BleepingComputer.com: I think im infected

Referred from: http://www.bleepingcomputer.com/forums/topic237085.html ~ OB

I let my older brother use my laptop and now its been acting weird. I think it might be infected some how. Would love to clean it out please.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Homie at 10:37:30.61 on Fri 07/03/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.873 [GMT -4:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Homie\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Homie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [DriverMax]
uRun: [cdloader] "c:\documents and settings\homie\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Google Update] "c:\documents and settings\homie\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AtiPTA] atiptaxx.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe
dRun: [Eyeball Chat] "c:\program files\eyeball networks\eyeball chat\EyeballChat.exe" -min
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08da -f video -m logitech -d 11.5.0.1145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.17.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-13 106208]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-2-13 727720]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-06-30 19:35 <DIR> --d----- C:\mbam&sas
2009-06-30 14:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-30 14:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-30 14:21 <DIR> --d----- c:\docume~1\homie\applic~1\SUPERAntiSpyware.com
2009-06-29 16:11 <DIR> --d----- c:\program files\Eyeball Networks
2009-06-29 15:11 138,520 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-29 15:11 189,640 a------- c:\windows\system32\PnkBstrB.exe
2009-06-29 15:11 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-29 14:21 <DIR> --d----- c:\windows\pss
2009-06-29 14:00 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 14:00 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-29 14:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 12:21 <DIR> --d----- c:\docume~1\homie\applic~1\Malwarebytes
2009-06-28 12:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-27 12:23 1,115 a------- c:\windows\system32\hjgruiqlivcqea.dat
2009-06-26 22:37 <DIR> --d----- c:\program files\Sony
2009-06-26 22:34 <DIR> --d----- c:\program files\Sony Setup
2009-06-26 16:12 <DIR> --d----- c:\program files\Trojan Remover
2009-06-26 16:10 <DIR> --d----- c:\docume~1\homie\applic~1\Simply Super Software
2009-06-26 15:27 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-06-26 15:27 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-06-26 15:27 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-06-26 15:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-06-26 15:05 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-06-26 15:05 75,264 a------- c:\windows\system32\unacev2.dll
2009-06-23 15:54 189,640 a------- c:\windows\system32\PnkBstrB.xtr
2009-06-23 15:13 139,152 a------- c:\docume~1\homie\applic~1\PnkBstrK.sys
2009-06-23 15:13 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-23 12:50 <DIR> --d----- c:\program files\EA Games
2009-06-21 21:19 <DIR> --d----- c:\program files\DVD Shrink
2009-06-21 18:23 334,031 a------- c:\windows\id and face.jpg
2009-06-21 13:24 <DIR> --d----- c:\docume~1\homie\applic~1\VTExtra
2009-06-19 21:59 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-11 23:21 3,120 a------- c:\windows\system32\32985ae5-e1a2-444b-a036-f62f31304442.dll
2009-06-11 23:21 3,120 a------- c:\windows\3ed56251-224a-4256-a485-b694a866e00c.ocx
2009-06-11 23:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\StormPredator
2009-06-11 23:19 <DIR> --d----- c:\windows\StormPredator
2009-06-11 23:19 <DIR> --d----- c:\program files\StormPredator
2009-06-11 23:17 <DIR> --d----- c:\program files\common files\MF
2009-06-10 18:21 <DIR> --d----- c:\program files\Drug Lord 2
2009-06-10 12:09 <DIR> --d----- c:\program files\TeamViewer
2009-06-10 12:05 <DIR> --d----- c:\docume~1\homie\applic~1\TeamViewer
2009-06-10 12:04 <DIR> --d----- c:\documents and settings\homie\temp
2009-06-10 07:16 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-10 07:16 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-10 07:16 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-10 07:16 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-10 07:16 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-10 07:16 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-10 07:16 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-10 07:16 <DIR> --d----- C:\dd3adf4e91f3fa7d16d4510970bf
2009-06-10 01:11 2,796,878 a------- c:\windows\system32\GameMon.des
2009-06-10 01:11 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-06-10 01:11 4,682 a------- c:\windows\system32\npptNT2.sys
2009-06-10 01:10 <DIR> --d----- c:\program files\common files\INCA Shared
2009-06-09 23:35 <DIR> --d----- C:\ijji
2009-06-09 23:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ijjigame
2009-06-09 23:33 157,152 a------- c:\windows\system32\PubPlugin.dll
2009-06-09 23:33 58,800 a------- c:\windows\system32\ijjiPlugin2.dll
2009-06-09 23:33 710,064 a------- c:\windows\system32\ijjiSetup.exe
2009-06-09 23:33 58,800 a------- c:\windows\system32\ijjiProcessRestarter.exe
2009-06-09 23:33 <DIR> --d----- c:\program files\NHN USA
2009-06-09 01:07 <DIR> --d----- c:\program files\ClubWPT
2009-06-09 00:08 <DIR> --d----- c:\docume~1\homie\applic~1\EyeballChatAvatars
2009-06-09 00:05 <DIR> --d----- c:\docume~1\homie\applic~1\EyeballChatUserData
2009-06-09 00:01 <DIR> --d----- C:\Games
2009-06-08 21:43 <DIR> --d----- C:\majicjack contacts backup
2009-06-07 21:38 <DIR> --d----- C:\Nexon
2009-06-07 21:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NexonUS
2009-06-07 19:38 <DIR> --d----- c:\program files\Pando Networks
2009-06-05 13:36 <DIR> --d----- c:\docume~1\homie\applic~1\tor
2009-06-05 13:26 <DIR> --d----- c:\program files\Vidalia Bundle

