to do, there are very good reasons for it.
Malware can be difficult enough to remove at the best of times, and we need you to follow instructions closely.



----------------------------------------------------------------------------------------
Step 1

Disable Teatimer
We need to disable Teatimer as it may interfere with the cleaning.
Please do not re-enable it until I give instructions.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Click Link >>> HERE <<< Link and select "save as" and save it to your desktop
  • Double click TTWipe.bat
  • Reboot your machine for the changes to take effect.

----------------------------------------------------------------------------------------
Step 2

REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent
SoulSeek 157 NS 13c

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.

----------------------------------------------------------------------------------------
Step 3

Please Download GMER to your desktop

Download GMER and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.

----------------------------------------------------------------------------------------
Step 4

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If requested, please reboot
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
  • GMER Log
  • MalwareBytes Log
  • How are things running now ?
 
Teatimer was not running at the time of those scans, i terminated the process beforehand.

Here are the logs

GMER:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-18 14:31:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA28B16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA28AFC2

Code 8A2D10B0 ZwEnumerateKey
Code 8A2AE880 ZwFlushInstructionCache
Code 8A2AED7E IofCallDriver
Code 8A2C526E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8A2AED83
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A2C5273
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8A2AE884
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 8A2D10B4
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B85778AC 5 Bytes JMP 8A329960
? System32\Drivers\afg3ztti.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\winlogon.exe[724] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\services.exe[772] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[932] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\Ati2evxx.exe[960] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9ED1ABA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9ED1C00] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9ED1B82] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9ED272E] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9ED2604] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5531D8
Device \FileSystem\Fastfat \FatCdrom 891A11D8
Device \Driver\usbohci \Device\USBPDO-0 8A2B3980
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5C91D8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5C91D8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5C91D8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5C91D8
Device \Driver\usbehci \Device\USBPDO-1 8A29F1D8
Device \Driver\00000041 \Device\00000045 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5561D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5561D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A5561D8
Device \Driver\NetBT \Device\NetBt_Wins_Export 891B11D8
Device \Driver\NetBT \Device\NetbiosSmb 891B11D8
Device \Driver\usbohci \Device\USBFDO-0 8A2B3980
Device \Driver\usbehci \Device\USBFDO-1 8A29F1D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5B7E13A7-B85F-4E48-8B70-7110CABB9499} 891B11D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 891AA1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 891AA1D8
Device \Driver\Ftdisk \Device\FtControl 8A5561D8
Device \Driver\afg3ztti \Device\Scsi\afg3ztti1 8A234980
Device \Driver\nvgts \Device\Scsi\nvgts1Port2Path0Target0Lun0 8A5541D8
Device \Driver\nvgts \Device\Scsi\nvgts1Port2Path1Target1Lun0 8A5541D8
Device \Driver\nvgts \Device\Scsi\nvgts1 8A5541D8
Device \Driver\nvgts \Device\Scsi\nvgts2 8A5541D8
Device \Driver\nvgts \Device\Scsi\nvgts3 8A5541D8
Device \Driver\afg3ztti \Device\Scsi\afg3ztti1Port5Path0Target0Lun0 8A234980
Device \FileSystem\Fastfat \Fat 891A11D8
Device \FileSystem\Cdfs \Cdfs 891A01D8
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ E:\Programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [440] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [512] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [604] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [724] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [772] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [784] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\Core\smax4pnp.exe [932] 0x009F0000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [960] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [984] 0x012E0000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1012] 0x003E0000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1052] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1204] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [1272] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1288] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [1296] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1476] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1556] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1772] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1796] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [2004] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2132] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe [2344] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [2876] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruiqxbioywm.dll (*** hidden *** ) @ C:\Documents and Settings\Bigworm\Desktop\gmer.exe [3388] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\hjgruinikesklk.sys (*** hidden *** ) [SYSTEM] hjgruixtpirclf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Programs\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBA 0xF6 0x86 0x3E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE9 0xB2 0x34 0x0D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x46 0x14 0x60 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf@imagepath \systemroot\system32\drivers\hjgruinikesklk.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruinikesklk.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\modules@hjgruicmd.dll \systemroot\system32\hjgruikfjrruyx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\modules@hjgruilog.dat \systemroot\system32\hjgruikmwvriih.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\modules@hjgruiwsp.dll \systemroot\system32\hjgruiqxbioywm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruixtpirclf\modules@hjgrui.dat \systemroot\system32\hjgruilfywpein.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Programs\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7C 0x60 0x87 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE9 0xB2 0x34 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0C 0x96 0xE6 0x1C ...
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf@imagepath \systemroot\system32\drivers\hjgruinikesklk.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\main
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\modules
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruinikesklk.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\modules@hjgruicmd.dll \systemroot\system32\hjgruikfjrruyx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\modules@hjgruilog.dat \systemroot\system32\hjgruikmwvriih.dat
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\modules@hjgruiwsp.dll \systemroot\system32\hjgruiqxbioywm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruixtpirclf\modules@hjgrui.dat \systemroot\system32\hjgruilfywpein.dat
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Programs\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7C 0x60 0x87 0xA7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE9 0xB2 0x34 0x0D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0C 0x96 0xE6 0x1C ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Bigworm\Local Settings\Temp\hjgrui000 0 bytes
File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes
File C:\WINDOWS\system32\drivers\hjgruinikesklk.sys 67584 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\hjgruikfjrruyx.dll 42496 bytes executable
File C:\WINDOWS\system32\hjgruikmwvriih.dat 149372 bytes
File C:\WINDOWS\system32\hjgruilfywpein.dat 91 bytes
File C:\WINDOWS\system32\hjgruiqxbioywm.dll 17408 bytes
File C:\WINDOWS\Temp\hjgruijrxiqrxnce.tmp 91 bytes
File C:\WINDOWS\Temp\hjgruiphxtexonym.tmp 18944 bytes executable
File C:\WINDOWS\Temp\hjgruiqbunxccjpp.tmp 93 bytes
File C:\WINDOWS\Temp\hjgruisvkbccbfbd.tmp 17408 bytes

