Tinybar

voolak

New member
Basically, while I browse with Firefox I get random popups, and from Spybot it seems it is something connected with "tinybar", since I can't remove it.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:57 PM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Adult.exe
O1 - Hosts: 85.14.219.81 nProtect.lineage2.com
O1 - Hosts: 85.14.219.81 l2authd.lineage2.com
O1 - Hosts: 85.14.219.81 l2testauthd.lineage2.com
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209481842781
O20 - AppInit_DLLs: efqpnc.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7122 bytes
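The HijackThis log above is what the helpers in this forum read by eye: the F2 UserInit entry, the O1 Hosts overrides, the O2 BHOs, the O4 Run keys and the O20 AppInit_DLLs / Winlogon Notify lines. As an added example (not part of this thread and not HijackThis's own code), the Python script below parses such a log and flags the entry types a reviewer checks first, using a handful of lines copied from the logs in this thread as sample input. The heuristics (extra programs after userinit.exe, any hosts override, a BHO with no readable name, a hex-named Run key that loads a DLL through rundll32, a non-empty AppInit_DLLs value, a Winlogon Notify package whose DLL is missing) are my own assumptions about what deserves a closer look; they are hints for a human, not a verdict.

```python
"""Triage heuristics for HijackThis-style log lines (added example; not HijackThis code)."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body")

# Sample input: lines copied from the HijackThis logs in this thread, with the benign
# R0 and ESET O4 entries kept so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Adult.exe
O1 - Hosts: 85.14.219.81 nProtect.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C4854EE-B927-4E42-8993-761FCC84DE9C} - (no file)
O2 - BHO: {b6290ba4-c361-3019-cfa4-7a67d6d322b7} - {7b223d6d-76a7-4afc-9103-163c4ab0926b} - C:\WINDOWS\system32\srymmm.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [5cdabd9a] rundll32.exe "C:\WINDOWS\system32\bsvqskyn.dll",b
O20 - AppInit_DLLs: srymmm.dll
O20 - Winlogon Notify: hgGabBtq - hgGabBtq.dll (file missing)
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")          # Run-key names like [5cdabd9a]
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)  # a BHO whose display name is just a CLSID
USERINIT = r"c:\windows\system32\userinit.exe"   # the only program UserInit should list


def parse_hjt(text):
    """Split a log into (code, body) entries; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entry):
    """Return a reason to look closer at this entry, or None if the rules have nothing to say.

    These rules are assumptions about what a helper checks first, not a malware verdict."""
    code, body = entry
    if code == "F2" and body.lower().startswith("reg:system.ini: userinit="):
        programs = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
        extra = [p for p in programs if p.lower() != USERINIT]
        if extra:
            return "UserInit launches extra program(s) at logon: " + ", ".join(extra)
    if code == "O1":
        return "hosts file overrides DNS: " + body[len("Hosts: "):]
    if code == "O2":
        name, _, rest = body[len("BHO: "):].partition(" - ")
        if name == "(no name)" or GUID.match(name):
            return "BHO without a readable name: " + rest
    if code == "O4":
        m = re.search(r"\[([^\]]+)\] (.*)", body)
        if m and HEX_NAME.match(m.group(1)) and "rundll32" in m.group(2).lower():
            return "Run entry with a hex name loading a DLL via rundll32: " + m.group(2)
    if code == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            return "AppInit_DLLs is loaded into every user32 process: " + body.split(":", 1)[1].strip()
        if body.startswith("Winlogon Notify:") and "(file missing)" in body:
            return "Winlogon Notify package whose DLL is missing or hidden: " + body
    return None


def triage_log(text):
    """Flagged entries in log order, as (code, body, reason) tuples."""
    results = []
    for e in parse_hjt(text):
        reason = triage(e)
        if reason:
            results.append((e.code, e.body, reason))
    return results


def suspect_dlls(text):
    """Lower-cased basenames of DLLs named by flagged entries, for cross-checking against
    the 'files created in the last month' list that a tool like RSIT produces."""
    names = set()
    for _, body, _ in triage_log(text):
        for m in re.finditer(r"(\w+\.dll)", body, re.I):
            names.add(m.group(1).lower())
    return names


if __name__ == "__main__":
    for code, body, reason in triage_log(SAMPLE_LOG):
        print(f"{code}: {reason}")
    print("DLLs to cross-check:", sorted(suspect_dlls(SAMPLE_LOG)))
```

Run against the sample, the benign R0, Adobe BHO and ESET Run entries pass silently, while the seven lines a helper would ask about are listed with a one-line reason each; the DLL set it prints (srymmm.dll, bsvqskyn.dll, hgGabBtq.dll) is the kind of list you would then look for in the dated file listing that RSIT posts later in this thread.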
 
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hi voolak and welcome to Safer Networking :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Extra note: Please be aware that, as I am still in training, all of my fixes/posts require prior checking by an Expert. So some delays may be inevitable; please be patient and I will reply again asap.

Next:

In the interim I would like to view a list of the software applications currently installed on your PC. How to provide it is as follows:

Start/Run HiJackThis and click on Open the Misc Tools section

  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.
 
Hi :)
When I press Save list, the HJT program just closes.
Not a problem, we can address this shortly.

In the meantime I have a few questions first, if I may, before we proceed:

  • You have an application installed called AdminWorks Management. Are you aware of this, and/or did you install it yourself?
  • Is this computer used for business-related activities, or just for personal use only?
 
Hi :)

I never heard of that application and this computer is for personal use.
OK, the application I mentioned, AdminWorks Management, is:
A cost effective IT management software tool for small and medium size businesses.
How old is this computer and how long have you owned it? And/or is this a second-hand computer that once belonged to a business?

Next:

  1. Please download this tool from Microsoft.
  2. Double click on MGADiag.exe to run it.
  3. Click Continue.
  4. The program will run. It takes a while to finish the diagnosis, please be patient.
  5. Once done, click on Copy.
  6. Open Notepad and paste the contents in. Save this file and post it in your next reply.
Next:

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
Please make sure that RSIT.exe is on your Desktop before running the application.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

When you have completed the above, please post back the following in the order asked for:

  • Answer to my query.
  • MGADiag results.
  • Both RSIT Logs.
 
This computer is a little over a year old and I bought it new. The computer never belonged to a business.

Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-VW3P7-YHQQ6-C7RYM
Windows Product Key Hash: ZcgwvstIxQC+DhtQDO8/GmF+gus=
Windows Product ID: 76487-OEM-2211906-00100
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {BF7D64E5-0520-465B-B18A-6FA38AA467DE}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.8.31.9
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.8.31.9
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: Microsoft
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: Registered, 1.6.21.0
Signed By: N/A, hr = 0x80096010
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->
Proxy settings:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{BF7D64E5-0520-465B-B18A-6FA38AA467DE}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-C7RYM</PKey><PID>76487-OEM-2211906-00100</PID><PIDType>2</PIDType><SID>S-1-5-21-1269103037-3874296902-2670244853</SID><SYSTEM><Manufacturer>Acer </Manufacturer><Model>Aspire M5100 </Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>R02-A1</Version><SMBIOSVersion major="2" minor="5"/><Date>20071107000000.000000+000</Date><SLPBIOS>AcerSystem ,AcerSystem </SLPBIOS></BIOS><HWID>AA71337F01842E78</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Acer Incorporated</name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.8.31.9"/><File Name="WgaLogon.dll" Version="1.8.31.9"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1C4D4:Acer Incorporated
Marker string from OEMBIOS.DAT: AcerSystem ,AcerSystem

OEM Activation 2.0 Data-->
N/A


log.txt:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Divilov at 2009-02-18 10:08:56
Microsoft Windows XP Professional Service Pack 3
System drive C: has 42 GB (57%) free of 73 GB
Total RAM: 2047 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:21 AM, on 2/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Divilov\Desktop\RSIT.exe
C:\Documents and Settings\Divilov\Desktop\Divilov.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Adult.exe
O1 - Hosts: 85.14.219.81 nProtect.lineage2.com
O1 - Hosts: 85.14.219.81 l2authd.lineage2.com
O1 - Hosts: 85.14.219.81 l2testauthd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C4854EE-B927-4E42-8993-761FCC84DE9C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {b6290ba4-c361-3019-cfa4-7a67d6d322b7} - {7b223d6d-76a7-4afc-9103-163c4ab0926b} - C:\WINDOWS\system32\srymmm.dll
O2 - BHO: (no name) - {9460EDC4-6A53-43C0-B020-B850B920E7AD} - C:\WINDOWS\system32\nnnlkJYs.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [5cdabd9a] rundll32.exe "C:\WINDOWS\system32\bsvqskyn.dll",b
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209481842781
O20 - AppInit_DLLs: srymmm.dll
O20 - Winlogon Notify: hgGabBtq - hgGabBtq.dll (file missing)
O20 - Winlogon Notify: qoMdDwUl - qoMdDwUl.dll (file missing)
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8180 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C4854EE-B927-4E42-8993-761FCC84DE9C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b223d6d-76a7-4afc-9103-163c4ab0926b}]
C:\WINDOWS\system32\srymmm.dll [2009-02-17 123392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9460EDC4-6A53-43C0-B020-B850B920E7AD}]
C:\WINDOWS\system32\nnnlkJYs.dll [2009-02-14 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\WINDOWS\system32\eDStoolbar.dll [2007-06-24 106496]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"=C:\Acer\LANScope Agent\awtray.exe [2007-05-22 1459992]
"RTHDCPL"=RTHDCPL.EXE []
"nwiz"=nwiz.exe /install []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-03-20 86960]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [2004-08-09 221184]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2008-03-01 1443072]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []
"5cdabd9a"=C:\WINDOWS\system32\bsvqskyn.dll [2009-02-18 74752]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"DAEMON Tools Pro Agent"=C:\Program Files\DAEMON Tools Pro\DTProAgent.exe [2007-09-06 136136]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe [2007-09-06 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="srymmm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
Ati2evxx.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hgGabBtq]
hgGabBtq.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMdDwUl]
qoMdDwUl.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
WgaLogon.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\nnnlkJYs
"notification packages"=
scecli
scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=91000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe"="C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe"="C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\Divilov\My Documents\Yahoo\Messenger\YahooMessenger.exe"="C:\Documents and Settings\Divilov\My Documents\Yahoo\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Documents and Settings\Divilov\My Documents\Yahoo\Messenger\YServer.exe"="C:\Documents and Settings\Divilov\My Documents\Yahoo\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\Program Files\Combat Arms\Combat Arms\CombatArms.exe"="C:\Program Files\Combat Arms\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Program Files\Combat Arms\Combat Arms\Engine.exe"="C:\Program Files\Combat Arms\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Program Files\Combat Arms\Combat Arms\NMService.exe"="C:\Program Files\Combat Arms\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\Program Files\Sega\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"="C:\Program Files\Sega\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\xrEngine.exe"="C:\Program Files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\xrEngine.exe:*:Enabled:S.T.A.L.K.E.R. - Clear Sky (CLI)"
"C:\Program Files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\dedicated\xrEngine.exe"="C:\Program Files\Deep Silver\S.T.A.L.K.E.R. - Clear Sky\bin\dedicated\xrEngine.exe:*:Enabled:S.T.A.L.K.E.R. - Clear Sky (SRV)"
"C:\Downloads\Red Faction\rf.exe"="C:\Downloads\Red Faction\rf.exe:*:Disabled:Red Faction"
"C:\Program Files\Combat Arms\CombatArms.exe"="C:\Program Files\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Program Files\Combat Arms\Engine.exe"="C:\Program Files\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Program Files\Combat Arms\NMService.exe"="C:\Program Files\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\Program Files\Outspark\Blackshot\System\BlackShot.exe"="C:\Program Files\Outspark\Blackshot\System\BlackShot.exe:*:Enabled:BlackShot"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Combat Arms\Combat Arms\CombatArms.exe"="C:\Program Files\Combat Arms\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Program Files\Combat Arms\Combat Arms\Engine.exe"="C:\Program Files\Combat Arms\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Combat Arms\CombatArms.exe"="C:\Program Files\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Program Files\Combat Arms\Engine.exe"="C:\Program Files\Combat Arms\Engine.exe:*Enabled:Engine.exe"

======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2009-02-18 10:08:56 ----D---- C:\rsit
2009-02-18 10:07:15 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2009-02-18 00:01:51 ----SH---- C:\WINDOWS\system32\nyksqvsb.ini
2009-02-18 00:01:39 ----A---- C:\WINDOWS\system32\bsvqskyn.dll
2009-02-17 23:58:41 ----A---- C:\WINDOWS\system32\srymmm.dll
2009-02-17 23:58:39 ----A---- C:\WINDOWS\system32\mwqawlhb.dll
2009-02-17 12:01:43 ----A---- C:\WINDOWS\system32\onfxaw.dll
2009-02-17 12:01:39 ----A---- C:\WINDOWS\system32\nsavdfgo.dll
2009-02-17 11:58:40 ----SH---- C:\WINDOWS\system32\fnccllap.ini
2009-02-17 00:01:42 ----SH---- C:\WINDOWS\system32\uspkqrhi.ini
2009-02-16 23:58:44 ----A---- C:\WINDOWS\system32\jxxfip.dll
2009-02-16 23:58:39 ----A---- C:\WINDOWS\system32\xfiffqoe.dll
2009-02-16 12:01:54 ----SH---- C:\WINDOWS\system32\qdvwfvgm.ini
2009-02-16 11:58:52 ----A---- C:\WINDOWS\system32\yuenmi.dll
2009-02-16 11:58:50 ----A---- C:\WINDOWS\system32\gptgevuh.dll
2009-02-16 00:01:55 ----A---- C:\WINDOWS\system32\uuyijq.dll
2009-02-16 00:01:51 ----A---- C:\WINDOWS\system32\rpgjultp.dll
2009-02-15 23:58:57 ----SH---- C:\WINDOWS\system32\ftnniuew.ini
2009-02-15 16:40:57 ----D---- C:\Program Files\ERUNT
2009-02-15 15:52:51 ----ASH---- C:\WINDOWS\system32\sYJklnnn.ini2
2009-02-15 14:05:44 ----A---- C:\WINDOWS\system32\khfFULcC.dll
2009-02-15 13:50:47 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-02-15 12:00:15 ----A---- C:\WINDOWS\system32\efqpnc.dll
2009-02-15 12:00:11 ----A---- C:\WINDOWS\system32\nfdentsu.dll
2009-02-15 00:01:01 ----A---- C:\WINDOWS\system32\xgpibs.dll
2009-02-15 00:00:56 ----A---- C:\WINDOWS\system32\ryyrqjuc.dll
2009-02-14 12:00:17 ----A---- C:\WINDOWS\system32\wfhyei.dll
2009-02-14 12:00:12 ----A---- C:\WINDOWS\system32\qobmpsce.dll
2009-02-14 11:57:12 ----ASH---- C:\WINDOWS\system32\sYJklnnn.ini
2009-02-14 11:57:01 ----A---- C:\WINDOWS\system32\nnnlkJYs.dll
2009-02-14 11:51:59 ----A---- C:\WINDOWS\system32\rqRIyYoO.dll
2009-02-14 11:40:23 ----D---- C:\Documents and Settings\Divilov\Application Data\Boomzap
2009-02-14 10:30:46 ----A---- C:\WINDOWS\system32\shdxhtgj.dll
2009-02-14 10:30:27 ----ASH---- C:\WINDOWS\system32\cLkjkUtv.ini
2009-02-14 10:25:14 ----A---- C:\WINDOWS\system32\ljJDSLff.dll
2009-02-14 09:40:56 ----D---- C:\Program Files\MSECache
2009-02-14 09:37:58 ----A---- C:\WINDOWS\system32\pdfmonnt.dll
2009-02-14 09:35:59 ----D---- C:\Documents and Settings\Divilov\Application Data\Bullzip
2009-02-13 18:50:29 ----D---- C:\Documents and Settings\Divilov\Application Data\Dark Sector
2009-02-12 20:28:38 ----D---- C:\Program Files\Spiderweb Software
2009-02-12 20:28:12 ----D---- C:\Documents and Settings\Divilov\Application Data\Downloaded Installations
2009-02-12 18:17:03 ----D---- C:\Documents and Settings\All Users\Application Data\ScreenSeven
2009-02-12 10:07:06 ----D---- C:\Program Files\OpenAL
2009-02-11 21:32:04 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-10 20:07:40 ----D---- C:\Documents and Settings\Divilov\Application Data\Crayon Physics Deluxe
2009-02-10 20:00:26 ----D---- C:\Program Files\Crayon Physics Deluxe
2009-02-10 18:41:52 ----A---- C:\WINDOWS\WININIT.INI
2009-02-08 22:14:46 ----D---- C:\Documents and Settings\All Users\Application Data\STDUConverter
2009-02-08 21:57:51 ----D---- C:\Documents and Settings\All Users\Application Data\FreePDF_XP
2009-02-08 19:19:30 ----D---- C:\Documents and Settings\Divilov\Application Data\Xfire
2009-02-08 19:19:26 ----D---- C:\Program Files\Xfire
2009-02-06 19:17:01 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2009-02-06 19:17:01 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2009-02-06 19:17:00 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2009-02-06 19:16:59 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2009-02-06 19:16:59 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2009-02-06 19:16:58 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2009-02-06 19:16:58 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2009-02-06 19:16:57 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2009-02-06 19:16:57 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2009-02-06 19:16:56 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2009-02-06 19:16:55 ----A---- C:\WINDOWS\system32\d3dx10_39.dll
2009-02-06 19:16:55 ----A---- C:\WINDOWS\system32\D3DCompiler_39.dll
2009-02-06 19:16:54 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2009-02-04 17:48:13 ----D---- C:\Documents and Settings\All Users\Application Data\Electronic Arts
2009-02-03 22:57:01 ----D---- C:\CFLog
2009-02-03 22:53:02 ----D---- C:\Program Files\G4box
2009-02-03 17:17:10 ----D---- C:\WINDOWS\system32\AGEIA
2009-02-03 17:17:10 ----D---- C:\Program Files\AGEIA Technologies
2009-02-01 12:20:30 ----HD---- C:\BJPrinter
2009-02-01 12:20:25 ----A---- C:\WINDOWS\system32\CNMVS5y.DLL
2009-02-01 12:20:25 ----A---- C:\WINDOWS\system32\CNMLM5y.DLL
2009-02-01 09:54:49 ----D---- C:\Program Files\DOSBox-0.70
2009-01-30 00:34:11 ----D---- C:\Documents and Settings\Divilov\Application Data\Eltima Software
2009-01-30 00:33:54 ----D---- C:\Program Files\Eltima Software
2009-01-29 23:53:36 ----A---- C:\WINDOWS\system32\57f979e4-.txt
2009-01-29 23:53:16 ----ASH---- C:\WINDOWS\system32\lVwaccdd.ini
2009-01-28 09:57:21 ----A---- C:\svf_info.txt
2009-01-26 13:39:36 ----A---- C:\WINDOWS\system32\zlib.dll
2009-01-22 20:17:46 ----A---- C:\WINDOWS\system32\xfcodec.dll

======List of files/folders modified in the last 1 months======

2009-02-18 10:09:13 ----D---- C:\Documents and Settings\Divilov\Application Data\uTorrent
2009-02-18 10:08:56 ----D---- C:\WINDOWS\Prefetch
2009-02-18 10:08:43 ----D---- C:\WINDOWS\temp
2009-02-18 10:07:16 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-18 10:05:10 ----D---- C:\Program Files\Mozilla Firefox
2009-02-18 09:56:51 ----D---- C:\Program Files\JDown
2009-02-18 09:55:28 ----D---- C:\Downloads
2009-02-18 09:03:00 ----AD---- C:\WINDOWS\system32\drivers
2009-02-18 09:01:06 ----A---- C:\RTHDCPL_Dump.txt
2009-02-18 09:01:02 ----D---- C:\WINDOWS
2009-02-18 09:00:12 ----AD---- C:\WINDOWS\system32
2009-02-18 08:59:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-17 20:34:49 ----D---- C:\Program Files
2009-02-17 17:18:45 ----D---- C:\Invision
2009-02-16 18:19:45 ----HD---- C:\WINDOWS\inf
2009-02-16 10:58:41 ----A---- C:\WINDOWS\matlab.ini
2009-02-15 16:41:47 ----D---- C:\WINDOWS\ERDNT
2009-02-15 14:48:51 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-15 14:41:45 ----SHD---- C:\WINDOWS\Installer
2009-02-15 14:41:45 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-02-15 14:02:59 ----SD---- C:\WINDOWS\Tasks
2009-02-14 15:08:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-14 11:48:17 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-02-13 18:21:23 ----HD---- C:\Program Files\InstallShield Installation Information
2009-02-13 08:56:27 ----AD---- C:\GUIDE
2009-02-12 10:07:06 ----A---- C:\WINDOWS\system32\wrap_oal.dll
2009-02-12 10:07:06 ----A---- C:\WINDOWS\system32\OpenAL32.dll
2009-02-11 21:32:03 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-11 21:31:59 ----A---- C:\WINDOWS\imsins.BAK
2009-02-11 21:31:26 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-02-11 21:31:19 ----D---- C:\Program Files\Internet Explorer
2009-02-10 19:40:38 ----D---- C:\WINDOWS\WinSxS
2009-02-10 19:40:38 ----D---- C:\WINDOWS\repair
2009-02-10 17:34:01 ----D---- C:\Program Files\Mozilla Thunderbird
2009-02-10 12:35:19 ----D---- C:\WINDOWS\SxsCaPendDel
2009-02-10 00:03:57 ----D---- C:\DVDVideoSoft
2009-02-09 10:49:54 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-02-09 10:47:10 ----RSD---- C:\WINDOWS\Fonts
2009-02-08 23:03:55 ----D---- C:\Program Files\Common Files
2009-02-06 21:37:19 ----D---- C:\Program Files\Trillian
2009-02-06 21:24:44 ----D---- C:\WINDOWS\Microsoft.NET
2009-02-06 21:24:35 ----RSD---- C:\WINDOWS\assembly
2009-02-06 19:17:03 ----D---- C:\WINDOWS\system32\DirectX
2009-02-06 19:09:58 ----D---- C:\WINDOWS\Help
2009-02-06 19:09:57 ----D---- C:\WINDOWS\nview
2009-02-06 19:03:34 ----D---- C:\WINDOWS\system32\XPSViewer
2009-02-06 19:03:29 ----D---- C:\WINDOWS\system32\en-US
2009-02-06 19:02:45 ----AD---- C:\i386
2009-02-06 18:57:44 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-02-03 18:21:12 ----A---- C:\WINDOWS\system32\MRT.exe
2009-02-01 09:28:23 ----D---- C:\WINDOWS\Registration
2009-02-01 09:28:18 ----D---- C:\WINDOWS\system32\NtmsData
2009-01-31 18:45:13 ----SD---- C:\Documents and Settings\Divilov\Application Data\Microsoft
2009-01-30 14:27:58 ----A---- C:\WINDOWS\OEWABLog.txt
2009-01-26 12:27:23 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-01-23 01:01:48 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2009-01-23 01:01:47 ----A---- C:\WINDOWS\system32\pbsvc.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-03-01 29704]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2008-03-01 54280]
R1 OsaFsLoc;OsaFsLoc; \??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2008-09-23 279712]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-03-01 39944]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver; \??\C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
R2 eLock2FSCTLDriver;eLock2FSCTLDriver; \??\C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2008-03-01 71176]
R2 int15;int15; \??\C:\WINDOWS\system32\drivers\int15.sys []
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2008-09-23 25888]
R2 netlimiter;netlimiter; \??\C:\WINDOWS\system32\drivers\netlimiter.sys []
R2 netlock;netlock; \??\C:\WINDOWS\system32\drivers\netlock.sys []
R2 osaio;osaio; \??\C:\WINDOWS\system32\drivers\osaio.sys []
R2 osanbm;osanbm; \??\C:\WINDOWS\system32\drivers\osanbm.sys []
R2 tvicport;tvicport; \??\C:\WINDOWS\system32\drivers\tvicport.sys []
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2008-03-01 30728]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-12-20 4637696]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2007-07-20 6144]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2007-12-06 285952]
S1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-17 33792]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys []
S3 AMDPCI;AMDPCI; \??\C:\DOCUME~1\Divilov\LOCALS~1\Temp\AMDPCI.sys []
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-06-14 2301440]
S3 au6mplro;au6mplro; C:\WINDOWS\system32\drivers\au6mplro.sys []
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 FStarForce;FStarForce; C:\WINDOWS\system32\DRIVERS\FStarForce.sys [2009-01-01 8192]
S3 npkcrypt;npkcrypt; \??\C:\Program Files\Lineage II\system\npkcrypt.sys []
S3 PnkBstrK;PnkBstrK; \??\C:\WINDOWS\system32\drivers\PnkBstrK.sys []
S3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys []
S3 psdfilter;psdfilter; \??\C:\WINDOWS\system32\Drivers\psdfilter.sys []
S3 psdvdisk;psdvdisk; \??\C:\WINDOWS\system32\Drivers\psdvdisk.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WINIO;WINIO; \??\C:\WINDOWS\system32\winio.sys []
S3 XDva072;XDva072; \??\C:\WINDOWS\system32\XDva072.sys []
S3 XDva074;XDva074; \??\C:\WINDOWS\system32\XDva074.sys []
S3 XDva123;XDva123; \??\C:\WINDOWS\system32\XDva123.sys []
S3 XDva214;XDva214; \??\C:\WINDOWS\system32\XDva214.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcerMemUsageCheckService;Memory Check Service; C:\Acer\Empowering Technology\ePerformance\MemCheck.exe [2006-09-14 28672]
R2 AWService;AdminWorks Agent X6; C:\Acer\LANScope Agent\awServ.exe [2007-04-26 75032]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-12-14 61440]
R2 LockServ;LockServ; C:\Acer\Empowering Technology\eLock\LockServ.exe [2006-06-28 520192]
R2 matlabserver;MATLAB Server; C:\MATLAB\webserver\bin\win32\matlabserver.exe [2004-08-16 536576]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-01-23 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-01-26 202032]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-06-14 479232]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl; C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2008-03-01 19200]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


info.txt:

info.txt logfile of random's system information tool 1.05 2009-02-18 10:09:23

======Uninstall list======

-->MsiExec /X{E4D15328-8C89-484B-B9AA-F5BE9EA6D01C}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD0C9330-E89A-4520-9A47-FE01366D5633}\setup.exe" xxxanything
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eAcoustics Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EC4EE3-ED7D-4DCD-86DC-29ACF0B122E9}\setup.exe" -l0x9 -removeonly
Acer eDataSecurity Management 2.0.4093-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{4AD13F68-CADA-4C6B-9759-C33753F89908} /l1033
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDStbmngr.exe UNINSTALL 1
Acer eLock Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9 -removeonly
Acer Empowering Technology-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer ePerformance Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7057702F-6D71-4F30-8000-9E72BC771887}\setup.exe" -l0x9 -removeonly
Acer eProtection-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9BB218C-2D4B-4FF4-97E2-2C7E3D1B2679}\setup.exe" -l0x9
Acer eSettings Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F2C8256-2773-46C7-9ABA-3E39C24ABB51}\setup.exe" -l0x9 -removeonly
Acer LANScope Agent-->C:\Program Files\InstallShield Installation Information\{163D5967-BA25-4D4F-9EC6-8410888C117F}\setup.exe -runfromtemp -l0x0409
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AMD Processor Driver-->C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoHotkey 1.0.47.06-->C:\Program Files\AutoHotkey\uninst.exe
Avernum 5-->MsiExec.exe /X{47273CEF-C70E-40E9-80DE-FA9BE55AD1BB}
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch-->C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch-->C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch-->C:\Program Files\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe -runfromtemp -l0x0409
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Cross Fire En-->"C:\Program Files\G4box\CrossFire\unins000.exe"
eMule-->"C:\Program Files\eMule\Uninstall.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
ESET Smart Security-->MsiExec.exe /I{6ECB944F-D027-4E8A-9906-70E77C005AD5}
Fraps (remove only)-->"C:\Program Files\Fraps\uninstall.exe"
Free YouTube to Mp3 Converter version 3.1-->"C:\Program Files\Youtube Converter\unins000.exe"
HijackThis 2.0.2-->"C:\Documents and Settings\Divilov\Desktop\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
MATLAB Family of Products Release 14-->C:\MATLAB\uninstall\uninstall.exe C:\MATLAB\
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.19)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX v8.10.17-->MsiExec.exe /X{E4D15328-8C89-484B-B9AA-F5BE9EA6D01C}
OCA Client history tool install-->"C:\WINDOWS\$UninstallOCA-X86Fre-ENU$\spuninst\spuninst.exe"
OpenAL-->"C:\Program Files\OpenAL\oalinst.exe" /U
PunkBuster Services-->C:\WINDOWS\system32\pbsvc.exe -u
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows XP (KB913433)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB913433.inf
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Sony Vegas Pro 8.0-->MsiExec.exe /X{1246FF64-3035-4A92-8FE6-A968275495EB}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SWF & FLV Player 3.0 (build 3.0.33.5106)-->"C:\Program Files\Eltima Software\SWF & FLV Player\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
The Longest Journey-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0280F0D8-1542-4DAA-913C-8529E2A3835D}\Setup.exe" -l0x9
Trillian-->C:\Program Files\Trillian\trillian.exe /uninstall
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VentriloMIX-->C:\Program Files\VentriloMIX\Uninstal.exe
VeohTV BETA-->C:\Program Files\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\setup.exe -runfromtemp -l0x0409
VobSub v2.23 (Remove Only)-->"C:\Program Files\Xvid\VobSub\uninstall.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

======Hosts File======

127.0.0.1 localhost
85.14.219.81 nProtect.lineage2.com
85.14.219.81 l2authd.lineage2.com
85.14.219.81 l2testauthd.lineage2.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com

======Security center information======

AV: ESET Smart Security 3.0
FW: ESET Personal firewall

System event log

Computer Name: ACER-AD993BA82B
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the stopped state.

Record Number: 7384
Source Name: Service Control Manager
Time Written: 20090112074050.000000-300
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 7383
Source Name: Service Control Manager
Time Written: 20090112074045.000000-300
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 7036
Message: The Application Layer Gateway Service service entered the running state.

Record Number: 7382
Source Name: Service Control Manager
Time Written: 20090112074045.000000-300
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 7035
Message: The Application Layer Gateway Service service was successfully sent a start control.

Record Number: 7381
Source Name: Service Control Manager
Time Written: 20090112074045.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: ACER-AD993BA82B
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the running state.

Record Number: 7380
Source Name: Service Control Manager
Time Written: 20090112074044.000000-300
Event Type: information
User:

Application event log

Computer Name: ACER-AD993BA82B
Event Code: 1
Message:
Record Number: 1738
Source Name: avg8emc
Time Written: 20080902124112.000000-240
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 4
Message: The LightScribe Service started successfully.

Record Number: 1737
Source Name: LightScribeService
Time Written: 20080902124105.000000-240
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 0
Message: Service started successfully.

Record Number: 1736
Source Name: AcerMemUsageCheckService
Time Written: 20080902124058.000000-240
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 1735
Source Name: SecurityCenter
Time Written: 20080902080304.000000-240
Event Type: information
User:

Computer Name: ACER-AD993BA82B
Event Code: 32068
Message: The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Record Number: 1734
Source Name: Microsoft Fax
Time Written: 20080902080300.000000-240
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\MATLAB\bin\win32;;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32\wbem;
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=6b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------
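The created-files section of the RSIT log above is where this infection shows itself: pairs of randomly named DLLs in system32 dropped at almost the same clock time every day (around 00:00 and 12:00), each beside a hidden+system .ini with an equally random name, and a few with the irregular mixed-case names (sYJklnnn, khfFULcC, nnnlkJYs) that MBAM later identifies as Trojan.Vundo.H. The script below is an added example written for this page, not part of the thread, of RSIT or of HijackThis: it parses lines in the format of that section (the sample is copied from the log above, with a few legitimate entries from the same log mixed in) and scores every system32 entry on four signals: a hidden+system .ini, an odd-looking name, creation at a time-of-day bucket that recurs on several dates, and a DLL created within a few minutes of a hidden .ini. The weights, the 10-minute pairing window, the three-date rule and the score threshold are my assumptions, tuned to this log; the result is a list of files to check against a file database, not a removal list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the RSIT "List of files/folders created"
# section in this thread, plus a few entries from the same log that are
# legitimate (DirectX, a Canon printer DLL, the Bullzip port monitor, Xfire).
SAMPLE_LOG = r"""
2009-02-18 00:01:51 ----SH---- C:\WINDOWS\system32\nyksqvsb.ini
2009-02-18 00:01:39 ----A---- C:\WINDOWS\system32\bsvqskyn.dll
2009-02-17 23:58:41 ----A---- C:\WINDOWS\system32\srymmm.dll
2009-02-17 12:01:43 ----A---- C:\WINDOWS\system32\onfxaw.dll
2009-02-17 11:58:40 ----SH---- C:\WINDOWS\system32\fnccllap.ini
2009-02-16 23:58:44 ----A---- C:\WINDOWS\system32\jxxfip.dll
2009-02-16 12:01:54 ----SH---- C:\WINDOWS\system32\qdvwfvgm.ini
2009-02-16 11:58:52 ----A---- C:\WINDOWS\system32\yuenmi.dll
2009-02-15 23:58:57 ----SH---- C:\WINDOWS\system32\ftnniuew.ini
2009-02-15 16:40:57 ----D---- C:\Program Files\ERUNT
2009-02-15 15:52:51 ----ASH---- C:\WINDOWS\system32\sYJklnnn.ini2
2009-02-15 14:05:44 ----A---- C:\WINDOWS\system32\khfFULcC.dll
2009-02-14 11:57:12 ----ASH---- C:\WINDOWS\system32\sYJklnnn.ini
2009-02-14 11:57:01 ----A---- C:\WINDOWS\system32\nnnlkJYs.dll
2009-02-14 09:37:58 ----A---- C:\WINDOWS\system32\pdfmonnt.dll
2009-02-06 19:17:01 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2009-02-01 12:20:25 ----A---- C:\WINDOWS\system32\CNMVS5y.DLL
2009-01-22 20:17:46 ----A---- C:\WINDOWS\system32\xfcodec.dll
"""

# RSIT line: "<date> <time> ----<attribute letters>---- <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -+([A-Z]*)-+ (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse(log):
    """Return (timestamp, attribute-letter set, path) for each well-formed line."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((when, set(m.group(2)), m.group(3)))
    return entries


def split_name(path):
    """Return (stem, lower-cased extension) of the last path component."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")


def odd_name_score(stem):
    """2 for irregular mixed case (khfFULcC style), 1 for a vowel-starved
    6..8-letter name, 0 otherwise. Weights are assumptions tuned to this log."""
    if not (stem.isalpha() and 6 <= len(stem) <= 8):
        return 0
    regular = stem.islower() or stem.isupper() or (stem[0].isupper() and stem[1:].islower())
    if not regular:
        return 2
    vowels = sum(c in "aeiou" for c in stem.lower())
    return 1 if vowels * 3 <= len(stem) else 0


def bucket(when):
    """10-minute time-of-day bucket; 23:55-00:04 and 11:55-12:04 each land in one."""
    minute = when.hour * 60 + when.minute
    return ((minute + 5) // 10) % 144


def triage(log, window_s=600, min_dates=3, threshold=2):
    """Score every entry; returns {file name: (score, reasons, suspicious?)}."""
    entries = parse(log)
    sys32 = [e for e in entries if e[2].lower().startswith(SYSTEM32)]
    # Dates on which something landed in system32 in each time-of-day bucket:
    # daily drops at the same clock time show up as one bucket with many dates.
    dates_per_bucket = defaultdict(set)
    for when, _, _ in sys32:
        dates_per_bucket[bucket(when)].add(when.date())
    hidden_inis = [when for when, attrs, path in sys32
                   if split_name(path)[1].startswith("ini") and {"S", "H"} <= attrs]
    report = {}
    for when, attrs, path in entries:
        reasons = {}
        if path.lower().startswith(SYSTEM32):
            stem, ext = split_name(path)
            if ext.startswith("ini") and {"S", "H"} <= attrs:
                reasons["hidden_ini"] = 2          # system+hidden .ini in system32
            odd = odd_name_score(stem)
            if odd:
                reasons["odd_name"] = odd
            if len(dates_per_bucket[bucket(when)]) >= min_dates:
                reasons["periodic_drop"] = 1       # same clock time on several days
            if ext == "dll" and any(abs((when - t).total_seconds()) <= window_s
                                    for t in hidden_inis):
                reasons["paired_with_ini"] = 1     # DLL dropped beside a hidden .ini
        score = sum(reasons.values())
        report[path.rsplit("\\", 1)[-1]] = (score, sorted(reasons), score >= threshold)
    return report


def suspicious(log):
    """Names of entries whose combined score reaches the threshold."""
    return sorted(name for name, (_, _, flag) in triage(log).items() if flag)


if __name__ == "__main__":
    for name, (score, reasons, flag) in triage(SAMPLE_LOG).items():
        print(f"{('SUSPECT' if flag else 'ok'):7} {score} {name:16} {', '.join(reasons)}")
```

On the sample, every Vundo file from the log scores 2 or more, while the legitimate pdfmonnt.dll and xfcodec.dll stop at 1 (odd-looking name only) and the DirectX and Canon DLLs score 0. Single signals produce false positives on purpose; it is the combination of a strange name with daily timing or a hidden .ini companion that makes an entry worth pulling for analysis.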
 
Hi :)

This computer is a little over a year old and I bought it new. The computer never belonged to a business.
Fine :bigthumb:

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Disable LockServ:

We need to do this, otherwise it will interfere with the malware removal process.

  • Open Notepad.
  • Copy and Paste everything from the Code Box below into Notepad: <-- Start >> Run... type in notepad and select OK
Code:
@Echo Off
REM Stop the Acer eLock service (LockServ) so it cannot interfere with the cleanup tools
SC Stop LockServ
REM Keep it from starting again at boot (the space after "start=" is required by SC)
SC Config LockServ start= disabled
REM Remove this batch file once it has run
Del %0
  • Go to File >> Save As
  • Save File name as "Disable.bat" <-- Make sure to include the quotes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look like this:
    Disable.gif

Now double click on the desktop Disable.bat to run the batch file. It will self-delete when completed.

Then Reboot(restart) your computer.

Note: We will re-enable this when I give the all clear.

Next:

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

eMule

Please uninstall this as per the Safer Networking guidelines outlined here.


Next:

Please download Malwarebytes' Anti-Malware to your desktop.

Alternate download link.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs can be read here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now? Any other symptoms or problems encountered?
  • Malwarebytes' Anti-Malware Log.
  • ComboFix Log.
  • A new HijackThis Log.
 
Working well so far, thanks. Should I always use Malwarebytes' Anti-Malware, since it found more malware than Spybot?



Malwarebytes' Anti-Malware 1.34
Database version: 1778
Windows 5.1.2600 Service Pack 3

2/19/2009 8:48:18 AM
mbam-log-2009-02-19 (08-48-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 225263
Time elapsed: 40 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nnnlkJYs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pkuhtrym.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gseilp.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8081657c-6027-4b63-8523-60970a92c3c8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8081657c-6027-4b63-8523-60970a92c3c8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ebe308ca-ff78-474c-9e65-6b5ba3028b05} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ebe308ca-ff78-474c-9e65-6b5ba3028b05} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8081657c-6027-4b63-8523-60970a92c3c8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ebe308ca-ff78-474c-9e65-6b5ba3028b05} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cdabd9a (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnlkjys -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnlkjys -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Adult.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\ (Hijack.Tray) -> Bad: (C:\DOCUME~1\Divilov\LOCALS~1\Temp\\shell32.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gseilp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nnnlkJYs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sYJklnnn.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sYJklnnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pkuhtrym.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\myrthukp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\99PAU0I4\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\N78JDJ8G\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\N78JDJ8G\winsinstall[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\N78JDJ8G\apstpldr.dll[3].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\ZY4W780C\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Divilov\Local Settings\Temporary Internet Files\Content.IE5\ZY4W780C\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP302\A0100044.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP303\A0100941.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP303\A0100942.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP304\A0102332.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP304\A0102378.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP305\A0102574.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP305\A0102624.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP307\A0102874.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP307\A0102875.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efqpnc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frsvxa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gptgevuh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfFULcC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lcantqbt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJDSLff.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nfdentsu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nsavdfgo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onfxaw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\owrbqmpl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qobmpsce.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rpgjultp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRIyYoO.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ryyrqjuc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\srymmm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uuyijq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wfhyei.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xgpibs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yuenmi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwqawlhb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdxhtgj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.




ComboFix 09-02-18.01 - Divilov 2009-02-19 8:58:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1498 [GMT -5:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cLkjkUtv.ini
c:\windows\system32\fnccllap.ini
c:\windows\system32\ftnniuew.ini
c:\windows\system32\ieltenth.ini
c:\windows\system32\jxxfip.dll
c:\windows\system32\lVwaccdd.ini
c:\windows\system32\nyksqvsb.ini
c:\windows\system32\qdvwfvgm.ini
c:\windows\system32\uspkqrhi.ini
c:\windows\system32\xfiffqoe.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P


((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-19 07:54 . 2009-02-19 07:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 07:54 . 2009-02-19 07:54 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Malwarebytes
2009-02-19 07:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-19 07:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-19 00:14 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-02-18 10:08 . 2009-02-18 10:09 <DIR> d-------- C:\rsit
2009-02-18 10:07 . 2009-02-18 10:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-15 16:40 . 2009-02-15 16:41 <DIR> d-------- c:\program files\ERUNT
2009-02-15 13:50 . 2009-02-15 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-14 11:40 . 2009-02-14 11:40 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Boomzap
2009-02-14 09:40 . 2009-02-14 09:40 <DIR> d-------- c:\program files\MSECache
2009-02-14 09:37 . 2001-10-29 01:42 116,224 --a------ c:\windows\system32\pdfmonnt.dll
2009-02-14 09:35 . 2009-02-14 09:35 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Bullzip
2009-02-13 18:50 . 2009-02-17 20:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Dark Sector
2009-02-13 09:40 . 2009-01-01 14:06 8,192 --a------ c:\windows\system32\drivers\FStarForce.sys
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\program files\Spiderweb Software
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Downloaded Installations
2009-02-12 18:17 . 2009-02-12 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScreenSeven
2009-02-12 10:07 . 2009-02-12 10:07 <DIR> d-------- c:\program files\OpenAL
2009-02-10 20:07 . 2009-02-10 20:19 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Crayon Physics Deluxe
2009-02-10 18:41 . 2009-02-15 14:03 95 --a------ c:\windows\WININIT.INI
2009-02-09 11:10 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-09 11:10 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-08 22:14 . 2009-02-08 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\STDUConverter
2009-02-08 21:57 . 2009-02-08 21:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreePDF_XP
2009-02-08 19:19 . 2009-02-08 19:19 <DIR> d-------- c:\program files\Xfire
2009-02-08 19:19 . 2009-02-08 20:47 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Xfire
2009-02-06 19:17 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-02-06 19:16 . 2008-07-10 11:00 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-02-06 19:16 . 2008-07-10 11:00 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-06 19:16 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-02-06 19:16 . 2008-07-30 06:20 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-02-06 19:16 . 2008-07-10 11:01 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-06 19:16 . 2008-07-30 06:20 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-06 19:16 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-02-06 19:16 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-02-06 19:16 . 2008-07-30 06:20 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-06 19:16 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-02-04 17:48 . 2009-02-04 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-03 22:57 . 2009-02-03 22:57 <DIR> d-------- C:\CFLog
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-01 12:20 . 2009-02-01 12:20 <DIR> d--h----- C:\BJPrinter
2009-02-01 12:20 . 2004-04-23 12:00 116,736 --a------ c:\windows\system32\CNMLM5y.DLL
2009-02-01 12:20 . 2004-04-23 12:00 7,680 --a------ c:\windows\system32\CNMVS5y.DLL
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-01 09:54 . 2009-02-10 18:34 <DIR> d-------- c:\program files\DOSBox-0.70
2009-01-30 14:30 . 2009-01-30 14:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\MathWorks
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\ESET
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Avocent AdminWorks
2009-01-30 00:34 . 2009-01-30 00:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Eltima Software
2009-01-30 00:33 . 2009-01-30 00:33 <DIR> d-------- c:\program files\Eltima Software
2009-01-26 13:39 . 2008-06-28 00:43 430,080 --a------ c:\windows\system32\cmcs21.ocx
2009-01-26 13:39 . 2008-06-28 00:43 224,016 --a------ c:\windows\system32\tabctl32.ocx
2009-01-26 13:39 . 2003-09-23 00:00 109,248 --a------ c:\windows\system32\MSWINSCK.OCX
2009-01-26 13:39 . 2008-06-28 00:43 103,744 --a------ c:\windows\system32\mscomm32.ocx
2009-01-26 13:39 . 2008-06-28 00:43 53,248 --a------ c:\windows\system32\zlib.dll
2009-01-22 20:17 . 2009-01-22 20:17 42,320 --a------ c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 03:18 --------- d-----w c:\documents and settings\Divilov\Application Data\uTorrent
2009-02-18 14:56 --------- d-----w c:\program files\JDown
2009-02-18 01:34 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-15 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-15 19:41 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-14 20:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-10 22:34 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-07 02:37 --------- d-----w c:\program files\Trillian
2009-01-26 17:27 137,824 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-23 06:02 22,328 ----a-w c:\documents and settings\Divilov\Application Data\PnkBstrK.sys
2009-01-15 01:12 --------- d-----w c:\documents and settings\Divilov\Application Data\The Longest Journey
2009-01-14 18:54 --------- d-----w c:\program files\Funcom
2009-01-13 05:46 --------- d-----w c:\documents and settings\Divilov\Application Data\GetRightToGo
2009-01-02 17:32 --------- d-----w c:\documents and settings\Divilov\Application Data\EternalEden
2008-12-30 01:09 --------- d-----w c:\documents and settings\Divilov\Application Data\TeamViewer
2008-08-31 16:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gseilp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 08:08 136136 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-06-08 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-06-06 90112]
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-12 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-08 10944]
S0 gqytvjjg;gqytvjjg;c:\windows\system32\drivers\vgykyaks.sys --> c:\windows\system32\drivers\vgykyaks.sys [?]
S0 kaojuupk;kaojuupk;c:\windows\system32\drivers\waxkxrih.sys --> c:\windows\system32\drivers\waxkxrih.sys [?]
S0 uiwusira;uiwusira;c:\windows\system32\drivers\ownjyxnr.sys --> c:\windows\system32\drivers\ownjyxnr.sys [?]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-02-13 8192]
S3 XDva072;XDva072;\??\c:\windows\system32\XDva072.sys --> c:\windows\system32\XDva072.sys [?]
S3 XDva074;XDva074;\??\c:\windows\system32\XDva074.sys --> c:\windows\system32\XDva074.sys [?]
S3 XDva123;XDva123;\??\c:\windows\system32\XDva123.sys --> c:\windows\system32\XDva123.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5C4854EE-B927-4E42-8993-761FCC84DE9C} - (no file)
Notify-hgGabBtq - hgGabBtq.dll
Notify-qoMdDwUl - qoMdDwUl.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 09:01:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{05DE4A07-7606-4756-9155-8C1842F82FDD}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:0000000e
"Time"=hex:d9,07,01,00,05,00,1e,00,13,00,12,00,32,00,8c,00

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60A61E22-CD13-4E25-B619-57268FF9658D}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:0000000e
"Time"=hex:d9,07,01,00,05,00,1e,00,13,00,12,00,32,00,8c,00

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:86,43,47,e4,cc,9f,cb,15,21,3b,27,e1,7a,44,c1,81,4f,33,54,1d,a5,
4d,7b,86,33,13,b3,0b,19,0b,de,64,1e,da,d5,93,27,96,0c,2f,97,b9,65,03,1f,4c,\
"rkeysecu"=hex:09,98,37,69,d4,01,de,09,79,c4,c0,25,15,5a,fb,bb

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\pmkofuao.dll"
"ThreadingModel"="free"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60a61e22-cd13-4e25-b619-57268ff9658d}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\utdrwe.dll"
"ThreadingModel"="free"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Empowering Technology\eLock\LockServ.exe
c:\matlab\webserver\bin\win32\matlabserver.exe
c:\windows\system32\nvsvc32.exe
c:\matlab\bin\win32\MATLAB.exe
c:\windows\system32\PnkBstrA.exe
c:\acer\LANScope Agent\lockkm.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-19 9:04:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-19 14:04:33

Pre-Run: 42,520,207,360 bytes free
Post-Run: 42,817,437,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
261 --- E O F --- 2009-02-12 02:33:53





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:38 AM, on 2/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209481842781
O20 - AppInit_DLLs: gseilp.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6809 bytes
 
Hi,

I have bad news I'm afraid :sad:

One or more of the identified infections is a severe Rootkit.Agent

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards. In fact it will most likely never be secure again.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
 
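An added example, not code from this thread, from HijackThis or from ComboFix: a small Python triage script that picks out the loading points a malware-removal helper reads first in the logs posted here, namely a non-empty AppInit_DLLs value, boot-start (S0) drivers whose file the scanner cannot find, a locked CLSID key that registers an in-process DLL, and the Security Center / Windows Firewall settings being switched off. The sample log is constructed from lines that appear in the HijackThis log above and in the ComboFix log posted later in the thread; the severity labels and the regular expressions are my own assumptions, not anything the tools emit.

```python
"""Triage of HijackThis / ComboFix log lines for the loading points a
malware-removal helper looks at first.  Added example for this thread;
not code from the original posts, from HijackThis or from ComboFix."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (assumed labels, not a tool's)
    line: str       # the log line that triggered the finding
    reason: str     # why a helper would care about it


# HijackThis O20 line, and ComboFix's registry dump of the same value.
APPINIT_HJT = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>\S.*)$")
APPINIT_REG = re.compile(r'^"AppInit_DLLs"=(?P<dlls>\S.*)$')
# ComboFix service/driver line: "<start> <name>;<display>;<path> [...]".
CF_DRIVER = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
INPROC_DEFAULT = re.compile(r'^@="(?P<path>.+)"$')
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:00000001$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')


def triage(log_text):
    """Return the findings for one pasted log, in the order they occur."""
    findings = []
    in_locked_keys = False   # inside ComboFix's "LOCKED REGISTRY KEYS" section
    current_key = ""         # last "[HKEY_...]" header seen, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "LOCKED REGISTRY KEYS" in line:
            in_locked_keys = True
            continue
        if line.startswith("-----"):        # any other ComboFix section banner
            in_locked_keys = False
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = APPINIT_HJT.match(line) or APPINIT_REG.match(line)
        if m:
            findings.append(Finding("high", line,
                f"AppInit_DLLs injects {m.group('dlls')} into every process that loads user32.dll"))
            continue
        m = CF_DRIVER.match(line)
        if m:
            if "[?]" in m.group("rest"):    # ComboFix could not find the file
                if m.group("start") == "S0":
                    findings.append(Finding("high", line,
                        f"boot-start driver {m.group('name')} is registered but its file is not visible on disk"))
                else:
                    findings.append(Finding("low", line,
                        f"driver {m.group('name')} registered with a missing file (often a stale entry)"))
            continue
        m = INPROC_DEFAULT.match(line)
        if m and in_locked_keys and current_key.endswith("\\inprocserver32"):
            path = m.group("path").replace("\\\\", "\\")   # undo REGEDIT4 escaping
            findings.append(Finding("high", line,
                f"locked CLSID key registers {path} as an in-process COM server"))
            continue
        if DISABLE_MON.match(line) and "security center" in current_key:
            findings.append(Finding("medium", line,
                f"Security Center alerts suppressed under {current_key}"))
            continue
        if FIREWALL_OFF.match(line) and "firewallpolicy" in current_key:
            findings.append(Finding("medium", line, "Windows Firewall disabled for this profile"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"high": 4, "medium": 2, "low": 1}."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: gseilp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
S0 gqytvjjg;gqytvjjg;c:\windows\system32\drivers\vgykyaks.sys --> c:\windows\system32\drivers\vgykyaks.sys [?]
S0 kaojuupk;kaojuupk;c:\windows\system32\drivers\waxkxrih.sys --> c:\windows\system32\drivers\waxkxrih.sys [?]
S3 XDva072;XDva072;\??\c:\windows\system32\XDva072.sys --> c:\windows\system32\XDva072.sys [?]
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\pmkofuao.dll"
"ThreadingModel"="free"
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

The random eight-letter names (gqytvjjg, vgykyaks, pmkofuao) are what a human reader notices first; the script deliberately keys on the structural facts instead, since a boot-start driver that the file-system view cannot see and a CLSID key the scanner had to force open are what make this a rootkit rather than a plain adware entry. DisableMonitoring is only rated medium because security vendors set it for their own products; it is worth a second look here only because the Symantec product those keys belong to is listed as file missing.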
First off, didn't you disable LockServ? Am I supposed to turn it back on?

And I would like to try to remove the rootkit
 
Hi :)

OK, here is the situation as I see it. I will respect your decision for an attempted malware removal, but I will emphasise that I give no guarantee that your computer will ever again be deemed not an online security risk.

I highly suggest you think further upon this and the possible ramifications I outlined in my last post. Neither I nor Safer Networking will be held accountable if at some point in the future the worst case scenario occurs, as I have given both my advice and warning to try and educate your good self about the serious nature of this malware infection.

Next:

First off, didn't you disable LockServ? Am I supposed to turn it back on?
At this time it appears the aforementioned application is not fully disabled and will still hinder anything I ask you to do. Also, this application is actually not particularly good at what it claims to do. Upon advice from a colleague of mine, who is a well-respected individual within the Anti-Malware community and a Microsoft MVP, the best course of action is to uninstall this fully as follows:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Acer eLock Management(LockServ)

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Next:

Please re-download ComboFix, if prompted with ComboFix.exe already exists, allow it to download and replace the existing exe file:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    For your particular installed application read >>here<<. Please make sure you do this, as last time ComboFix was run your Eset Smart Security was active. If you do not fully understand how to temporarily disable it, stop any further actions straight away and inform me, and I will provide advice on how to do so.

  • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

When completed the above, please post back the following in the order asked for:

  • Any problems encountered and/or further symptoms at all?
  • ComboFix Log.
  • A new HijackThis Log.
 
no problems or symptoms.



ComboFix 09-02-19.01 - Divilov 2009-02-21 9:52:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1591 [GMT -5:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Outdated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-20 23:34 . 2009-02-20 23:41 <DIR> d-------- c:\program files\Garena
2009-02-20 23:30 . 2009-02-20 23:30 <DIR> d-------- C:\VertigoGames
2009-02-20 18:42 . 2009-02-20 18:42 <DIR> d-------- C:\CrashReport
2009-02-19 22:46 . 2009-02-19 22:46 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2009-02-19 22:45 . 2009-02-19 22:46 <DIR> d-------- c:\windows\LastGood
2009-02-19 07:54 . 2009-02-19 09:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 07:54 . 2009-02-19 07:54 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Malwarebytes
2009-02-19 00:14 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-02-18 10:08 . 2009-02-18 10:09 <DIR> d-------- C:\rsit
2009-02-18 10:07 . 2009-02-18 10:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-15 13:50 . 2009-02-15 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-14 11:40 . 2009-02-14 11:40 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Boomzap
2009-02-14 09:40 . 2009-02-14 09:40 <DIR> d-------- c:\program files\MSECache
2009-02-14 09:37 . 2001-10-29 01:42 116,224 --a------ c:\windows\system32\pdfmonnt.dll
2009-02-14 09:35 . 2009-02-14 09:35 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Bullzip
2009-02-13 18:50 . 2009-02-17 20:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Dark Sector
2009-02-13 09:40 . 2009-01-01 14:06 8,192 --a------ c:\windows\system32\drivers\FStarForce.sys
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\program files\Spiderweb Software
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Downloaded Installations
2009-02-12 18:17 . 2009-02-12 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScreenSeven
2009-02-12 10:07 . 2009-02-12 10:07 <DIR> d-------- c:\program files\OpenAL
2009-02-10 20:07 . 2009-02-10 20:19 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Crayon Physics Deluxe
2009-02-10 18:41 . 2009-02-15 14:03 95 --a------ c:\windows\WININIT.INI
2009-02-09 11:10 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-09 11:10 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-08 22:14 . 2009-02-08 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\STDUConverter
2009-02-08 21:57 . 2009-02-08 21:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreePDF_XP
2009-02-08 19:19 . 2009-02-08 19:19 <DIR> d-------- c:\program files\Xfire
2009-02-08 19:19 . 2009-02-08 20:47 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Xfire
2009-02-06 19:17 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-02-06 19:16 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-02-06 19:16 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-06 19:16 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-02-06 19:16 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-02-06 19:16 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-06 19:16 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-06 19:16 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-02-06 19:16 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-02-06 19:16 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-06 19:16 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-02-04 17:48 . 2009-02-04 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-03 22:57 . 2009-02-03 22:57 <DIR> d-------- C:\CFLog
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-01 12:20 . 2009-02-01 12:20 <DIR> d--h----- C:\BJPrinter
2009-02-01 12:20 . 2004-04-23 12:00 116,736 --a------ c:\windows\system32\CNMLM5y.DLL
2009-02-01 12:20 . 2004-04-23 12:00 7,680 --a------ c:\windows\system32\CNMVS5y.DLL
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-01 09:54 . 2009-02-10 18:34 <DIR> d-------- c:\program files\DOSBox-0.70
2009-01-30 14:30 . 2009-01-30 14:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\MathWorks
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\ESET
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Avocent AdminWorks
2009-01-30 00:34 . 2009-01-30 00:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Eltima Software
2009-01-30 00:33 . 2009-01-30 00:33 <DIR> d-------- c:\program files\Eltima Software
2009-01-26 13:39 . 2008-06-28 00:43 430,080 --a------ c:\windows\system32\cmcs21.ocx
2009-01-26 13:39 . 2008-06-28 00:43 224,016 --a------ c:\windows\system32\tabctl32.ocx
2009-01-26 13:39 . 2003-09-23 00:00 109,248 --a------ c:\windows\system32\MSWINSCK.OCX
2009-01-26 13:39 . 2008-06-28 00:43 103,744 --a------ c:\windows\system32\mscomm32.ocx
2009-01-26 13:39 . 2008-06-28 00:43 53,248 --a------ c:\windows\system32\zlib.dll
2009-01-22 20:17 . 2009-01-22 20:17 42,320 --a------ c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 14:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 16:28 --------- d-----w c:\documents and settings\Divilov\Application Data\uTorrent
2009-02-20 03:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-19 23:33 --------- d-----w c:\program files\JDown
2009-02-19 14:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 15:07 413,696 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-12 15:07 110,592 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-10 22:34 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-07 02:37 --------- d-----w c:\program files\Trillian
2009-01-26 17:27 202,032 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-26 17:27 137,824 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-23 06:02 22,328 ----a-w c:\documents and settings\Divilov\Application Data\PnkBstrK.sys
2009-01-23 06:01 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-23 06:01 2,337,865 ----a-w c:\windows\system32\pbsvc.exe
2009-01-15 01:12 --------- d-----w c:\documents and settings\Divilov\Application Data\The Longest Journey
2009-01-14 18:54 --------- d-----w c:\program files\Funcom
2009-01-14 04:38 2,855 ----a-w c:\windows\PIF\Gothic2-Setup.PIF
2009-01-13 05:46 --------- d-----w c:\documents and settings\Divilov\Application Data\GetRightToGo
2009-01-02 17:32 --------- d-----w c:\documents and settings\Divilov\Application Data\EternalEden
2008-12-30 01:09 --------- d-----w c:\documents and settings\Divilov\Application Data\TeamViewer
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-31 16:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-19_ 9.03.50.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-20 03:46:23 155,648 ----a-w c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP\WiseCustomCalla.dll
- 2009-02-07 00:16:23 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2009-02-20 03:45:35 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2009-02-07 00:16:23 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2009-02-20 03:45:36 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2009-02-07 00:16:24 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2009-02-20 03:45:36 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2009-02-07 00:16:18 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:31 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:19 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:32 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:20 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:32 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:20 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:33 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:20 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:33 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:21 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:33 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:22 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:34 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:22 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:34 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:22 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:34 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:24 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-20 03:45:36 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-07 00:16:24 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2009-02-20 03:45:36 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2009-02-07 00:16:24 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2009-02-20 03:45:36 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2009-02-07 00:16:25 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2009-02-20 03:45:37 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2009-02-07 00:16:25 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2009-02-20 03:45:37 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2009-02-07 00:16:23 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2009-02-20 03:45:35 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2007-03-12 21:42:30 1,123,696 ----a-w c:\windows\LastGood\system32\D3DCompiler_33.dll
+ 2007-05-16 21:45:16 1,124,720 ----a-w c:\windows\LastGood\system32\D3DCompiler_34.dll
+ 2007-07-19 23:14:42 1,358,192 ----a-w c:\windows\LastGood\system32\D3DCompiler_35.dll
+ 2007-10-12 20:14:00 1,374,232 ----a-w c:\windows\LastGood\system32\D3DCompiler_36.dll
+ 2008-03-05 20:56:58 1,420,824 ----a-w c:\windows\LastGood\system32\D3DCompiler_37.dll
+ 2008-05-30 19:11:46 1,491,992 ----a-w c:\windows\LastGood\system32\D3DCompiler_38.dll
+ 2008-07-10 16:00:58 1,493,528 ----a-w c:\windows\LastGood\system32\D3DCompiler_39.dll
+ 2007-03-15 21:57:58 443,752 ----a-w c:\windows\LastGood\system32\d3dx10_33.dll
+ 2007-05-16 21:45:16 443,752 ----a-w c:\windows\LastGood\system32\d3dx10_34.dll
+ 2007-07-19 23:14:42 444,776 ----a-w c:\windows\LastGood\system32\d3dx10_35.dll
+ 2007-10-02 14:56:34 444,776 ----a-w c:\windows\LastGood\system32\d3dx10_36.dll
+ 2008-02-06 04:07:36 462,864 ----a-w c:\windows\LastGood\system32\d3dx10_37.dll
+ 2008-05-30 19:11:46 467,984 ----a-w c:\windows\LastGood\system32\d3dx10_38.dll
+ 2008-07-10 16:01:00 467,984 ----a-w c:\windows\LastGood\system32\d3dx10_39.dll
+ 2005-02-06 00:45:26 2,222,800 ----a-w c:\windows\LastGood\system32\d3dx9_24.dll
+ 2005-03-18 22:19:58 2,337,488 ----a-w c:\windows\LastGood\system32\d3dx9_25.dll
+ 2005-05-26 20:34:52 2,297,552 ----a-w c:\windows\LastGood\system32\d3dx9_26.dll
+ 2005-07-23 00:59:04 2,319,568 ----a-w c:\windows\LastGood\system32\d3dx9_27.dll
+ 2005-12-05 23:09:18 2,323,664 ----a-w c:\windows\LastGood\system32\d3dx9_28.dll
+ 2006-02-03 13:43:16 2,332,368 ----a-w c:\windows\LastGood\system32\d3dx9_29.dll
+ 2006-03-31 17:40:58 2,388,176 ----a-w c:\windows\LastGood\system32\d3dx9_30.dll
+ 2006-09-28 21:05:20 2,414,360 ----a-w c:\windows\LastGood\system32\d3dx9_31.dll
+ 2006-11-29 18:06:18 3,426,072 ----a-w c:\windows\LastGood\system32\d3dx9_32.dll
+ 2007-03-12 21:42:30 3,495,784 ----a-w c:\windows\LastGood\system32\d3dx9_33.dll
+ 2007-05-16 21:45:16 3,497,832 ----a-w c:\windows\LastGood\system32\d3dx9_34.dll
+ 2007-07-19 23:14:42 3,727,720 ----a-w c:\windows\LastGood\system32\d3dx9_35.dll
+ 2007-10-12 20:14:00 3,734,536 ----a-w c:\windows\LastGood\system32\d3dx9_36.dll
+ 2008-03-05 20:56:58 3,786,760 ----a-w c:\windows\LastGood\system32\D3DX9_37.dll
+ 2008-05-30 19:11:46 3,850,760 ----a-w c:\windows\LastGood\system32\D3DX9_38.dll
+ 2008-07-10 16:00:58 3,851,784 ----a-w c:\windows\LastGood\system32\D3DX9_39.dll
+ 2006-02-03 13:41:26 14,032 ----a-w c:\windows\LastGood\system32\x3daudio1_0.dll
+ 2007-03-05 17:42:18 15,128 ----a-w c:\windows\LastGood\system32\x3daudio1_1.dll
+ 2007-10-22 08:37:16 17,928 ----a-w c:\windows\LastGood\system32\x3daudio1_2.dll
+ 2008-03-05 21:00:06 25,608 ----a-w c:\windows\LastGood\system32\X3DAudio1_3.dll
+ 2008-05-30 19:17:00 25,608 ----a-w c:\windows\LastGood\system32\X3DAudio1_4.dll
+ 2006-02-03 13:42:06 230,096 ----a-w c:\windows\LastGood\system32\xactengine2_0.dll
+ 2006-03-31 17:39:48 229,584 ----a-w c:\windows\LastGood\system32\xactengine2_1.dll
+ 2007-10-22 08:39:54 267,272 ----a-w c:\windows\LastGood\system32\xactengine2_10.dll
+ 2006-05-31 12:24:16 230,168 ----a-w c:\windows\LastGood\system32\xactengine2_2.dll
+ 2006-07-28 14:30:32 236,824 ----a-w c:\windows\LastGood\system32\xactengine2_3.dll
+ 2006-09-28 21:05:56 237,848 ----a-w c:\windows\LastGood\system32\xactengine2_4.dll
+ 2006-12-08 17:02:00 251,672 ----a-w c:\windows\LastGood\system32\xactengine2_5.dll
+ 2007-01-24 20:27:30 255,848 ----a-w c:\windows\LastGood\system32\xactengine2_6.dll
+ 2007-04-04 23:55:00 261,480 ----a-w c:\windows\LastGood\system32\xactengine2_7.dll
+ 2007-06-21 01:46:04 266,088 ----a-w c:\windows\LastGood\system32\xactengine2_8.dll
+ 2007-07-20 05:57:12 267,112 ----a-w c:\windows\LastGood\system32\xactengine2_9.dll
+ 2008-03-05 21:03:20 238,088 ----a-w c:\windows\LastGood\system32\xactengine3_0.dll
+ 2008-05-30 19:18:52 238,088 ----a-w c:\windows\LastGood\system32\xactengine3_1.dll
+ 2008-07-30 11:20:54 238,088 ----a-w c:\windows\LastGood\system32\xactengine3_2.dll
+ 2008-05-30 19:17:30 65,032 ----a-w c:\windows\LastGood\system32\XAPOFX1_0.dll
+ 2008-07-30 11:20:56 68,616 ----a-w c:\windows\LastGood\system32\XAPOFX1_1.dll
+ 2008-03-05 21:03:54 479,752 ----a-w c:\windows\LastGood\system32\XAudio2_0.dll
+ 2008-05-30 19:19:18 507,400 ----a-w c:\windows\LastGood\system32\XAudio2_1.dll
+ 2008-07-30 11:20:56 509,448 ----a-w c:\windows\LastGood\system32\XAudio2_2.dll
+ 2006-03-31 17:39:24 62,672 ----a-w c:\windows\LastGood\system32\xinput1_1.dll
+ 2006-07-28 14:30:14 62,744 ----a-w c:\windows\LastGood\system32\xinput1_2.dll
+ 2007-04-04 23:53:42 81,768 ----a-w c:\windows\LastGood\system32\xinput1_3.dll
+ 2005-12-05 23:07:30 61,136 ----a-w c:\windows\LastGood\system32\xinput9_1_0.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gseilp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 08:08 136136 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\VertigoGames\\Game\\BlackShot\\Blackshot\\system\\BlackShot.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-12 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-08 10944]
R4 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
R4 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S0 gqytvjjg;gqytvjjg;c:\windows\system32\drivers\vgykyaks.sys --> c:\windows\system32\drivers\vgykyaks.sys [?]
S0 kaojuupk;kaojuupk;c:\windows\system32\drivers\waxkxrih.sys --> c:\windows\system32\drivers\waxkxrih.sys [?]
S0 uiwusira;uiwusira;c:\windows\system32\drivers\ownjyxnr.sys --> c:\windows\system32\drivers\ownjyxnr.sys [?]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-02-13 8192]
S3 XDva072;XDva072;\??\c:\windows\system32\XDva072.sys --> c:\windows\system32\XDva072.sys [?]
S3 XDva074;XDva074;\??\c:\windows\system32\XDva074.sys --> c:\windows\system32\XDva074.sys [?]
S3 XDva123;XDva123;\??\c:\windows\system32\XDva123.sys --> c:\windows\system32\XDva123.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GARENAPENGINE
*Deregistered* - GarenaPEngine
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 09:53:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{05DE4A07-7606-4756-9155-8C1842F82FDD}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:0000000e
"Time"=hex:d9,07,01,00,05,00,1e,00,13,00,12,00,32,00,8c,00

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60A61E22-CD13-4E25-B619-57268FF9658D}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:0000000e
"Time"=hex:d9,07,01,00,05,00,1e,00,13,00,12,00,32,00,8c,00

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:df,e5,ea,76,71,90,73,86,f2,3b,64,e1,44,75,32,48,0e,0d,17,d9,a4,
7d,9d,b1,b2,f8,5f,13,8a,bd,a1,55,fd,d0,43,89,5a,c2,94,27,4f,b8,86,97,26,e7,\
"rkeysecu"=hex:65,18,48,8e,28,49,90,6b,b5,75,cc,af,3d,1e,4d,fa

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\pmkofuao.dll"
"ThreadingModel"="free"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60a61e22-cd13-4e25-b619-57268ff9658d}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\utdrwe.dll"
"ThreadingModel"="free"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-21 9:55:03
ComboFix-quarantined-files.txt 2009-02-21 14:55:00
ComboFix2.txt 2009-02-19 14:04:37

Pre-Run: 40,410,554,368 bytes free
Post-Run: 40,410,533,888 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
332 --- E O F --- 2009-02-12 02:33:53





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:10 AM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209481842781
O20 - AppInit_DLLs: gseilp.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6698 bytes
 
Hi :)

no problems or symptoms.
Fine, thank you for informing me.

In case you are not aware, your installed Eset Smart Security is reporting that it is out of date. Please check for any updates and download them etc.

Remove Norton Anti-Virus remnants:

Please click HERE and follow the instructions to download and run the norton removal tool for the version you had installed.

Note: If you are not sure which version and/or are unable to download, inform me in your next reply and we will deal with this manually.

Or try this version.

Next:

Download SREng

  • Extract it to Desktop and double click SREngLdr.exe to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that have an Error status and click [Repair]
  • Refer to this image for an example:

    SystemRepair_FileAssocs.gif
  • In your case, it is both .REG and .SCR
  • Close SREng now.
COMBOFIX-Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KILLALL::
    
    File::
    c:\windows\PIF\Gothic2-Setup.PIF
    C:\WINDOWS\system32\gseilp.dll
    c:\windows\system32\drivers\vgykyaks.sys
    c:\windows\system32\drivers\waxkxrih.sys
    c:\windows\system32\drivers\ownjyxnr.sys 
    c:\windows\system32\XDva072.sys
    c:\windows\system32\XDva074.sys
    c:\windows\system32\XDva123.sys
    c:\windows\system32\XDva214.sys
    c:\WINDOWS\system32\pmkofuao.dll
    c:\WINDOWS\\system32\utdrwe.dll
    
    Driver::
    vgykyaks
    waxkxrih
    ownjyxnr
    XDva072
    XDva074
    XDva123
    XDva214
    
    REGLOCK::
    [HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{05DE4A07-7606-4756-9155-8C1842F82FDD}\iexplore]
    [HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60A61E22-CD13-4E25-B619-57268FF9658D}\iexplore]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60a61e22-cd13-4e25-b619-57268ff9658d}\InprocServer32]
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "appinit_dlls"="" 
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\Program Files\uTorrent\uTorrent.exe"=-
    [-HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{05DE4A07-7606-4756-9155-8C1842F82FDD}\iexplore]
    [-HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60A61E22-CD13-4E25-B619-57268FF9658D}\iexplore]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60a61e22-cd13-4e25-b619-57268ff9658d}\InprocServer32]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    CFScriptB-4.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When you have completed the above, please post back the following in the order asked for:
  • Any problems encountered and/or further symptoms at all?
  • ComboFix Log.
  • A new HijackThis Log.
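An added example, not code from this thread or from ComboFix itself: a small Python parser and sanity check for the CFScript layout used in the post above. The section rules (a `Name::` header followed by its lines; `.reg`-style `[key]`, `[-key]`, `"name"=data` and `"name"=-` under `Registry::`) are inferred from the posted script rather than taken from any ComboFix documentation, and the checks are this example's own, not a statement of how ComboFix processes the file. The embedded sample is a trimmed copy of the posted script; it keeps one path with a doubled backslash (the `utdrwe.dll` entry, echoed the same way in the FILE :: block of the ComboFix log that follows) so the lint has something to catch.

```python
"""Parse a ComboFix-style CFScript and report inconsistencies before it is run.

Example code written for this page; section layout and .reg conventions are
inferred from the script posted in the thread (an assumption, not ComboFix's
documented grammar). SAMPLE_SCRIPT is a trimmed copy of that posting.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")      # e.g. "File::"
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")           # "[key]" or "[-key]"
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')       # '"name"=data' or '"name"=-'
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")            # drive letter, colon, backslash

# Trimmed copy of the CFScript posted above (constructed sample input).
SAMPLE_SCRIPT = r"""KILLALL::

File::
c:\windows\PIF\Gothic2-Setup.PIF
C:\WINDOWS\system32\gseilp.dll
c:\windows\system32\drivers\vgykyaks.sys
c:\WINDOWS\\system32\utdrwe.dll

Driver::
vgykyaks
XDva072

REGLOCK::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{60a61e22-cd13-4e25-b619-57268ff9658d}\InprocServer32]

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\Program Files\uTorrent\uTorrent.exe"=-
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05de4a07-7606-4756-9155-8c1842f82fdd}\InprocServer32]
"""


def parse_script(text: str) -> Dict[str, List[str]]:
    """Split the script into {section: [non-empty lines]}, keeping section order."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_actions(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Turn Registry:: lines into (action, key, value_name, data) tuples.

    .reg conventions: [key] selects a key, [-key] deletes it,
    "name"=data sets a value under the selected key, "name"=- deletes it.
    """
    actions: List[Tuple[str, str, str, str]] = []
    key = None
    for line in lines:
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(2)
            if km.group(1) == "-":
                actions.append(("delete_key", key, "", ""))
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and key is not None:
            name, data = vm.groups()
            if data == "-":
                actions.append(("delete_value", key, name, ""))
            else:
                actions.append(("set_value", key, name, data.strip('"')))
    return actions


def lint_script(text: str) -> List[str]:
    """Return warnings about paths, driver names and unlocked keys in the script."""
    s = parse_script(text)
    warnings: List[str] = []
    files = s.get("File", [])
    for f in files:
        if not ABS_PATH_RE.match(f):
            warnings.append(f"File:: entry is not an absolute path: {f}")
        if "\\\\" in f:
            warnings.append(f"File:: entry contains a doubled backslash: {f}")
    # Each name under Driver:: is expected to have its .sys listed under File::.
    sys_names = {f.rsplit("\\", 1)[-1].lower() for f in files if f.lower().endswith(".sys")}
    for drv in s.get("Driver", []):
        if f"{drv.lower()}.sys" not in sys_names:
            warnings.append(f"Driver:: {drv} has no matching .sys under File::")
    # A key listed under REGLOCK:: but never set or deleted under Registry::
    # is unlocked by this script without any follow-up action on it.
    touched = {key.lower() for _, key, _, _ in registry_actions(s.get("Registry", []))}
    for line in s.get("REGLOCK", []):
        km = REG_KEY_RE.match(line)
        if km and km.group(2).lower() not in touched:
            warnings.append(f"REGLOCK:: key unlocked but never modified or deleted: {km.group(2)}")
    return warnings


if __name__ == "__main__":
    for w in lint_script(SAMPLE_SCRIPT):
        print("WARNING:", w)
```

Run on the sample, the lint reports the doubled backslash in the `utdrwe.dll` path, a `Driver::` name (XDva072) whose `.sys` was trimmed out of the sample's `File::` list, and the second `REGLOCK::` key, which the trimmed `Registry::` block never deletes. On the full script as posted, only the first of those three would remain, which is the kind of pre-flight reading a helper does before asking someone to drag the file onto ComboFix.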
 
Hi :)

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
 
Hi :)

I apologise about the link I posted not working. What you have done is fine.

Please carry on with the rest of my posted instructions from:
COMBOFIX-Script:
 
No problems or symptoms


ComboFix 09-02-24.02 - Divilov 2009-02-25 12:58:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1490 [GMT -5:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Divilov\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\\system32\utdrwe.dll
c:\windows\PIF\Gothic2-Setup.PIF
c:\windows\system32\drivers\ownjyxnr.sys
c:\windows\system32\drivers\vgykyaks.sys
c:\windows\system32\drivers\waxkxrih.sys
c:\windows\system32\gseilp.dll
c:\windows\system32\pmkofuao.dll
c:\windows\system32\XDva072.sys
c:\windows\system32\XDva074.sys
c:\windows\system32\XDva123.sys
c:\windows\system32\XDva214.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\PIF\Gothic2-Setup.PIF

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA072
-------\Legacy_XDVA074
-------\Legacy_XDVA123
-------\Legacy_XDVA214
-------\Service_XDva072
-------\Service_XDva074
-------\Service_XDva123
-------\Service_XDva214


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 14:36 . 2009-02-24 14:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-24 14:31 . 2009-01-09 14:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-21 16:29 . 2009-02-21 16:29 <DIR> d-------- c:\program files\G4box
2009-02-20 23:34 . 2009-02-23 19:32 <DIR> d-------- c:\program files\Garena
2009-02-20 23:30 . 2009-02-20 23:30 <DIR> d-------- C:\VertigoGames
2009-02-20 18:42 . 2009-02-20 18:42 <DIR> d-------- C:\CrashReport
2009-02-19 22:46 . 2009-02-19 22:46 <DIR> d-------- c:\windows\A7E07C2B2220441587E3784D5814BC93.TMP
2009-02-19 07:54 . 2009-02-19 07:54 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Malwarebytes
2009-02-19 00:14 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-02-18 10:08 . 2009-02-18 10:09 <DIR> d-------- C:\rsit
2009-02-18 10:07 . 2009-02-18 10:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-15 13:50 . 2009-02-15 13:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-14 11:40 . 2009-02-14 11:40 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Boomzap
2009-02-14 09:40 . 2009-02-14 09:40 <DIR> d-------- c:\program files\MSECache
2009-02-14 09:37 . 2001-10-29 01:42 116,224 --a------ c:\windows\system32\pdfmonnt.dll
2009-02-14 09:35 . 2009-02-14 09:35 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Bullzip
2009-02-13 18:50 . 2009-02-17 20:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Dark Sector
2009-02-13 09:40 . 2009-01-01 14:06 8,192 --a------ c:\windows\system32\drivers\FStarForce.sys
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\program files\Spiderweb Software
2009-02-12 20:28 . 2009-02-12 20:28 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Downloaded Installations
2009-02-12 18:17 . 2009-02-12 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScreenSeven
2009-02-12 10:07 . 2009-02-12 10:07 <DIR> d-------- c:\program files\OpenAL
2009-02-10 20:07 . 2009-02-10 20:19 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Crayon Physics Deluxe
2009-02-10 18:41 . 2009-02-15 14:03 95 --a------ c:\windows\WININIT.INI
2009-02-09 11:10 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-02-09 11:10 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-02-08 22:14 . 2009-02-08 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\STDUConverter
2009-02-08 21:57 . 2009-02-08 21:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreePDF_XP
2009-02-08 19:19 . 2009-02-08 19:19 <DIR> d-------- c:\program files\Xfire
2009-02-08 19:19 . 2009-02-08 20:47 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Xfire
2009-02-06 19:17 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2009-02-06 19:17 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2009-02-06 19:16 . 2008-07-12 08:18 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-02-06 19:16 . 2008-07-12 08:18 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2009-02-06 19:16 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-02-06 19:16 . 2008-07-31 10:40 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-02-06 19:16 . 2008-07-12 08:18 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2009-02-06 19:16 . 2008-07-31 10:41 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2009-02-06 19:16 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2009-02-06 19:16 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-02-06 19:16 . 2008-07-31 10:41 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-02-06 19:16 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-02-04 17:48 . 2009-02-04 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-03 22:57 . 2009-02-03 22:57 <DIR> d-------- C:\CFLog
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\windows\system32\AGEIA
2009-02-03 17:17 . 2009-02-03 17:17 <DIR> d-------- c:\program files\AGEIA Technologies
2009-02-01 12:20 . 2009-02-01 12:20 <DIR> d--h----- C:\BJPrinter
2009-02-01 12:20 . 2004-04-23 12:00 116,736 --a------ c:\windows\system32\CNMLM5y.DLL
2009-02-01 12:20 . 2004-04-23 12:00 7,680 --a------ c:\windows\system32\CNMVS5y.DLL
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-01 12:17 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-01 09:54 . 2009-02-10 18:34 <DIR> d-------- c:\program files\DOSBox-0.70
2009-01-30 14:30 . 2009-01-30 14:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\MathWorks
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\ESET
2009-01-30 14:28 . 2009-01-30 14:28 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Avocent AdminWorks
2009-01-30 00:34 . 2009-01-30 00:34 <DIR> d-------- c:\documents and settings\Divilov\Application Data\Eltima Software
2009-01-30 00:33 . 2009-01-30 00:33 <DIR> d-------- c:\program files\Eltima Software
2009-01-26 13:39 . 2008-06-28 00:43 430,080 --a------ c:\windows\system32\cmcs21.ocx
2009-01-26 13:39 . 2008-06-28 00:43 224,016 --a------ c:\windows\system32\tabctl32.ocx
2009-01-26 13:39 . 2003-09-23 00:00 109,248 --a------ c:\windows\system32\MSWINSCK.OCX
2009-01-26 13:39 . 2008-06-28 00:43 103,744 --a------ c:\windows\system32\mscomm32.ocx
2009-01-26 13:39 . 2008-06-28 00:43 53,248 --a------ c:\windows\system32\zlib.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 14:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 16:28 --------- d-----w c:\documents and settings\Divilov\Application Data\uTorrent
2009-02-20 03:46 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-19 23:33 --------- d-----w c:\program files\JDown
2009-02-19 14:15 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-15 19:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 22:34 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-07 02:37 --------- d-----w c:\program files\Trillian
2009-01-26 17:27 137,824 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-23 06:02 22,328 ----a-w c:\documents and settings\Divilov\Application Data\PnkBstrK.sys
2009-01-15 01:12 --------- d-----w c:\documents and settings\Divilov\Application Data\The Longest Journey
2009-01-14 18:54 --------- d-----w c:\program files\Funcom
2009-01-13 05:46 --------- d-----w c:\documents and settings\Divilov\Application Data\GetRightToGo
2009-01-02 17:32 --------- d-----w c:\documents and settings\Divilov\Application Data\EternalEden
2008-12-30 01:09 --------- d-----w c:\documents and settings\Divilov\Application Data\TeamViewer
2008-08-31 16:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-02-21_ 9.54.14.77 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\system32\dllcache\shell32.dll
- 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-12-10 12:28:03 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-02-25 17:38:47 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 08:08 136136 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\VertigoGames\\Game\\BlackShot\\Blackshot\\system\\BlackShot.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-12 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-08 10944]
S0 gqytvjjg;gqytvjjg;c:\windows\system32\drivers\vgykyaks.sys --> c:\windows\system32\drivers\vgykyaks.sys [?]
S0 kaojuupk;kaojuupk;c:\windows\system32\drivers\waxkxrih.sys --> c:\windows\system32\drivers\waxkxrih.sys [?]
S0 uiwusira;uiwusira;c:\windows\system32\drivers\ownjyxnr.sys --> c:\windows\system32\drivers\ownjyxnr.sys [?]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-02-13 8192]
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 13:01:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:df,e5,ea,76,71,90,73,86,f2,3b,64,e1,44,75,32,48,0e,0d,17,d9,a4,
7d,9d,b1,b2,f8,5f,13,8a,bd,a1,55,fd,d0,43,89,5a,c2,94,27,4f,b8,86,97,26,e7,\
"rkeysecu"=hex:65,18,48,8e,28,49,90,6b,b5,75,cc,af,3d,1e,4d,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\matlab\webserver\bin\win32\matlabserver.exe
c:\matlab\bin\win32\MATLAB.exe
c:\windows\system32\nvsvc32.exe
c:\acer\LANScope Agent\lockkm.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-25 13:04:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 18:04:51
ComboFix2.txt 2009-02-21 14:55:04
ComboFix3.txt 2009-02-19 14:04:37

Pre-Run: 40,804,110,336 bytes free
Post-Run: 40,823,533,568 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
254 --- E O F --- 2009-02-24 23:48:30




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:44 PM, on 2/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209481842781
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6444 bytes
 
Hi :)

No problems or symptoms
OK, it may appear so, but I assure you your computer is far from being malware free and undoubtedly never will be. I have trained for a very long time in the IT field of Anti-Malware to get to the point where I am able to assist individuals such as your good self. Saying that, I still strongly advise that a Re-Format & Re-Installation of the Operating System is the course of action to take!

In-Depth Rootkit Scan:

Download GMER and extract it to your desktop.

***Please close any open programs ***

  • Now right-click on gmer.exe and choose the option Rename, and rename it Dakeyras please.
  • Now double-click Dakeyras.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


  • If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER/Dakeyras will produce a log. Click on the Save button, and save the log as dakeyras.txt somewhere you can easily find it, such as your desktop.
  • If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER/Dakeyras will produce a log.
  • Click on the Save button, and save the log as Dakeyras.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER/Dakeyras scan in your reply.

Next:

Please download ISeeYouXP.zip by ShadowPuterDude, to your Desktop.

  • Then extract the files from the ZIP.
  • Locate the ISeeYouXP.bat file and double click on it to run it.
  • It will create a file named ISeeYou.txt in the root of drive C: (C:\ISeeYou.txt) .
  • This log will also pop up in a Notepad window, which you can just close. Upload the ISeeYou.txt file here as an attachment.
Note: If you get an error similar to the below when running GetRunKey.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS.

C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.

For Windows XP Pro: download and run XPproFix
For Windows XP Home: download and run XPHomeFix
For Windows 2000: download and run: W2KFix

Then run ISeeYouXP.bat again and post the log.

The log can get quite long, which is the reason I would like you to attach the file.


When you have completed the above, please post back the following in the order asked for (individual posts may be best):

  • Dakeyras.txt.
  • ISeeYou.txt
  • A new HijackThis Log.
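A small triage script, added here as an example and not part of this thread or of HijackThis itself: it reads a log in the format posted above and pulls out the entries a helper looks at first (registrations whose file is gone, O23 services with no vendor string, and every O4 autorun). The sample input is a handful of lines copied from the log above; the bucket names are my own.

```python
import re

# Every HijackThis entry starts with a section code (R1, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Markers HijackThis prints when the file behind a registration no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entry(line):
    """Return (section code, body) for an entry line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def triage(log_text):
    """Bucket the entries a helper reviews first: orphaned registrations
    (leftover or removed software), O23 services without a vendor string,
    and every O4 Run-key autorun for comparison against known software."""
    found = {"orphaned": [], "unowned": [], "autoruns": []}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue  # header lines, process paths, "End of file", blanks
        kind, body = entry
        if any(marker in body for marker in ORPHAN_MARKERS):
            found["orphaned"].append(line.strip())
        if kind == "O23" and " - Unknown owner - " in body:
            found["unowned"].append(line.strip())
        if kind == "O4":
            found["autoruns"].append(line.strip())
    return found


# Constructed test input: a handful of lines copied from the log above.
SAMPLE_LOG = r"""Running processes:
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Divilov\My Documents\DP\New Folder\PartyPoker\RunApp.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
End of file - 6444 bytes
"""

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        print(f"{bucket} ({len(entries)}):")
        for entry in entries:
            print("   ", entry)
```

An "(no file)" or "(file missing)" entry is only a dangling registration, so it is safe to remove but is not itself evidence of an infection; "Unknown owner" just means the binary carries no vendor string and still has to be identified by its path and hash.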
 