==================== Find3M ====================

2009-06-21 22:49 34 a------- c:\documents and settings\homie\jagex_runescape_preferences.dat
2009-05-30 00:53 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-30 00:26 90,112 a------- c:\windows\DUMP4853.tmp
2009-05-22 14:42 90,112 a------- c:\windows\DUMP513c.tmp
2009-05-19 13:25 90,112 a------- c:\windows\DUMP60cd.tmp
2009-05-15 04:23 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-15 00:20 472,576 a------- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-05-14 21:44 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-28 05:47 499,712 a------- c:\windows\system32\msvcp71.dll
2009-04-28 05:47 348,160 a------- c:\windows\system32\msvcr71.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 10:37:54.84 ===============

Hello and to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.
-----------------------------------------------------------
We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Kind regards
Net_Surfer

DDS (Ver_09-06-26.01) - NTFSx86
Run by Homie at 3:13:02.73 on Fri 07/10/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.843 [GMT -4:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Homie\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Homie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [DriverMax]
uRun: [cdloader] "c:\documents and settings\homie\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Google Update] "c:\documents and settings\homie\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AtiPTA] atiptaxx.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [Eyeball Chat] "c:\program files\eyeball networks\eyeball chat\EyeballChat.exe" -min
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08da -f video -m logitech -d 11.5.0.1145
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.17.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\homie\applic~1\mozilla\firefox\profiles\l83aqo37.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=13&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\homie\application data\mozilla\firefox\profiles\l83aqo37.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\homie\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\homie\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-13 106208]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-2-13 727720]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-07 15:06 <DIR> --d----- c:\docume~1\homie\applic~1\ManyCam
2009-07-07 15:06 <DIR> --d----- c:\program files\ManyCam 2.4
2009-07-05 23:03 <DIR> --d----- c:\docume~1\homie\applic~1\MPEG Streamclip
2009-07-04 11:43 <DIR> --d----- c:\program files\PartyGaming
2009-07-03 12:42 <DIR> --d----- c:\program files\VSTplugins
2009-06-30 19:35 <DIR> --d----- C:\mbam&sas
2009-06-30 14:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-30 14:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-30 14:21 <DIR> --d----- c:\docume~1\homie\applic~1\SUPERAntiSpyware.com
2009-06-29 16:11 <DIR> --d----- c:\program files\Eyeball Networks
2009-06-29 15:11 138,520 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-29 15:11 189,640 a------- c:\windows\system32\PnkBstrB.exe
2009-06-29 15:11 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-29 14:21 <DIR> --d----- c:\windows\pss
2009-06-29 14:00 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 14:00 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-29 14:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 12:21 <DIR> --d----- c:\docume~1\homie\applic~1\Malwarebytes
2009-06-28 12:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-27 12:23 1,115 a------- c:\windows\system32\hjgruiqlivcqea.dat
2009-06-26 16:12 <DIR> --d----- c:\program files\Trojan Remover
2009-06-26 16:10 <DIR> --d----- c:\docume~1\homie\applic~1\Simply Super Software
2009-06-26 15:27 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-06-26 15:27 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-06-26 15:27 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-06-26 15:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-06-26 15:05 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-06-26 15:05 75,264 a------- c:\windows\system32\unacev2.dll
2009-06-23 15:54 189,640 a------- c:\windows\system32\PnkBstrB.xtr
2009-06-23 15:13 139,152 a------- c:\docume~1\homie\applic~1\PnkBstrK.sys
2009-06-23 15:13 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-23 12:50 <DIR> --d----- c:\program files\EA Games
2009-06-21 21:19 <DIR> --d----- c:\program files\DVD Shrink
2009-06-21 18:23 334,031 a------- c:\windows\id and face.jpg
2009-06-21 13:24 <DIR> --d----- c:\docume~1\homie\applic~1\VTExtra
2009-06-19 21:59 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-11 23:21 3,120 a------- c:\windows\system32\32985ae5-e1a2-444b-a036-f62f31304442.dll
2009-06-11 23:21 3,120 a------- c:\windows\3ed56251-224a-4256-a485-b694a866e00c.ocx
2009-06-11 23:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\StormPredator
2009-06-11 23:19 <DIR> --d----- c:\windows\StormPredator
2009-06-11 23:19 <DIR> --d----- c:\program files\StormPredator
2009-06-11 23:17 <DIR> --d----- c:\program files\common files\MF
2009-06-10 18:21 <DIR> --d----- c:\program files\Drug Lord 2
2009-06-10 12:09 <DIR> --d----- c:\program files\TeamViewer
2009-06-10 12:05 <DIR> --d----- c:\docume~1\homie\applic~1\TeamViewer
2009-06-10 12:04 <DIR> --d----- c:\documents and settings\homie\temp
2009-06-10 07:16 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-10 07:16 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-10 07:16 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-10 07:16 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-10 07:16 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-10 07:16 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-10 07:16 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-10 07:16 <DIR> --d----- C:\dd3adf4e91f3fa7d16d4510970bf