---- EOF - GMER 1.0.15 ----



And here is the MBM log:

Malwarebytes' Anti-Malware 1.39
Database version: 2461
Windows 5.1.2600 Service Pack 3

7/18/2009 2:42:53 PM
mbam-log-2009-07-18 (14-42-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 113649
Time elapsed: 9 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Download and Run ComboFix (by sUBs)

Please download Commbofix from HERE

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix..


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
For a full tutorial on using Combofix, please see this topic
Bleeping Computer ComboFix Tutorial
Click to expand...
 
ComboFix 09-07-14.08 - Bigworm 07/18/2009 23:29.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1686 [GMT -5:00]
Running from: c:\documents and settings\Bigworm\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hjgruinikesklk.sys
c:\windows\system32\hjgruikfjrruyx.dll
c:\windows\system32\hjgruikmwvriih.dat
c:\windows\system32\hjgruilfywpein.dat
c:\windows\system32\hjgruiqxbioywm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruixtpirclf
-------\Service_hjgruixtpirclf


((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-18 09:17 . 2009-07-18 09:17 -------- d-sh--w- c:\documents and settings\Bigworm\IECompatCache
2009-07-18 07:56 . 2009-07-18 07:56 -------- d-sh--w- c:\documents and settings\Bigworm\PrivacIE
2009-07-17 05:53 . 2009-07-17 05:53 2141 ----a-w- c:\documents and settings\Bigworm\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-07-17 05:53 . 2009-07-17 05:53 2095 ----a-w- c:\documents and settings\Bigworm\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-07-16 06:48 . 2009-06-20 00:51 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
2009-07-16 06:48 . 2009-06-20 00:51 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-07-16 06:48 . 2009-06-20 00:51 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-07-16 06:48 . 2009-06-20 00:51 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-07-13 21:30 . 2009-07-13 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-07-13 02:16 . 2009-07-13 02:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-13 01:52 . 2009-07-13 01:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-13 01:51 . 2009-07-13 01:51 -------- d-sh--w- c:\documents and settings\Bigworm\IETldCache
2009-07-12 23:42 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-12 23:42 . 2009-07-12 23:42 -------- d-----w- c:\windows\ie8updates
2009-07-12 23:42 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-12 23:42 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-12 23:41 . 2009-07-12 23:41 -------- dc-h--w- c:\windows\ie8
2009-07-10 23:15 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-10 23:15 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-10 23:15 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-10 23:15 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-10 23:15 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-10 23:15 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-10 23:15 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-10 23:15 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-10 23:15 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-10 23:14 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-10 23:14 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-10 19:36 . 2008-12-20 17:39 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-10 06:06 . 2009-07-10 06:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-10 06:06 . 2009-07-10 06:06 -------- d-----w- c:\program files\Java
2009-07-09 09:56 . 2009-07-09 09:56 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-07-09 09:43 . 2009-07-09 09:43 -------- d-----w- c:\windows\ERUNT
2009-07-09 06:13 . 2009-07-09 06:50 -------- d-----w- c:\documents and settings\Bigworm\Application Data\Messenger
2009-07-02 07:37 . 2009-07-02 07:37 1089 ----a-w- c:\documents and settings\Bigworm\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2009-06-29 21:24 . 2009-06-29 21:24 2145 ----a-w- c:\documents and settings\Bigworm\Application Data\.purple\certificates\x509\tls_peers\ows.messenger.msn.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 19:10 . 2008-07-28 12:15 -------- d-----w- c:\documents and settings\Bigworm\Application Data\uTorrent
2009-07-18 10:12 . 2008-07-29 18:30 -------- d-----w- c:\documents and settings\Bigworm\Application Data\.purple
2009-07-13 21:28 . 2008-07-28 07:45 -------- d-----w- c:\program files\ATI Technologies
2009-07-09 19:35 . 2008-11-26 23:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 19:41 . 2009-04-30 16:39 -------- d-----w- c:\documents and settings\Bigworm\Application Data\mIRC
2009-06-20 00:51 . 1998-08-04 23:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2001-08-23 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-28 05:26 . 2008-11-26 23:40 -------- d-----w- c:\documents and settings\Bigworm\Application Data\Ventrilo