==================== Find3M ====================

2009-07-04 09:06 34 a------- c:\documents and settings\homie\jagex_runescape_preferences.dat
2009-05-30 00:53 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-30 00:26 90,112 a------- c:\windows\DUMP4853.tmp
2009-05-26 17:31 58,800 a------- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-22 14:42 90,112 a------- c:\windows\DUMP513c.tmp
2009-05-19 13:25 90,112 a------- c:\windows\DUMP60cd.tmp
2009-05-15 04:23 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-15 00:20 472,576 a------- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-05-14 21:44 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-12 20:48 710,064 a------- c:\windows\system32\ijjiSetup.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-28 05:47 499,712 a------- c:\windows\system32\msvcp71.dll
2009-04-28 05:47 348,160 a------- c:\windows\system32\msvcr71.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 3:13:26.04 ===============

Hi snouk,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

• Please subscribe to this topic, if you haven't already.
  
  
  
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  
  
  
• Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

---------------------------------------------------------------------------------------------

Your PC is well infected based on your other thread with Garmanma.

Please do the following.

Please download ComboFix from one of these locations:

• Bleepingcomputer
  
• ForoSpyware
  
• GeeksToGo

* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Combo-Fix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

ComboFix 09-07-09.08 - Homie 07/11/2009 18:13.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.927 [GMT -4:00]
Running from: c:\documents and settings\Homie\Desktop\Combo-Fix.exe.exe
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\3ed56251-224a-4256-a485-b694a866e00c.ocx
c:\windows\Downloaded Program Files\PurpleBean.exe
c:\windows\Installer\17be3d.msp
c:\windows\Installer\17be3e.msp
c:\windows\Installer\17be3f.msp
c:\windows\Installer\17be40.msp
c:\windows\Installer\17be41.msp
c:\windows\Installer\17be42.msp
c:\windows\Installer\17be43.msp
c:\windows\Installer\17be44.msp
c:\windows\Installer\17be45.msp
c:\windows\Installer\1ab99c.msp
c:\windows\Installer\1ab99d.msp
c:\windows\Installer\1ab99e.msp
c:\windows\Installer\1ab99f.msp
c:\windows\Installer\1ab9a0.msp
c:\windows\Installer\1ab9a1.msp
c:\windows\Installer\1ab9a2.msp
c:\windows\Installer\1ab9a3.msp
c:\windows\Installer\1ab9a4.msp
c:\windows\Installer\1ab9a5.msp
c:\windows\Installer\1b9607.msp
c:\windows\Installer\1b9611.msp
c:\windows\Installer\1b961c.msp
c:\windows\system32\32985ae5-e1a2-444b-a036-f62f31304442.dll
c:\windows\system32\hjgruiqlivcqea.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruitltfhoym
-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

2009-07-11 22:19 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Homie\Application Data\mjusbsp\in00000\setup.exe
2009-07-11 22:19 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Homie\Application Data\mjusbsp\ar00000\install.exe
2009-07-07 19:06 . 2009-07-07 19:08 -------- d-----w- c:\documents and settings\Homie\Application Data\ManyCam
2009-07-07 19:06 . 2009-07-07 19:08 -------- d-----w- c:\program files\ManyCam 2.4
2009-07-06 03:03 . 2009-07-06 03:03 -------- d-----w- c:\documents and settings\Homie\Application Data\MPEG Streamclip
2009-07-04 15:43 . 2009-07-04 16:00 -------- d-----w- c:\program files\PartyGaming
2009-07-03 16:42 . 2009-07-03 16:42 -------- d-----w- c:\program files\VSTplugins
2009-07-01 05:17 . 2009-07-02 04:17 -------- d-----w- c:\documents and settings\Homie\Local Settings\Application Data\Temp
2009-06-30 23:35 . 2009-07-01 02:36 -------- d-----w- C:\mbam&sas
2009-06-30 19:44 . 2009-06-30 23:41 117760 ----a-w- c:\documents and settings\Administrator.DANSLAPTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-30 19:43 . 2009-06-30 19:43 -------- d-----w- c:\documents and settings\Administrator.DANSLAPTOP\Application Data\SUPERAntiSpyware.com
2009-06-30 19:02 . 2009-06-30 19:02 -------- d-----w- c:\documents and settings\Administrator.DANSLAPTOP\Application Data\Malwarebytes
2009-06-30 18:33 . 2009-06-30 18:33 117760 ----a-w- c:\documents and settings\Homie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-30 18:21 . 2009-06-30 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-30 18:21 . 2009-06-30 18:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-30 18:21 . 2009-06-30 18:21 -------- d-----w- c:\documents and settings\Homie\Application Data\SUPERAntiSpyware.com
2009-06-29 20:11 . 2009-06-29 20:11 -------- d-----w- c:\program files\Eyeball Networks
2009-06-29 19:11 . 2009-06-29 19:11 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-29 19:11 . 2009-06-29 19:11 189640 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-29 19:11 . 2009-06-29 19:11 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-29 19:09 . 2009-06-25 20:36 1291640 ----a-w- c:\documents and settings\Homie\Application Data\Mozilla\Firefox\Profiles\l83aqo37.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-06-29 19:09 . 2009-06-25 20:36 729088 ----a-w- c:\documents and settings\Homie\Application Data\Mozilla\Firefox\Profiles\l83aqo37.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-06-29 18:00 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 18:00 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 18:00 . 2009-06-29 18:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 16:21 . 2009-06-28 16:21 -------- d-----w- c:\documents and settings\Homie\Application Data\Malwarebytes
2009-06-28 16:21 . 2009-06-28 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-27 16:25 . 2009-04-01 04:47 2929528 ----a-w- c:\documents and settings\Homie\Application Data\Simply Super Software\Trojan Remover\elw1.exe
2009-06-26 20:31 . 2009-06-26 20:31 15884 ----a-w- c:\documents and settings\Homie\Application Data\Azureus\plugins\azitunes\libProcessAccess.dll
2009-06-26 20:31 . 2009-06-26 20:31 102400 ----a-w- c:\documents and settings\Homie\Application Data\Azureus\plugins\azitunes\jacob-1.14.3-x86.dll
2009-06-26 20:31 . 2009-06-26 20:31 4141117 ----a-w- c:\documents and settings\Homie\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2009-06-26 20:31 . 2009-06-26 20:31 6516755 ----a-w- c:\documents and settings\Homie\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2009-06-26 20:12 . 2009-06-26 20:14 -------- d-----w- c:\program files\Trojan Remover
2009-06-26 20:10 . 2009-06-26 20:13 -------- d-----w- c:\documents and settings\Homie\Application Data\Simply Super Software
2009-06-26 19:27 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-06-26 19:27 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-06-26 19:27 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-06-26 19:26 . 2009-06-26 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-06-26 19:09 . 2009-07-03 17:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-26 19:05 . 2003-02-02 23:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-06-26 19:05 . 2002-03-06 04:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-06-23 23:51 . 2009-06-23 23:51 -------- d-----w- c:\documents and settings\Homie\Application Data\Publish Providers
2009-06-23 23:48 . 2009-06-27 04:07 -------- d-----w- c:\documents and settings\Homie\Local Settings\Application Data\Sony
2009-06-23 23:48 . 2009-06-23 23:51 -------- d-----w- c:\documents and settings\Homie\Application Data\Sony
2009-06-23 23:23 . 2009-06-23 23:25 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-06-23 19:54 . 2009-06-23 19:54 -------- d-----w- c:\documents and settings\Homie\Local Settings\Application Data\PunkBuster
2009-06-23 19:13 . 2009-06-23 19:13 139152 ----a-w- c:\documents and settings\Homie\Application Data\PnkBstrK.sys
2009-06-23 19:13 . 2009-06-23 23:23 -------- d-----w- c:\windows\system32\LogFiles
2009-06-23 17:07 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Homie\Application Data\Mozilla\Firefox\Profiles\l83aqo37.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-23 16:50 . 2009-06-23 16:50 -------- d-----w- c:\program files\EA Games
2009-06-22 19:23 . 2009-06-22 19:23 239088 ----a-w- c:\documents and settings\Homie\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-06-22 01:19 . 2009-06-22 01:19 -------- d-----w- c:\program files\DVD Shrink
2009-06-22 01:15 . 2009-06-22 03:24 -------- d-----w- c:\documents and settings\Homie\Application Data\dvdcss
2009-06-21 17:24 . 2009-06-21 17:27 -------- d-----w- c:\documents and settings\Homie\Application Data\VTExtra