2009-05-13 05:15 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2001-08-23 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 04:23 . 2008-12-19 07:54 72319 ----a-w- c:\windows\War3Unin.dat
2009-05-06 03:46 . 2009-05-06 03:45 30433 ----a-w- c:\windows\scunin.dat
2009-05-06 03:46 . 2009-05-06 03:45 967 ----a-w- c:\windows\ScUnin.pif
2009-05-06 03:46 . 2009-05-06 03:45 70656 ----a-w- c:\windows\ScUnin.exe
2009-05-04 19:30 . 2008-07-28 07:37 29872 ----a-w- c:\documents and settings\Bigworm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-28 06:13 . 2004-08-04 05:29 3565568 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-04-28 05:12 . 2008-07-04 02:25 11845632 ----a-w- c:\windows\system32\atioglxx.dll
2009-04-28 04:41 . 2008-07-04 03:25 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-04-28 04:40 . 2004-08-04 07:56 325120 ----a-w- c:\windows\system32\ati2dvag.dll
2009-04-28 04:32 . 2008-07-04 03:06 290816 ----a-w- c:\windows\system32\atiok3x2.dll
2009-04-28 04:32 . 2008-07-04 03:14 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2009-04-28 04:31 . 2008-07-04 03:14 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-04-28 04:31 . 2008-07-04 03:14 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-04-28 04:31 . 2008-07-04 03:13 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-04-28 04:31 . 2008-07-04 03:13 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-04-28 04:30 . 2008-07-04 03:12 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-04-28 04:28 . 2008-07-04 03:10 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-04-28 04:21 . 2004-08-04 07:56 3818272 ----a-w- c:\windows\system32\ati3duag.dll
2009-04-28 04:08 . 2004-08-04 07:56 2670720 ----a-w- c:\windows\system32\ativvaxx.dll
2009-04-28 03:58 . 2008-07-04 02:55 307200 ----a-w- c:\windows\system32\atiiiexx.dll
2009-04-28 03:55 . 2008-07-04 02:34 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2009-04-28 03:51 . 2008-07-04 02:30 475136 ----a-w- c:\windows\system32\atikvmag.dll
2009-04-28 03:50 . 2008-07-04 02:29 126976 ----a-w- c:\windows\system32\atiadlxx.dll
2009-04-28 03:49 . 2008-07-04 02:28 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-04-28 03:49 . 2008-07-04 02:28 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-04-28 03:44 . 2004-08-04 07:56 626688 ----a-w- c:\windows\system32\ati2cqag.dll
2009-04-28 02:20 . 2008-07-28 07:45 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-04-28 01:58 . 2009-02-25 20:32 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-04-28 01:58 . 2009-02-25 20:32 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-04-28 01:56 . 2009-02-25 20:30 3227648 ----a-w- c:\windows\system32\aticaldd.dll
2009-04-23 21:29 . 2008-06-10 21:50 189051 ----a-w- c:\windows\system32\atiicdxx.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\POWERPNT.EXE"=
"e:\\Programs\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Programs\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 cel90xbe;cel90xbe;\??\c:\docume~1\Bigworm\LOCALS~1\Temp\cel90xbe.sys --> c:\docume~1\Bigworm\LOCALS~1\Temp\cel90xbe.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = https://mypoint.uwsp.edu/mypoint/default.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bigworm\Application Data\Mozilla\Firefox\Profiles\dlmqnbjp.default\
FF - plugin: e:\programs\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: e:\programs\Real Alternative\browser\plugins\nppl3260.dll
FF - plugin: e:\programs\Real Alternative\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
e:\programsmozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
e:\programsmozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
e:\programsmozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
e:\programsmozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
e:\programsmozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
e:\programsmozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
e:\programsmozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
e:\programsmozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
e:\programsmozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
e:\programsmozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
e:\programsmozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
e:\programsmozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
e:\programsmozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
e:\programsmozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
e:\programsmozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
e:\programsmozilla firefox\greprefs\all.js - pref("geo.enabled", true);
e:\programsmozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
e:\programsmozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
e:\programsmozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
e:\programsmozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 23:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
e:\programs\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-07-19 23:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-19 04:36

Pre-Run: 6,124,691,456 bytes free
Post-Run: 6,007,992,320 bytes free

220 --- E O F --- 2009-07-17 05:54
 
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
  • Kaspersky log
  • How are things running now ?
 
I forgot to mention when i ran the combofix it initially gave an error "could not find c:\program" not sure if that's relevant
 
here's the kaspersky scan log:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, July 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 19, 2009 08:06:24
Records in database: 2493493
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 41014
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:33:02


File name / Threat name / Threats count
E:\Programs\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

The selected area was scanned.


-------------------------------------------
made it ok through the scan, but crashes twice after combofix, when trying to run firefox
 
reinstalled firefox just incase something was broken, seems to have fixed the problem. Also haven't had a google redirect yet, might be solid with that too.
 
Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    Folder::
c:\documents and settings\Bigworm\Application Data\uTorrent
Driver::
cel90xbe

ADS::
  • Save this as CFScript.txt and place it on your desktop.


    CFScriptb.gif


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
 
why am i running a custom combofix script for utorrent? This is not the source of my problems.

btw google links are working fine BUT, after running combofix my PC crashes pretty regularly now, no blue screen no errors, nothing posted in the event log.

Seems anytime i do anything remotely CPU intensive it just gives me a solid beep and locks up.
 
all scans are coming up clean, but I'm still crashing regularly here. Did combofix break windows? Is this even salvageable or should I consider reinstalling windows at this point? sorry for the multiple frequent posts, not sure how long I'll stay booted
 
Erogath said:
1) why am i running a custom combofix script for utorrent?
2)This is not the source of my problems.
3) Seems anytime i do anything remotely CPU intensive it just gives me a solid beep and locks up.
4) Did combofix break windows?
5) Is this even salvageable or should I consider reinstalling windows at this point?
Click to expand...

1) Because the forum rules, which you have been asked to read several times now, insist that ALL P2P programs are removed.
2) How do you know ?
3) That sounds like a hardware issue
4) No
5) Given all the different scans you ran before I started assisting you, I have no idea what is causing the crashing.
If you are able to format and reinstall, then it is always the best way to guarantee a clean machine.
 
1) Because I only use utorrent for legit downloads from secure places such as blizzard updates, their background downloader eats too much bandwidth
2) I wasn't having any hardware issues before, why now? Not to mention there are no windows errors, blue screens, or event logs generated
3) I planned on installing a TB drive anyway, so I'm going to just reinstall a fresh copy of windows.
 
Status
Not open for further replies.
Back
Top