2009-06-21 17:22 . 2009-06-21 17:24 -------- d-----w- c:\documents and settings\Homie\Local Settings\Application Data\VTShared
2009-06-21 17:22 . 2009-06-24 02:22 -------- d-----w- c:\documents and settings\Homie\Local Settings\Application Data\SilverDollarCasino
2009-06-21 05:58 . 2009-06-21 05:58 -------- d-----w- c:\program files\ImgBurn
2009-06-20 02:02 . 2009-06-20 02:02 -------- d-----w- c:\documents and settings\Homie\Local Settings\Application Data\TechSmith
2009-06-19 01:08 . 2009-06-19 01:08 -------- d-----w- c:\documents and settings\Administrator.DANSLAPTOP\Application Data\Subversion
2009-06-19 01:07 . 2009-06-30 23:39 -------- d-----w- c:\documents and settings\Administrator.DANSLAPTOP\Local Settings\Application Data\TSVNCache
2009-06-13 20:59 . 2009-06-13 20:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-06-12 03:19 . 2009-06-12 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\StormPredator
2009-06-12 03:19 . 2009-06-12 03:20 -------- d-----w- c:\program files\StormPredator
2009-06-12 03:19 . 2009-06-12 03:19 -------- d-----w- c:\windows\StormPredator
2009-06-12 03:17 . 2009-06-29 18:18 -------- d-----w- c:\program files\Common Files\MF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-11 22:20 . 2009-05-15 13:28 -------- d-----w- c:\documents and settings\Homie\Application Data\mjusbsp
2009-07-04 13:06 . 2009-05-22 22:52 34 ----a-w- c:\documents and settings\Homie\jagex_runescape_preferences.dat
2009-07-04 12:42 . 2009-05-15 19:10 -------- d-----w- c:\documents and settings\Homie\Application Data\Skype
2009-07-04 12:27 . 2009-05-15 19:12 -------- d-----w- c:\documents and settings\Homie\Application Data\skypePM
2009-07-04 11:45 . 2009-06-05 17:36 -------- d-----w- c:\documents and settings\Homie\Application Data\tor
2009-07-04 11:45 . 2009-05-16 21:27 -------- d-----w- c:\documents and settings\Homie\Application Data\Vidalia
2009-07-03 16:19 . 2009-05-30 21:42 -------- d-----w- c:\documents and settings\Homie\Application Data\Azureus
2009-07-03 03:23 . 2009-06-10 03:35 337197168 ----a-w- c:\documents and settings\Homie\Application Data\ijjigame\U_SFInstaller.exe
2009-06-30 18:20 . 2009-05-21 01:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-28 16:16 . 2009-06-09 04:05 -------- d-----w- c:\documents and settings\Homie\Application Data\EyeballChatUserData
2009-06-24 16:06 . 2009-06-09 04:08 -------- d-----w- c:\documents and settings\Homie\Application Data\EyeballChatAvatars
2009-06-22 02:02 . 2009-05-15 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-06-20 02:10 . 2009-05-21 01:12 -------- d-----w- c:\program files\TechSmith
2009-06-20 02:03 . 2009-05-16 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-06-20 01:15 . 2009-06-09 05:07 -------- d-----w- c:\program files\ClubWPT
2009-06-16 19:33 . 2009-06-10 16:05 -------- d-----w- c:\documents and settings\Homie\Application Data\TeamViewer
2009-06-12 02:54 . 2009-05-15 04:47 12912 ----a-w- c:\documents and settings\Homie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 22:21 . 2009-06-10 22:21 -------- d-----w- c:\program files\Drug Lord 2
2009-06-10 16:09 . 2009-06-10 16:09 -------- d-----w- c:\program files\TeamViewer
2009-06-10 05:10 . 2009-06-10 05:10 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-06-10 04:00 . 2009-06-10 03:35 -------- d--h--w- c:\documents and settings\Homie\Application Data\ijjigame
2009-06-10 03:52 . 2009-06-10 03:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-10 03:35 . 2009-06-10 03:34 558552 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\PLauncher.exe
2009-06-10 03:34 . 2009-06-10 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-06-10 03:33 . 2009-06-10 03:33 -------- d-----w- c:\program files\NHN USA
2009-06-08 02:47 . 2009-06-07 23:38 -------- d-----w- c:\program files\Pando Networks
2009-06-08 01:55 . 2009-06-08 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2009-06-08 01:38 . 2009-06-08 01:38 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-06-08 01:38 . 2009-06-08 01:38 81920 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-06-08 01:38 . 2009-06-08 01:38 520192 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-06-08 01:38 . 2009-06-08 01:38 335872 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-06-08 01:38 . 2009-06-08 01:38 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-06-08 01:38 . 2009-06-08 01:38 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-06-05 17:34 . 2009-06-05 17:26 -------- d-----w- c:\program files\Vidalia Bundle
2009-06-03 21:48 . 2009-06-10 03:34 779720 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\PurpleBean.exe
2009-06-02 21:20 . 2009-05-15 05:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-30 22:24 . 2009-05-30 22:24 10684866 ----a-w- c:\documents and settings\Homie\Application Data\Azureus\plugins\azump\mplayer.exe
2009-05-30 21:42 . 2009-05-30 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-05-30 21:41 . 2009-05-30 21:41 -------- d-----w- c:\program files\Vuze
2009-05-30 04:53 . 2009-05-30 04:53 -------- d-----w- c:\program files\Sun
2009-05-30 04:53 . 2009-05-20 21:10 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-30 04:50 . 2009-05-20 21:10 -------- d-----w- c:\program files\Java
2009-05-30 04:26 . 2009-05-15 08:09 90112 ----a-w- c:\windows\DUMP4853.tmp
2009-05-30 04:22 . 2009-05-30 04:22 -------- d-----w- c:\documents and settings\Homie\Application Data\TortoiseSVN
2009-05-30 03:36 . 2009-05-30 03:36 -------- d-----w- c:\documents and settings\Homie\Application Data\Subversion
2009-05-30 03:33 . 2009-05-30 03:33 -------- d-----w- c:\program files\TortoiseSVN
2009-05-30 03:33 . 2009-05-30 03:33 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-05-30 02:35 . 2009-05-30 02:34 -------- d-----w- c:\program files\QuickTime
2009-05-30 02:34 . 2009-05-30 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-30 02:34 . 2009-05-30 02:34 -------- d-----w- c:\program files\Apple Software Update
2009-05-30 02:34 . 2009-05-30 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-05-26 21:31 . 2009-06-10 03:33 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-25 15:24 . 2009-05-25 15:24 -------- d-----w- c:\documents and settings\Homie\Application Data\CamfrogWEB
2009-05-25 15:24 . 2009-05-25 15:24 -------- d-----w- c:\program files\CFWebAdvancedU
2009-05-22 18:42 . 2009-05-15 08:09 90112 ----a-w- c:\windows\DUMP513c.tmp
2009-05-20 21:09 . 2009-05-20 21:09 152576 ----a-w- c:\documents and settings\Homie\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-19 17:25 . 2009-05-15 08:09 90112 ----a-w- c:\windows\DUMP60cd.tmp
2009-05-18 16:24 . 2009-05-18 16:22 -------- d-----w- c:\program files\One Club Casino
2009-05-17 19:00 . 2009-05-16 07:09 -------- d-----w- c:\program files\Camfrog
2009-05-17 18:58 . 2009-05-17 18:58 -------- d-----w- c:\program files\Common Files\Skype
2009-05-17 18:58 . 2009-05-17 18:58 -------- d-----r- c:\program files\Skype
2009-05-17 18:58 . 2009-05-15 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-17 18:43 . 2009-05-17 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-17 18:42 . 2009-05-17 18:42 -------- d-----w- c:\program files\Yahoo!
2009-05-17 17:51 . 2009-05-15 18:35 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-05-17 17:34 . 2009-05-17 17:34 10134 ----a-r- c:\documents and settings\Homie\Application Data\Microsoft\Installer\{5FE1E412-D114-46E8-A891-5BE087B256A5}\ARPPRODUCTICON.exe
2009-05-17 17:22 . 2009-05-17 17:22 -------- d-----w- c:\program files\Microsoft
2009-05-17 17:22 . 2009-05-17 17:21 -------- d-----w- c:\program files\Windows Live
2009-05-17 17:09 . 2009-05-17 17:09 -------- d-----w- c:\program files\Readon Technology
2009-05-17 17:00 . 2009-05-17 17:00 -------- d-----w- c:\program files\microsoft frontpage
2009-05-17 16:56 . 2009-05-17 16:56 -------- d-----w- c:\program files\nintendo
2009-05-17 16:48 . 2009-05-15 05:32 -------- d-----w- c:\program files\Unlocker
2009-05-17 16:47 . 2009-05-17 16:47 -------- d-----w- c:\program files\EasyCleaner
2009-05-17 16:43 . 2009-05-17 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-05-17 16:35 . 2009-05-17 16:35 -------- d-----w- c:\documents and settings\Homie\Application Data\ESET
2009-05-17 09:30 . 2009-05-15 04:32 -------- d-----w- c:\program files\DirectX9.0c
2009-05-17 09:30 . 2009-05-15 05:11 -------- d-----w- c:\program files\Adobe Media Player
2009-05-17 09:28 . 2009-05-15 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-05-17 09:27 . 2009-05-16 07:04 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-17 08:54 . 2009-05-15 04:21 -------- d-----w- c:\program files\MultiRes
2009-05-16 15:17 . 2009-05-16 07:10 -------- d-----w- c:\documents and settings\Homie\Application Data\Camfrog
2009-05-16 07:36 . 2009-05-16 07:36 -------- d-----w- c:\program files\MSBuild
2009-05-16 07:36 . 2009-05-16 07:36 -------- d-----w- c:\program files\Reference Assemblies
2009-05-15 19:12 . 2009-05-15 19:12 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-15 18:52 . 2009-05-15 18:52 -------- d-----w- c:\documents and settings\Homie\Application Data\Leadertech
2009-05-15 18:30 . 2009-05-15 18:30 -------- d-----w- c:\documents and settings\Homie\Application Data\vlc
2009-05-15 18:19 . 2009-05-15 18:19 -------- d-----w- c:\documents and settings\Homie\Application Data\ImgBurn
2009-05-15 17:30 . 2009-05-15 17:30 -------- d-----w- c:\program files\VideoLAN
2009-05-15 13:32 . 2009-05-15 13:32 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-15 08:23 . 2009-05-15 01:48 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-15 05:09 . 2009-05-15 05:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-15 05:05 . 2009-05-15 05:05 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-05-15 04:55 . 2009-05-15 04:55 0 ----a-w- c:\windows\nsreg.dat
2009-05-15 04:39 . 2009-05-15 04:39 -------- d-----w- c:\program files\ESET
2009-05-15 04:39 . 2009-05-15 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-05-15 04:20 . 2009-05-15 04:20 472576 ----a-w- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-05-15 04:20 . 2009-05-15 04:20 -------- d-----w- c:\program files\Radeon Omega Drivers
2009-05-15 02:59 . 2009-05-15 02:59 -------- d-----w- c:\program files\Innovative Solutions
2009-05-15 01:44 . 2009-05-15 01:44 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-13 19:32 . 2009-05-17 18:42 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Homie\Application Data\mjusbsp\cdloader2.exe" [2009-04-10 50520]
"Google Update"="c:\documents and settings\Homie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-13 2046120]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-30 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-06-01 1059720]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2006-02-22 344064]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-11-10 15473664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Eyeball Chat"="c:\program files\Eyeball Networks\Eyeball Chat\EyeballChat.exe" [2009-06-29 2666496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-10-12 439568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Homie\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Homie\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Homie\\Application Data\\mjusbsp\\magicJack.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/13/2009 1:07 PM 106208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2/13/2009 1:07 PM 727720]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-115176313-1644491937-1003Core.job
- c:\documents and settings\Homie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-05 23:20]

2009-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-115176313-1644491937-1003UA.job
- c:\documents and settings\Homie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-05 23:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverMax - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.17.0.cab
FF - ProfilePath - c:\documents and settings\Homie\Application Data\Mozilla\Firefox\Profiles\l83aqo37.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=13&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Homie\Application Data\Mozilla\Firefox\Profiles\l83aqo37.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Homie\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Homie\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-11 18:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3548)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\documents and settings\Homie\Application Data\mjusbsp\st00000\mjsetup.exe
c:\documents and settings\Homie\Application Data\mjusbsp\magicJack.exe
.
**************************************************************************
.
Completion time: 2009-07-11 18:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-11 22:24

Pre-Run: 62,210,297,856 bytes free
Post-Run: 62,136,934,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

376 --- E O F --- 2009-06-11 03:13

Hi again snouk,

The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case Azureus). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Back to the log

Combofix has done a nice job there. Just a bit to clean up.

Use Windows Explorer to find and delete these files:

c:\windows\DUMP4853.tmp
c:\windows\DUMP513c.tmp
c:\windows\DUMP60cd.tmp

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete

Next we need to check this file

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\ezsidmv.dat

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal

Thanks

http://virusscan.jotti.org/en/scanresult/8...12c2d532abf7454

What is this file?

That's a good question.

It doesn't seem to be a system file and it doesn't seem to be malware either.

Please click here

Copy/paste the topic URL and then this file:

c:\windows\system32\ezsidmv.dat

I will take a look at what it actually is.

It seems to be safe.

After you have submitted the file please run this scanner.

Please run a BitDefender Online Scan

• Click I Agree to agree to the EULA.
  
• Allow the ActiveX control to install when prompted.
  
• Click Click here to scan to begin the scan.
  
• Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  
• When the scan is finished, click on Click here to export the scan results.
  
• Save the report to your desktop so you can post it in your next reply.

Thanks

BitDefender Online Scanner







Scan report generated at: Sun, Jul 12, 2009 - 16:29:23









Scan path: C:\;D:\;F:\;G:\;















Statistics

Time


03:02:38

Files


427241

Folders


7853

Boot Sectors


0

Archives


3796

Packed Files


20007







Results

Identified Viruses


8

Infected Files


18

Suspect Files


0

Warnings


0

Disinfected


0

Deleted Files


18







Engines Info

Virus Definitions


3682988

Engine build


AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)

Scan plugins


17

Archive plugins


45

Unpack plugins


7

E-mail plugins


6

System plugins


4







Scan Settings

First Action


Disinfect

Second Action


Delete

Heuristics


Yes

Enable Warnings


Yes

Scanned Extensions


*;

Exclude Extensions




Scan Emails


Yes

Scan Archives


Yes

Scan Packed


Yes

Scan Files


Yes

Scan Boot


Yes








Scanned File


Status

C:\Documents and Settings\Homie\Desktop\Dans Installers\AutoClickers\AutoClickers\Adbux_Auto_Clicker.exe


Infected with: Trojan.Generic.1041161

C:\Documents and Settings\Homie\Desktop\Dans Installers\AutoClickers\AutoClickers\Adbux_Auto_Clicker.exe


Disinfection failed

C:\Documents and Settings\Homie\Desktop\Dans Installers\AutoClickers\AutoClickers\Adbux_Auto_Clicker.exe


Deleted

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5\snd-wintaskspro5.04.patch.rar=>snd-wintaskspro5.04.patch\patch.exe


Infected with: Backdoor.Agent.XN

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5\snd-wintaskspro5.04.patch.rar=>snd-wintaskspro5.04.patch\patch.exe


Deleted

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5\snd-wintaskspro5.04.patch.rar


Update failed

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5.rar=>wintasks5\snd-wintaskspro5.04.patch.rar=>snd-wintaskspro5.04.patch\patch.exe


Infected with: Backdoor.Agent.XN

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5.rar=>wintasks5\snd-wintaskspro5.04.patch.rar=>snd-wintaskspro5.04.patch\patch.exe


Deleted

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5.rar=>wintasks5\snd-wintaskspro5.04.patch.rar


Update failed

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5.rar=>wintasks5\WinTasks.zip=>WinTasks/patch.exe


Infected with: Backdoor.Agent.XN

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5.rar=>wintasks5\WinTasks.zip=>WinTasks/patch.exe


Deleted

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5.rar=>wintasks5\WinTasks.zip


Updated

C:\Documents and Settings\Homie\Desktop\Dans Installers\LIUtilities\wintasks5.rar


Update failed

C:\Documents and Settings\Homie\Desktop\Dans Installers\pc security tools\pc security tools\mbamsetup+keygen\mbamsetup+keygen\mbam-setup.exe


Infected with: Trojan.Generic.1451511

C:\Documents and Settings\Homie\Desktop\Dans Installers\pc security tools\pc security tools\mbamsetup+keygen\mbamsetup+keygen\mbam-setup.exe


Disinfection failed

C:\Documents and Settings\Homie\Desktop\Dans Installers\pc security tools\pc security tools\mbamsetup+keygen\mbamsetup+keygen\mbam-setup.exe


Deleted

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\OnOneSoftware\OnOne.PhotoFrame.Pro.v3.1.For.Photoshop.READ.NFO-BLADE\Crack\photoframe31-patch.exe


Infected with: Gen:Trojan.Heur.B2827D8282

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\OnOneSoftware\OnOne.PhotoFrame.Pro.v3.1.For.Photoshop.READ.NFO-BLADE\Crack\photoframe31-patch.exe


Disinfection failed

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\OnOneSoftware\OnOne.PhotoFrame.Pro.v3.1.For.Photoshop.READ.NFO-BLADE\Crack\photoframe31-patch.exe


Deleted

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\Sony-VEGAS Platinum\Sony-VEGAS Platinum\Patch\patch.exe


Infected with: Trojan.Generic.1697383

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\Sony-VEGAS Platinum\Sony-VEGAS Platinum\Patch\patch.exe


Deleted

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\Sony-VEGAS Platinum\Sony-VEGAS Platinum\Plugins\NewBlue FX\Art effects.exe


Detected with: Adware.Generic.64429

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\Sony-VEGAS Platinum\Sony-VEGAS Platinum\Plugins\NewBlue FX\Art effects.exe


Deleted

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\Sony-VEGAS Platinum\Sony-VEGAS Platinum\Plugins\NewBlue FX\Motion blends.exe


Detected with: Application.Generic.32141

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\Sony-VEGAS Platinum\Sony-VEGAS Platinum\Plugins\NewBlue FX\Motion blends.exe


Disinfection failed

C:\Documents and Settings\Homie\My Documents\Azureus Downloads\Sony-VEGAS Platinum\Sony-VEGAS Platinum\Plugins\NewBlue FX\Motion blends.exe


Deleted

C:\Program Installers\Sony-VEGAS Platinum.rar=>Sony-VEGAS Platinum\Patch\patch.exe


Infected with: Trojan.Generic.1697383

C:\Program Installers\Sony-VEGAS Platinum.rar=>Sony-VEGAS Platinum\Patch\patch.exe


Deleted

C:\Program Installers\Sony-VEGAS Platinum.rar


Update failed

C:\Program Installers\Sony-VEGAS Platinum.rar=>Sony-VEGAS Platinum\Plugins\NewBlue FX\Art effects.exe


Detected with: Adware.Generic.64429

C:\Program Installers\Sony-VEGAS Platinum.rar=>Sony-VEGAS Platinum\Plugins\NewBlue FX\Art effects.exe


Deleted

C:\Program Installers\Sony-VEGAS Platinum.rar


Update failed

C:\Program Installers\Sony-VEGAS Platinum.rar=>Sony-VEGAS Platinum\Plugins\NewBlue FX\Motion blends.exe


Detected with: Application.Generic.32141

C:\Program Installers\Sony-VEGAS Platinum.rar=>Sony-VEGAS Platinum\Plugins\NewBlue FX\Motion blends.exe


Disinfection failed

C:\Program Installers\Sony-VEGAS Platinum.rar=>Sony-VEGAS Platinum\Plugins\NewBlue FX\Motion blends.exe


Deleted

C:\Program Installers\Sony-VEGAS Platinum.rar


Update failed

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP20\A0026658.exe


Infected with: Backdoor.Agent.XN

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP20\A0026658.exe


Deleted

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP20\A0026660.exe


Infected with: Backdoor.Agent.XN

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP20\A0026660.exe


Deleted

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP68\A0104788.exe=>(RAR Sfx o)=>a1a1a-server.exe


Infected with: Backdoor.Generic.196044

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP68\A0104788.exe=>(RAR Sfx o)=>a1a1a-server.exe


Deleted

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP68\A0104788.exe=>(RAR Sfx o)


Update failed

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP93\A0114064.exe


Infected with: Trojan.Generic.1697383

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP93\A0114064.exe


Deleted

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP97\A0132655.exe


Infected with: Trojan.Generic.1041161

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP97\A0132655.exe


Disinfection failed

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP97\A0132655.exe


Deleted

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP97\A0132656.exe


Infected with: Trojan.Generic.1451511

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP97\A0132656.exe


Disinfection failed

C:\System Volume Information\_restore{4EE70F04-CF17-4183-ACA4-85EDD6961B1D}\RP97\A0132656.exe


Deleted

uploaded scan

Hi snouk,

Thanks for uploading the dat file. It is a very small file and is not malware. I will need to upload it myself to look at it in more detail to see what it actually is.

Next, the BitDefender log shows some signs of malware that had been hidden up until now.

Let's run a more agressive scanner.

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.
  
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  
• On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
    
  • Then click on the Scan button.
  
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.
  
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks

Malwarebytes' Anti-Malware 1.39
Database version: 2424
Windows 5.1.2600 Service Pack 3

7/13/2009 9:58:09 PM
mbam-log-2009-07-13 (21-58-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 174818
Time elapsed: 51 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{4ee70f04-cf17-4183-aca4-85edd6961b1d}\RP85\A0112076.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{4ee70f04-cf17-4183-aca4-85edd6961b1d}\RP85\A0112077.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{4ee70f04-cf17-4183-aca4-85edd6961b1d}\RP85\A0112078.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{4ee70f04-cf17-4183-aca4-85edd6961b1d}\RP85\A0112079.exe (Dont.Steal.Our.Software.A) -> Quarantined and deleted successfully.

Hi snouk,

The log was clean - only infections in the restore folder were found.

This means...

Good stuff! Your PC is clean

Let's firstly do some housekeeping

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

• Download OTC by OldTimer and save it to your desktop.
  
• Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  
• Then Click the big button.
  
• You will get a prompt saying "Being Cleanup Process". Please select Yes.
  
• Restart your computer when prompted.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.


Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  
• Then go to Start > Run and type: Cleanmgr
  
• Click "OK".
  
• Click the "More Options" Tab.
  
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it snouk, happy surfing!

Cheers,

m0le

Hmm thats it? Ok thanks a lot!

You're welcome snouk