Tigefeki.dll Virus Infection Help


  • This topic is locked
18 replies to this topic

#1 Gummi De Milo

Gummi De Milo

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 25 December 2008 - 09:31 AM

Hi, I recently had trouble with my computer not booting, pop-ups, and redirects in Firefox. Apparently I had a few viruses. I thought I had removed them all but I've noticed that this tigefeki.dll still seems to be there and I'm still getting some pop-ups and Avira alerts. I would much appreciate it if someone looked at my HiJackthis log. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:42 AM, on 12/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\emaudsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5bb7ee6b-8d2a-4580-af92-0a0eff91f6ea} - C:\WINDOWS\system32\kafawagi.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [9810266e] rundll32.exe "C:\WINDOWS\system32\fihiyota.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [pozoyalotu] Rundll32.exe "C:\WINDOWS\system32\tigefeki.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe"
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: map_printer.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1220570217765
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\bohupota.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--

Edited by Gummi De Milo, 25 December 2008 - 09:46 AM.



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:01 AM

Posted 03 January 2009 - 02:34 PM

Hi Gummi De Milo,

Sorry for the long delay; this forum is always a busy place and we do our best to keep up. Give me some time to look over your log and I will get back to you as soon as possible. If you no longer require my help, please let me know.

Thanks
Syler



#3 Gummi De Milo

Gummi De Milo
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 03 January 2009 - 08:44 PM

Thanks for the reply. Since the log, I've run Malwarebytes' Anti-Malware and thought I had removed it all, but recently my anti-virus has been alerting me of the Vundo trojan and it still seems to keep coming back no matter what I do. Here is a more recent HJT log.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\emaudsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MediaMonkey\MediaMonkey.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Mark\LOCALS~1\Temp\xpre.tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: map_printer.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1220570217765
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\bohupota.dll c:\windows\system32\yanulepi.dll ftpgxh.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
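As an added illustration (not part of the thread, and not HijackThis's own analysis): a small Python triage script that applies the patterns a helper reads off the two logs above, namely a populated AppInit_DLLs line, an unnamed BHO, and rundll32 Run entries loading random-looking DLLs from system32. The sample lines are constructed in the shape of the thread's entries, and the "random-looking" heuristic (6 to 10 lowercase letters) and severities are my own assumptions.

```python
"""Triage a HijackThis log for the Vundo-style persistence seen in this thread.

Heuristics (constructed for this example, not HijackThis's own logic):
  * O20 AppInit_DLLs populated              -> high (listed DLLs load into every process)
  * O2 BHO with "(no name)" + random DLL    -> high
  * O4 Run entry using rundll32 + random DLL -> high (randomized value name is noted)
  * R0/R1 start page on a non-Microsoft host -> review (often a toolbar; confirm with user)
"Random-looking" means a DLL stem of 6-10 lowercase letters, e.g. tigefeki.dll.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in the shape of the thread's HJT entries.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
O2 - BHO: (no name) - {5bb7ee6b-8d2a-4580-af92-0a0eff91f6ea} - C:\WINDOWS\system32\kafawagi.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [9810266e] rundll32.exe "C:\WINDOWS\system32\fihiyota.dll",b
O4 - HKLM\..\Run: [pozoyalotu] Rundll32.exe "C:\WINDOWS\system32\tigefeki.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: C:\WINDOWS\system32\bohupota.dll c:\windows\system32\yanulepi.dll ftpgxh.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
DLL_REF = re.compile(r'([^\\\s"]+)\.dll', re.IGNORECASE)   # stem of each DLL reference
RANDOM_STEM = re.compile(r"^[a-z]{6,10}$")                   # assumed "random name" shape
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")                      # e.g. the [9810266e] Run value
RUN_VALUE = re.compile(r"Run: \[([^\]]+)\]")
URL_AT_END = re.compile(r"= (\S+)$")


@dataclass
class Finding:
    code: str
    severity: str            # "high" or "review"
    reason: str
    line: str
    dlls: list = field(default_factory=list)


def parse_hjt(text):
    """Return (section code, body) for every HJT entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def random_dlls(body):
    """DLL stems on the line that look machine-generated (all lowercase, 6-10 letters)."""
    return [s for s in DLL_REF.findall(body) if RANDOM_STEM.match(s)]


def triage(text):
    findings = []
    for code, body in parse_hjt(text):
        rnd = random_dlls(body)
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():      # any value at all is worth a look
                findings.append(Finding(code, "high",
                    "AppInit_DLLs is populated: listed DLLs load into every user32 process",
                    body, rnd))
        elif code == "O2" and "(no name)" in body and rnd:
            findings.append(Finding(code, "high",
                f"unnamed BHO loads random-looking {rnd[0]}.dll", body, rnd))
        elif code == "O4" and "rundll32" in body.lower() and rnd:
            reason = f"rundll32 autorun loads random-looking {rnd[0]}.dll"
            m = RUN_VALUE.search(body)
            if m and (HEX_NAME.match(m.group(1)) or RANDOM_STEM.match(m.group(1))):
                reason += f" under randomized value name [{m.group(1)}]"
            findings.append(Finding(code, "high", reason, body, rnd))
        elif code in ("R0", "R1") and "Start Page" in body:
            m = URL_AT_END.search(body)
            host = urlparse(m.group(1)).hostname if m else None
            if host and not host.endswith("microsoft.com"):
                findings.append(Finding(code, "review",
                    f"start page points at third-party host {host}; confirm the user chose it",
                    body))
    return findings


def flagged_dlls(text):
    """Sorted, de-duplicated DLL stems named in high-severity findings."""
    return sorted({d for f in triage(text) if f.severity == "high" for d in f.dlls})


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.severity:6} {f.code:4} {f.reason}")
    print("DLLs to quarantine/submit:", ", ".join(flagged_dlls(SAMPLE_HJT_LOG)))
```

Legitimate rundll32 entries such as NvCpl.dll pass untouched because their stems are mixed case, which is exactly the gap a real analyst closes by checking file signatures and submission databases rather than names alone.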

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:01 AM

Posted 05 January 2009 - 05:26 AM

Hi Gummi De Milo,

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either AVG or Avira.

NEXT

Please update and run MalwareBytes Anti-Malware again.
  • Open MBAM and click the Update tab then click Check for updates.
  • Once the program has updated click the Scanner tab, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.
Please post back with the MBAM log and the two RSIT logs.

Thanks
Syler



#5 Gummi De Milo

Gummi De Milo
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 06 January 2009 - 01:56 PM

I had removed AVG when I installed Avira and it doesn't seem to be on there anymore. Anyway, here are the logs you asked for.

Malwarebytes' Anti-Malware 1.32
Database version: 1618
Windows 5.1.2600 Service Pack 3

1/5/2009 8:37:36 PM
mbam-log-2009-01-05 (20-37-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 179451
Time elapsed: 3 hour(s), 54 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{0A8DAD28-BAF6-4055-8AFC-EDFA85A865F8}\RP17\A0008934.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0A8DAD28-BAF6-4055-8AFC-EDFA85A865F8}\RP3\A0000223.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0A8DAD28-BAF6-4055-8AFC-EDFA85A865F8}\RP3\A0001225.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


info.txt logfile of random's system information tool 1.05 2009-01-06 12:52:30

======Uninstall list======

-->"C:\Program Files\Creative Professional\E-MU USB Audio\Program\SETUP.EXE" /S /U /W
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2CE8719B-0EA4-4911-A1EF-D9AAC800C53A}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2CE8719B-0EA4-4911-A1EF-D9AAC800C53A}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.7-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Call of Duty-->C:\PROGRA~1\CALLOF~1\Uninstall\Unwise.exe /u C:\PROGRA~1\CALLOF~1\Uninstall\Install.log
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Cisco Clean Access Agent-->MsiExec.exe /X{04010300-6D72-4D54-8686-91D884A27B5C}
Commandos 3 - Destination Berlin-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C270BC04-1540-4673-960F-A546B2C860CD}\SETUP.EXE"
COMODO Internet Security-->C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe -u
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Driver Sweeper 1.5.5-->"C:\Program Files\Driver Sweeper\unins000.exe"
E-MU USB Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1C99893D-BC98-4456-AA3E-B67AB42301A6}\SETUP.EXE" -l0x9 /remove
Guitar Pro 5.2-->"C:\Program Files\Guitar Pro 5\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® PRO Network Connections Drivers-->Prounstl.exe
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
K-Lite Codec Pack 4.2.5 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech MouseWare 9.79.1 -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 -l0009 UNINSTALL
Magic ISO Maker v5.5 (build 0272)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaMonkey 3.0-->"C:\Program Files\MediaMonkey\unins000.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
OpenOffice.org 2.4-->MsiExec.exe /I{2CD2C0DB-81C3-416B-9FA6-589B9235359B}
PartyPoker-->"C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
Power Tab Editor 1.7-->MsiExec.exe /I{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Rainlendar2 (remove only)-->"C:\Program Files\Rainlendar2\uninst.exe"
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Return to Castle Wolfenstein-->C:\PROGRA~1\RETURN~1\Uninstall\Unwise.exe /u C:\PROGRA~1\RETURN~1\Uninstall\Install.log
Rocket Jockey v1.1-->C:\Program Files\Games\RocketJockey\unins000.exe
Savage 2 - A Tortured Soul-->C:\Program Files\Games\Savage 2 - A Tortured Soul\uninstall.exe
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Songbird 1.0.0 (20081124)-->"C:\Program Files\Songbird\Songbird-Uninstall.exe"
Steinberg Cubase LE-->"C:\Program Files\Steinberg\Cubase LE\Uninstall.exe" "C:\Program Files\Steinberg\Cubase LE\Install.log"
The Weather Channel Desktop 6-->C:\Program Files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
Thief - Deadly Shadows-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC123EEA-330A-4685-911C-95B8F5E9DE68}\Setup.exe" -l0x9
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
WaveLab Lite-->"C:\Program Files\Steinberg\WaveLab Lite\Uninstall.exe" "C:\Program Files\Steinberg\WaveLab Lite\install.log"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wolfenstein - Enemy Territory-->C:\PROGRA~1\WOLFEN~1\Uninstall\Unwise.exe /u C:\PROGRA~1\WOLFEN~1\Uninstall\Install.log
Wolfram Mathematica 6-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B1494C3E-687F-4E4D-8038-D57154338D9D}
Wolfram Notebook Indexer 2.0-->MsiExec.exe /I{F9B2E82F-B10A-454E-B19B-735CFF6A5DD2}

======Security center information======

AV: Avira AntiVir PersonalEdition
FW: COMODO Firewall

System event log

Computer Name: FEINERRECLINER
Event Code: 9
Message: The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Record Number: 1766
Source Name: atapi
Time Written: 20081221232719.000000-360
Event Type: error
User:

Computer Name: FEINERRECLINER
Event Code: 9
Message: The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Record Number: 1765
Source Name: atapi
Time Written: 20081221232718.000000-360
Event Type: error
User:

Computer Name: FEINERRECLINER
Event Code: 9
Message: The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Record Number: 1764
Source Name: atapi
Time Written: 20081221232717.000000-360
Event Type: error
User:

Computer Name: FEINERRECLINER
Event Code: 9
Message: The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Record Number: 1763
Source Name: atapi
Time Written: 20081221232714.000000-360
Event Type: error
User:

Computer Name: FEINERRECLINER
Event Code: 9
Message: The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Record Number: 1762
Source Name: atapi
Time Written: 20081221232713.000000-360
Event Type: error
User:

Application event log

Computer Name: FEINERRECLINER
Event Code: 700
Message: MsnMsgr (768) Online defragmentation is beginning a full pass on database '\\.\C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Messenger\markfeiner@gmail.com\SharingMetadata\Working\database_3698_1066_9810_26C1\dfsr.db'.

Record Number: 3984
Source Name: ESENT
Time Written: 20081211200005.000000-360
Event Type: information
User:

Computer Name: FEINERRECLINER
Event Code: 701
Message: MsnMsgr (768) Online defragmentation has completed a full pass on database '\\.\C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Messenger\markfeiner@gmail.com\SharingMetadata\Working\database_3698_1066_9810_26C1\dfsr.db'.

Record Number: 3983
Source Name: ESENT
Time Written: 20081211190005.000000-360
Event Type: information
User:

Computer Name: FEINERRECLINER
Event Code: 700
Message: MsnMsgr (768) Online defragmentation is beginning a full pass on database '\\.\C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Messenger\markfeiner@gmail.com\SharingMetadata\Working\database_3698_1066_9810_26C1\dfsr.db'.

Record Number: 3982
Source Name: ESENT
Time Written: 20081211190005.000000-360
Event Type: information
User:

Computer Name: FEINERRECLINER
Event Code: 701
Message: MsnMsgr (768) Online defragmentation has completed a full pass on database '\\.\C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Messenger\markfeiner@gmail.com\SharingMetadata\Working\database_3698_1066_9810_26C1\dfsr.db'.

Record Number: 3981
Source Name: ESENT
Time Written: 20081211180005.000000-360
Event Type: information
User:

Computer Name: FEINERRECLINER
Event Code: 700
Message: MsnMsgr (768) Online defragmentation is beginning a full pass on database '\\.\C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Messenger\markfeiner@gmail.com\SharingMetadata\Working\database_3698_1066_9810_26C1\dfsr.db'.

Record Number: 3980
Source Name: ESENT
Time Written: 20081211180005.000000-360
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 6 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0604
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

Logfile of random's system information tool 1.05 (written by random/random)
Run by Mark at 2009-01-06 12:52:24
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 17 GB (7%) free of 234 GB
Total RAM: 2046 MB (74% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:27 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\emaudsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mark\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Mark.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: map_printer.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1220570217765
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\bohupota.dll c:\windows\system32\yanulepi.dll ftpgxh.dll C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6608 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\czzaicca.job
C:\WINDOWS\tasks\vxgbcjvz.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-21 136600]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-12-15 13680640]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-12-15 86016]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2009-01-03 1797880]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"Rainlendar2"=C:\Program Files\Rainlendar2\Rainlendar2.exe [2008-08-24 4067328]
"E-MU USB Audio Control Panel"=C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe [2006-11-17 274432]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9810266e]
C:\WINDOWS\system32\dadirova.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [2008-06-10 785520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pozoyalotu]
C:\WINDOWS\system32\tigefeki.dll []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
map_printer.bat
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Mark\Start Menu\Programs\Startup
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\bohupota.dll c:\windows\system32\yanulepi.dll ftpgxh.dll C:\WINDOWS\system32\guard32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\bohupota.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Wolfenstein - Enemy Territory\ET.exe"="C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET"
"D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\aclauncher.exe"="D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\aclauncher.exe:*:Enabled:AC Launcher"
"D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\acclient.exe"="D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\acclient.exe:*:Enabled:acclient"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Wolfram Research\Mathematica\6.0\Mathematica.exe"="C:\Program Files\Wolfram Research\Mathematica\6.0\Mathematica.exe:*:Enabled:Mathematica 6 for Students"
"C:\Program Files\Wolfram Research\Mathematica\6.0\MathKernel.exe"="C:\Program Files\Wolfram Research\Mathematica\6.0\MathKernel.exe:*:Enabled:Mathematica 6 for Students Kernel"
"C:\Program Files\Wolfram Research\Mathematica\6.0\math.exe"="C:\Program Files\Wolfram Research\Mathematica\6.0\math.exe:*:Enabled:math.exe"
"C:\Program Files\Games\RocketJockey\Jockey.exe"="C:\Program Files\Games\RocketJockey\Jockey.exe:*:Enabled:Multiplayer Rocket Jockey"
"C:\Program Files\Call of Duty\CoDMP.exe"="C:\Program Files\Call of Duty\CoDMP.exe:*:Enabled:CoDMP"
"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService"
"C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe"="C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe:*:Enabled:CCAAgent"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:explorer"
"C:\Program Files\Games\Savage 2 - A Tortured Soul\savage2.exe"="C:\Program Files\Games\Savage 2 - A Tortured Soul\savage2.exe:*:Enabled:savage2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f23baed6-d445-11dd-9036-001372105490}]
shell\AutoRun\command - H:\OblivionLauncher.exe


======List of files/folders created in the last 1 months======

2009-01-06 12:52:24 ----D---- C:\rsit
2009-01-03 22:45:39 ----D---- C:\Documents and Settings\All Users\Application Data\comodo
2009-01-03 22:45:38 ----A---- C:\WINDOWS\system32\guard32.dll
2009-01-03 22:45:37 ----D---- C:\Program Files\COMODO
2008-12-31 14:40:07 ----D---- C:\Documents and Settings\Mark\Application Data\Songbird2
2008-12-31 14:39:58 ----D---- C:\Documents and Settings\All Users\Application Data\SongbirdVLC
2008-12-31 14:39:42 ----D---- C:\Program Files\Songbird
2008-12-28 11:02:42 ----SHD---- C:\Config.Msi
2008-12-27 16:11:25 ----A---- C:\WINDOWS\BlendSettings.ini
2008-12-27 14:46:03 ----D---- C:\Program Files\Intel
2008-12-27 14:35:56 ----A---- C:\WINDOWS\system32\nvwrszht.dll
2008-12-27 14:35:56 ----A---- C:\WINDOWS\system32\nvrszht.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvwrszhc.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvwrstr.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvwrsth.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvrszhc.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvrstr.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvwrssv.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvwrssl.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvrsth.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvrssv.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvrssl.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvwrssk.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvwrsru.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvrssk.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvrsru.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvwrsptb.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvwrspt.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvrsptb.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvrspt.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvwrspl.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvwrsno.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvrspl.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvrsno.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvwrsnl.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvwrsko.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvrsnl.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvrsko.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvwrsja.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvwrsit.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvwrshu.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvrsja.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvrsit.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvrshu.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrshe.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrsfr.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrsfi.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrsesm.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrshe.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrsfr.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrsfi.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrsesm.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvwrses.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvwrseng.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvwrsel.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvrses.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvrseng.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvrsel.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvwrsde.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvwrsda.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvrsde.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvrsda.dll
2008-12-27 14:35:45 ----A---- C:\WINDOWS\system32\nvwrscs.dll
2008-12-27 14:35:45 ----A---- C:\WINDOWS\system32\nvrscs.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nwiz.exe
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvwrsar.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvwimg.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvwdmcpl.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvshell.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvrsar.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvcpluir.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvcplui.exe
2008-12-27 14:35:43 ----D---- C:\WINDOWS\nview
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvudisp.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nview.dll
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvdspsch.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvcolor.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvappbar.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\keystone.exe
2008-12-27 14:35:21 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2008-12-27 14:33:28 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-27 14:31:54 ----D---- C:\Program Files\Driver Sweeper
2008-12-27 13:57:22 ----A---- C:\h.txt
2008-12-27 12:42:08 ----D---- C:\Documents and Settings\Mark\Application Data\DAEMON Tools Pro
2008-12-27 12:42:08 ----D---- C:\Documents and Settings\Mark\Application Data\DAEMON Tools
2008-12-27 12:41:22 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2008-12-27 12:41:16 ----D---- C:\Program Files\DAEMON Tools Lite
2008-12-27 12:24:57 ----A---- C:\WINDOWS\system32\nvwssr.dll
2008-12-27 12:24:57 ----A---- C:\WINDOWS\system32\nvwss.dll
2008-12-27 12:24:56 ----A---- C:\WINDOWS\system32\nvwddi.dll
2008-12-27 12:24:55 ----A---- C:\WINDOWS\system32\nvvitvsr.dll
2008-12-27 12:24:55 ----A---- C:\WINDOWS\system32\nvvitvs.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvoglnt.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmoblsr.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmobls.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmctray.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccssr.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccss.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccsrs.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccs.dll
2008-12-27 12:24:52 ----A---- C:\WINDOWS\system32\nvgamesr.dll
2008-12-27 12:24:52 ----A---- C:\WINDOWS\system32\nvgames.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvdispsr.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvdisps.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcuda.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcpl.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcodins.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcod.dll
2008-12-27 12:24:50 ----A---- C:\WINDOWS\system32\nvsvc32.exe
2008-12-27 12:24:50 ----A---- C:\WINDOWS\system32\nvapi.dll
2008-12-27 12:24:50 ----A---- C:\WINDOWS\system32\nv4_disp.dll
2008-12-27 11:27:07 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2008-12-27 11:27:04 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2008-12-27 11:27:01 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2008-12-27 11:27:01 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2008-12-27 11:26:59 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2008-12-27 11:26:59 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2008-12-27 11:26:59 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2008-12-27 11:26:55 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2008-12-27 11:26:55 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2008-12-27 11:26:55 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2008-12-27 11:26:54 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2008-12-27 11:26:54 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-12-27 11:26:53 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-12-27 11:26:52 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2008-12-26 19:22:06 ----SHD---- C:\RECYCLER
2008-12-26 17:10:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-26 16:50:32 ----A---- C:\WINDOWS\zvatxvc.txt
2008-12-26 16:12:53 ----D---- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-12-26 16:11:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-25 08:21:18 ----D---- C:\Program Files\Trend Micro
2008-12-25 08:08:41 ----D---- C:\ComboFixx
2008-12-25 08:08:41 ----A---- C:\WINDOWS\system32\CF4889.exe
2008-12-24 21:49:05 ----D---- C:\Program Files\Avira
2008-12-24 21:49:05 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2008-12-24 21:46:11 ----A---- C:\ComboFix.txt
2008-12-24 21:40:26 ----SH---- C:\WINDOWS\system32\atoyihif.ini
2008-12-24 21:07:18 ----A---- C:\Boot.bak
2008-12-24 21:07:11 ----RASHD---- C:\cmdcons
2008-12-24 21:05:32 ----D---- C:\WINDOWS\ERDNT
2008-12-24 11:36:51 ----D---- C:\WINDOWS\pss
2008-12-23 23:32:04 ----D---- C:\Program Files\CCleaner
2008-12-23 18:15:43 ----D---- C:\Documents and Settings\Mark\Application Data\DAEMON Tools Lite
2008-12-23 17:47:43 ----A---- C:\WINDOWS\system32\CmdLineExt03.dll
2008-12-22 21:27:57 ----D---- C:\Program Files\Lavasoft
2008-12-22 21:27:56 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-22 21:27:36 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-22 20:35:42 ----D---- C:\Documents and Settings\Mark\Application Data\Apple Computer
2008-12-22 00:22:04 ----A---- C:\WINDOWS\system32\9333e210-.txt
2008-12-21 23:38:43 ----D---- C:\Program Files\iTunes
2008-12-21 23:37:56 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-12-21 23:37:00 ----D---- C:\Program Files\Apple Software Update
2008-12-21 23:36:22 ----D---- C:\Program Files\Common Files\Apple
2008-12-21 20:41:29 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-17 15:21:54 ----D---- C:\Program Files\Call of Duty
2008-12-17 15:21:07 ----A---- C:\WINDOWS\CoD.INI
2008-12-16 17:07:10 ----D---- C:\Program Files\Return to Castle Wolfenstein
2008-12-16 17:06:22 ----A---- C:\WINDOWS\Rtcw.INI
2008-12-16 14:08:20 ----D---- C:\Program Files\Eidos
2008-12-16 13:22:51 ----RHD---- C:\Documents and Settings\Mark\Application Data\SecuROM
2008-12-16 13:22:50 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
2008-12-11 15:58:19 ----D---- C:\Program Files\MSECache
2008-12-10 03:04:55 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-10 03:02:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 03:01:23 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-10 03:01:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 1 months======

2009-01-06 12:52:20 ----D---- C:\WINDOWS\Prefetch
2009-01-06 12:51:38 ----D---- C:\Program Files\Mozilla Firefox
2009-01-06 12:46:38 ----D---- C:\WINDOWS\Temp
2009-01-06 12:46:14 ----D---- C:\Documents and Settings\Mark\Application Data\OpenOffice.org2
2009-01-06 02:03:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-05 12:18:00 ----D---- C:\WINDOWS\system32\drivers
2009-01-05 00:26:00 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-03 22:45:38 ----D---- C:\WINDOWS\system32
2009-01-03 22:45:37 ----RD---- C:\Program Files
2009-01-03 12:40:27 ----D---- C:\WINDOWS
2009-01-02 21:22:56 ----D---- C:\Downloads
2009-01-01 23:25:13 ----D---- C:\Documents and Settings\Mark\Application Data\uTorrent
2009-01-01 16:27:35 ----D---- C:\WINDOWS\Minidump
2008-12-31 15:08:09 ----SHD---- C:\WINDOWS\Installer
2008-12-31 15:07:50 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-27 17:24:39 ----HD---- C:\WINDOWS\inf
2008-12-27 15:25:16 ----D---- C:\WINDOWS\system32\DirectX
2008-12-27 15:15:09 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-27 15:14:57 ----D---- C:\Program Files\Games
2008-12-27 14:51:13 ----D---- C:\Documents and Settings
2008-12-27 14:46:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-27 14:46:52 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-27 14:35:56 ----D---- C:\WINDOWS\Help
2008-12-27 13:56:45 ----D---- C:\DELL
2008-12-27 13:16:53 ----D---- C:\WINDOWS\Debug
2008-12-27 11:24:46 ----D---- C:\WINDOWS\WinSxS
2008-12-26 23:05:45 ----SD---- C:\Documents and Settings\Mark\Application Data\Microsoft
2008-12-26 23:03:56 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-26 16:06:26 ----HD---- C:\$AVG8.VAULT$
2008-12-25 08:20:05 ----RASH---- C:\boot.ini
2008-12-25 08:20:05 ----A---- C:\WINDOWS\win.ini
2008-12-25 08:20:05 ----A---- C:\WINDOWS\system.ini
2008-12-25 08:08:48 ----SHD---- C:\System Volume Information
2008-12-25 08:08:48 ----D---- C:\WINDOWS\system32\Restore
2008-12-24 21:36:48 ----D---- C:\WINDOWS\system32\config
2008-12-24 21:36:08 ----D---- C:\WINDOWS\AppPatch
2008-12-24 21:36:08 ----D---- C:\Program Files\Common Files
2008-12-23 23:18:07 ----SD---- C:\WINDOWS\Tasks
2008-12-21 23:38:22 ----D---- C:\Program Files\QuickTime
2008-12-21 20:41:22 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-21 20:41:22 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-21 20:41:22 ----A---- C:\WINDOWS\system32\java.exe
2008-12-21 20:41:19 ----D---- C:\Program Files\Java
2008-12-18 01:16:26 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-15 14:30:34 ----D---- C:\Program Files\Wolfenstein - Enemy Territory
2008-12-15 14:27:37 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2008-12-13 00:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-11 15:58:32 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-11 15:58:31 ----RSD---- C:\WINDOWS\Fonts
2008-12-11 15:58:28 ----D---- C:\Program Files\Microsoft Office
2008-12-10 03:04:02 ----D---- C:\Program Files\Internet Explorer
2008-12-09 15:46:23 ----D---- C:\Program Files\PartyGaming

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2009-01-03 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2009-01-03 31504]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-03-31 180736]
R3 emusba10;E-MU USB-Audio 1.0 Driver; C:\WINDOWS\system32\DRIVERS\emusba10.sys [2006-11-20 142208]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-12-17 25505]
R3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-12-17 37887]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-12-15 6209312]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 a5w9jz7n;a5w9jz7n; C:\WINDOWS\system32\drivers\a5w9jz7n.sys []
S3 catchme;catchme; \??\C:\ComboFixx\catchme.sys []
S3 cdrmkaun;cdrmkaun; \??\C:\DOCUME~1\Mark\LOCALS~1\Temp\cdrmkaun.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [2009-01-03 618232]
R2 emaudsv;E-MU Audio Service; C:\WINDOWS\system32\emaudsv.exe [2006-11-20 10240]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-21 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-12-15 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-09-06 66872]
R3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:01 AM

Posted 09 January 2009 - 08:01 AM

Hi Gummi De Milo,

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Java™ 6 Update 4
Java™ 6 Update 7
PartyPoker


Additional instructions can be found here if needed.

THEN

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please post back with C:\ComboFix.txt and a fresh RSIT log.

Thanks



#7 Gummi De Milo

Gummi De Milo
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 09 January 2009 - 03:32 PM

Here are the logs.

ComboFix 09-01-08.05 - Mark 2009-01-09 11:06:52.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1460 [GMT -6:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\install.exe
c:\windows\system32\~.exe
c:\windows\system32\atoyihif.ini
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-08 23:02 . 2009-01-08 23:02 <DIR> d-------- c:\program files\VideoLAN
2009-01-08 23:02 . 2009-01-08 23:02 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2009-01-08 23:02 . 2009-01-08 23:08 <DIR> d-------- c:\program files\Graboid
2009-01-06 12:52 . 2009-01-06 12:52 <DIR> d-------- C:\rsit
2009-01-03 22:45 . 2009-01-03 22:45 <DIR> d-------- c:\program files\COMODO
2009-01-03 22:45 . 2009-01-03 22:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2009-01-03 22:45 . 2009-01-03 22:45 147,192 --a------ c:\windows\system32\guard32.dll
2009-01-03 22:45 . 2009-01-03 22:45 101,776 --a------ c:\windows\system32\drivers\cmdguard.sys
2009-01-03 22:45 . 2009-01-03 22:45 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-12-31 14:40 . 2008-12-31 14:40 <DIR> d-------- c:\documents and settings\Mark\Application Data\Songbird2
2008-12-31 14:39 . 2008-12-31 14:49 <DIR> d-------- c:\program files\Songbird
2008-12-31 14:39 . 2008-12-31 14:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\SongbirdVLC
2008-12-27 16:11 . 2009-01-08 15:22 23 --a------ c:\windows\BlendSettings.ini
2008-12-27 14:46 . 2008-12-27 14:46 <DIR> d-------- c:\program files\Intel
2008-12-27 14:31 . 2008-12-27 14:34 <DIR> d-------- c:\program files\Driver Sweeper
2008-12-27 12:42 . 2008-12-27 12:42 <DIR> d-------- c:\documents and settings\Mark\Application Data\DAEMON Tools Pro
2008-12-27 12:42 . 2008-12-27 12:42 <DIR> d-------- c:\documents and settings\Mark\Application Data\DAEMON Tools
2008-12-27 12:41 . 2008-12-27 12:41 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-12-27 12:41 . 2008-12-27 12:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-27 12:24 . 2008-12-15 14:17 13,680,640 --a------ c:\windows\system32\nvcpl.dll
2008-12-27 11:27 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2008-12-27 11:27 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2008-12-27 11:27 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll
2008-12-27 11:27 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2008-12-26 23:00 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2008-12-26 22:59 . 2001-08-17 12:19 747,392 --a--c--- c:\windows\system32\dllcache\adm8830.sys
2008-12-26 22:58 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2008-12-26 22:58 . 2001-08-17 14:55 689,216 --a--c--- c:\windows\system32\dllcache\3dfxvs.dll
2008-12-26 22:58 . 2001-08-17 12:48 148,352 --a--c--- c:\windows\system32\dllcache\3dfxvsm.sys
2008-12-26 22:58 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2008-12-26 22:58 . 2008-04-13 13:46 53,376 --a--c--- c:\windows\system32\dllcache\1394bus.sys
2008-12-26 22:58 . 2001-08-17 14:06 11,264 --a--c--- c:\windows\system32\dllcache\1394vdbg.sys
2008-12-26 17:10 . 2009-01-05 12:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 17:10 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 17:10 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-26 16:50 . 2008-12-26 16:50 61,440 --a------ c:\windows\system32\drivers\jnpohwol.sys
2008-12-26 16:12 . 2008-12-26 16:12 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes
2008-12-26 16:11 . 2008-12-26 16:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-25 08:21 . 2008-12-25 08:21 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 08:08 . 2008-12-25 08:08 <DIR> d-------- C:\ComboFixx
2008-12-24 21:49 . 2008-12-24 21:49 <DIR> d-------- c:\program files\Avira
2008-12-24 21:49 . 2008-12-24 21:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-23 23:32 . 2008-12-23 23:32 <DIR> d-------- c:\program files\CCleaner
2008-12-23 18:15 . 2008-12-23 18:15 <DIR> d-------- c:\documents and settings\Mark\Application Data\DAEMON Tools Lite
2008-12-23 17:47 . 2008-12-27 12:43 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-12-23 16:49 . 2008-12-23 16:49 1 --a------ c:\windows\system32\za.dat
2008-12-22 21:27 . 2008-12-22 21:27 <DIR> d-------- c:\program files\Lavasoft
2008-12-22 21:27 . 2008-12-22 21:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-22 21:27 . 2008-12-22 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-22 20:35 . 2008-12-22 20:35 <DIR> d-------- c:\documents and settings\Mark\Application Data\Apple Computer
2008-12-21 23:38 . 2008-12-31 15:08 <DIR> d-------- c:\program files\iTunes
2008-12-21 23:37 . 2008-12-21 23:37 <DIR> d-------- c:\program files\Apple Software Update
2008-12-21 23:37 . 2008-12-21 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-21 23:36 . 2008-12-31 15:08 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-21 20:41 . 2008-12-21 20:41 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-17 15:21 . 2009-01-08 17:11 <DIR> d-------- c:\program files\Call of Duty
2008-12-17 15:21 . 2008-12-17 17:32 766 --a------ c:\windows\CoD.INI
2008-12-16 17:07 . 2008-12-16 17:12 <DIR> d-------- c:\program files\Return to Castle Wolfenstein
2008-12-16 17:06 . 2008-12-16 17:11 810 --a------ c:\windows\Rtcw.INI
2008-12-16 14:08 . 2008-12-16 14:08 <DIR> d-------- c:\program files\Eidos
2008-12-16 13:22 . 2008-12-16 13:22 <DIR> dr-h----- c:\documents and settings\Mark\Application Data\SecuROM
2008-12-16 13:22 . 2008-12-16 13:22 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-12-11 15:58 . 2008-12-11 15:58 <DIR> d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 17:12 --------- d-----w c:\documents and settings\Mark\Application Data\OpenOffice.org2
2009-01-09 17:00 --------- d-----w c:\program files\PartyGaming
2009-01-09 16:59 --------- d-----w c:\program files\Java
2009-01-07 17:48 --------- d-----w c:\documents and settings\Mark\Application Data\uTorrent
2008-12-27 21:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 21:14 --------- d-----w c:\program files\Games
2008-12-27 05:03 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-24 00:15 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-22 05:38 --------- d-----w c:\program files\QuickTime
2008-12-15 20:30 --------- d-----w c:\program files\Wolfenstein - Enemy Territory
2008-12-15 20:27 201,440 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-15 20:27 138,512 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-12 12:26 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-11-24 03:27 --------- d-----w c:\program files\MagicISO
2008-11-24 03:16 --------- d-----w c:\program files\Rosetta Stone
2008-11-23 18:46 --------- d-----w c:\program files\The Weather Channel FW
2008-11-18 01:01 --------- d-----w c:\program files\Guitar Pro 5
2008-11-15 00:03 --------- d-----w c:\program files\K-Lite Codec Pack
2008-11-10 04:31 --------- d-----w c:\program files\Common Files\xing shared
2008-11-10 04:31 --------- d-----w c:\program files\Common Files\Real
2008-11-10 04:30 --------- d-----w c:\program files\Real
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
1601-01-01 00:12 71,168 --sha-w c:\windows\system32\fevusota.dll
1601-01-01 00:12 71,168 --sha-w c:\windows\system32\jelulede.dll
1601-01-01 00:12 71,168 --sha-w c:\windows\system32\wumoyuvo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"E-MU USB Audio Control Panel"="c:\program files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe" [2006-11-17 274432]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-15 86016]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-03 1797880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2008-12-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\Mark\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 28672]
map_printer.bat [2008-09-07 144]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
--a------ 2008-06-10 16:18 785520 c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"d:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\aclauncher.exe"=
"d:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\acclient.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\Mathematica.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\MathKernel.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\math.exe"=
"c:\\Program Files\\Games\\RocketJockey\\Jockey.exe"=
"c:\\Program Files\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Cisco Systems\\Clean Access Agent\\CCAAgent.exe"=
"c:\\Program Files\\Games\\Savage 2 - A Tortured Soul\\savage2.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-01-03 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-01-03 31504]
R3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [2006-11-20 142208]
R4 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2006-11-20 10240]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Mark\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\Mark\LOCALS~1\Temp\cdrmkaun.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\czzaicca.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

2009-01-09 c:\windows\Tasks\vxgbcjvz.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-9810266e - c:\windows\system32\dadirova.dll
MSConfigStartUp-pozoyalotu - c:\windows\system32\tigefeki.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.daemonsearch.com/intl/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\deq7gjtp.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 11:12:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-09 14:27:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 20:27:19
ComboFix2.txt 2008-12-25 03:46:11

Pre-Run: 16,642,686,976 bytes free
Post-Run: 16,667,443,200 bytes free

228 --- E O F --- 2008-12-20 06:24:59

Logfile of random's system information tool 1.05 (written by random/random)
Run by Mark at 2009-01-09 14:28:20
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 16 GB (7%) free of 234 GB
Total RAM: 2046 MB (78% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:23 PM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\emaudsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mark\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Mark.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: map_printer.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1220570217765
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6769 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\czzaicca.job
C:\WINDOWS\tasks\vxgbcjvz.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-21 320920]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-12-15 13680640]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-12-15 86016]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2009-01-03 1797880]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-21 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"Rainlendar2"=C:\Program Files\Rainlendar2\Rainlendar2.exe [2008-08-24 4067328]
"E-MU USB Audio Control Panel"=C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe [2006-11-17 274432]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [2008-06-10 785520]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
map_printer.bat
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Mark\Start Menu\Programs\Startup
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Wolfenstein - Enemy Territory\ET.exe"="C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET"
"D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\aclauncher.exe"="D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\aclauncher.exe:*:Enabled:AC Launcher"
"D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\acclient.exe"="D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\acclient.exe:*:Enabled:acclient"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Wolfram Research\Mathematica\6.0\Mathematica.exe"="C:\Program Files\Wolfram Research\Mathematica\6.0\Mathematica.exe:*:Enabled:Mathematica 6 for Students"
"C:\Program Files\Wolfram Research\Mathematica\6.0\MathKernel.exe"="C:\Program Files\Wolfram Research\Mathematica\6.0\MathKernel.exe:*:Enabled:Mathematica 6 for Students Kernel"
"C:\Program Files\Wolfram Research\Mathematica\6.0\math.exe"="C:\Program Files\Wolfram Research\Mathematica\6.0\math.exe:*:Enabled:math.exe"
"C:\Program Files\Games\RocketJockey\Jockey.exe"="C:\Program Files\Games\RocketJockey\Jockey.exe:*:Enabled:Multiplayer Rocket Jockey"
"C:\Program Files\Call of Duty\CoDMP.exe"="C:\Program Files\Call of Duty\CoDMP.exe:*:Enabled:CoDMP"
"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService"
"C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe"="C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe:*:Enabled:CCAAgent"
"C:\Program Files\Games\Savage 2 - A Tortured Soul\savage2.exe"="C:\Program Files\Games\Savage 2 - A Tortured Soul\savage2.exe:*:Enabled:savage2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\wumoyuvo.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\jelulede.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\fevusota.dll
2009-01-09 14:27:23 ----A---- C:\ComboFix.txt
2009-01-09 11:02:47 ----A---- C:\WINDOWS\zip.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\VFIND.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\SWSC.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\SWREG.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\sed.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\NIRCMD.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\grep.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\fdsv.exe
2009-01-09 11:01:36 ----D---- C:\Qoobox
2009-01-08 23:02:54 ----D---- C:\Program Files\Mozilla ActiveX Control v1.7.12
2009-01-08 23:02:39 ----D---- C:\Program Files\VideoLAN
2009-01-08 23:02:38 ----D---- C:\Program Files\Graboid
2009-01-06 12:52:24 ----D---- C:\rsit
2009-01-03 22:45:39 ----D---- C:\Documents and Settings\All Users\Application Data\comodo
2009-01-03 22:45:38 ----A---- C:\WINDOWS\system32\guard32.dll
2009-01-03 22:45:37 ----D---- C:\Program Files\COMODO
2008-12-31 14:40:07 ----D---- C:\Documents and Settings\Mark\Application Data\Songbird2
2008-12-31 14:39:58 ----D---- C:\Documents and Settings\All Users\Application Data\SongbirdVLC
2008-12-31 14:39:42 ----D---- C:\Program Files\Songbird
2008-12-27 16:11:25 ----A---- C:\WINDOWS\BlendSettings.ini
2008-12-27 14:46:03 ----D---- C:\Program Files\Intel
2008-12-27 14:35:56 ----A---- C:\WINDOWS\system32\nvwrszht.dll
2008-12-27 14:35:56 ----A---- C:\WINDOWS\system32\nvrszht.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvwrszhc.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvwrstr.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvwrsth.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvrszhc.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvrstr.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvwrssv.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvwrssl.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvrsth.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvrssv.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvrssl.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvwrssk.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvwrsru.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvrssk.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvrsru.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvwrsptb.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvwrspt.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvrsptb.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvrspt.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvwrspl.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvwrsno.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvrspl.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvrsno.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvwrsnl.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvwrsko.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvrsnl.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvrsko.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvwrsja.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvwrsit.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvwrshu.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvrsja.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvrsit.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvrshu.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrshe.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrsfr.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrsfi.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrsesm.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrshe.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrsfr.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrsfi.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrsesm.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvwrses.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvwrseng.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvwrsel.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvrses.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvrseng.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvrsel.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvwrsde.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvwrsda.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvrsde.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvrsda.dll
2008-12-27 14:35:45 ----A---- C:\WINDOWS\system32\nvwrscs.dll
2008-12-27 14:35:45 ----A---- C:\WINDOWS\system32\nvrscs.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nwiz.exe
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvwrsar.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvwimg.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvwdmcpl.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvshell.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvrsar.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvcpluir.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvcplui.exe
2008-12-27 14:35:43 ----D---- C:\WINDOWS\nview
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvudisp.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nview.dll
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvdspsch.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvcolor.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvappbar.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\keystone.exe
2008-12-27 14:35:21 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2008-12-27 14:33:28 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-27 14:31:54 ----D---- C:\Program Files\Driver Sweeper
2008-12-27 13:57:22 ----A---- C:\h.txt
2008-12-27 12:42:08 ----D---- C:\Documents and Settings\Mark\Application Data\DAEMON Tools Pro
2008-12-27 12:42:08 ----D---- C:\Documents and Settings\Mark\Application Data\DAEMON Tools
2008-12-27 12:41:22 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2008-12-27 12:41:16 ----D---- C:\Program Files\DAEMON Tools Lite
2008-12-27 12:24:57 ----A---- C:\WINDOWS\system32\nvwssr.dll
2008-12-27 12:24:57 ----A---- C:\WINDOWS\system32\nvwss.dll
2008-12-27 12:24:56 ----A---- C:\WINDOWS\system32\nvwddi.dll
2008-12-27 12:24:55 ----A---- C:\WINDOWS\system32\nvvitvsr.dll
2008-12-27 12:24:55 ----A---- C:\WINDOWS\system32\nvvitvs.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvoglnt.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmoblsr.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmobls.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmctray.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccssr.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccss.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccsrs.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccs.dll
2008-12-27 12:24:52 ----A---- C:\WINDOWS\system32\nvgamesr.dll
2008-12-27 12:24:52 ----A---- C:\WINDOWS\system32\nvgames.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvdispsr.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvdisps.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcuda.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcpl.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcodins.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcod.dll
2008-12-27 12:24:50 ----A---- C:\WINDOWS\system32\nvsvc32.exe
2008-12-27 12:24:50 ----A---- C:\WINDOWS\system32\nvapi.dll
2008-12-27 12:24:50 ----A---- C:\WINDOWS\system32\nv4_disp.dll
2008-12-27 11:27:07 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2008-12-27 11:27:04 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2008-12-27 11:27:01 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2008-12-27 11:27:01 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2008-12-27 11:26:59 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2008-12-27 11:26:59 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2008-12-27 11:26:59 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2008-12-27 11:26:55 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2008-12-27 11:26:55 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2008-12-27 11:26:55 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2008-12-27 11:26:54 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2008-12-27 11:26:54 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-12-27 11:26:53 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-12-27 11:26:52 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2008-12-26 17:10:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-26 16:50:32 ----A---- C:\WINDOWS\zvatxvc.txt
2008-12-26 16:12:53 ----D---- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-12-26 16:11:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-25 08:21:18 ----D---- C:\Program Files\Trend Micro
2008-12-25 08:08:41 ----D---- C:\ComboFixx
2008-12-24 21:49:05 ----D---- C:\Program Files\Avira
2008-12-24 21:49:05 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2008-12-24 21:07:18 ----A---- C:\Boot.bak
2008-12-24 21:07:11 ----RASHD---- C:\cmdcons
2008-12-24 21:05:32 ----D---- C:\WINDOWS\ERDNT
2008-12-24 11:36:51 ----D---- C:\WINDOWS\pss
2008-12-23 23:32:04 ----D---- C:\Program Files\CCleaner
2008-12-23 18:15:43 ----D---- C:\Documents and Settings\Mark\Application Data\DAEMON Tools Lite
2008-12-23 17:47:43 ----A---- C:\WINDOWS\system32\CmdLineExt03.dll
2008-12-22 21:27:57 ----D---- C:\Program Files\Lavasoft
2008-12-22 21:27:56 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-22 21:27:36 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-22 20:35:42 ----D---- C:\Documents and Settings\Mark\Application Data\Apple Computer
2008-12-22 00:22:04 ----A---- C:\WINDOWS\system32\9333e210-.txt
2008-12-21 23:38:43 ----D---- C:\Program Files\iTunes
2008-12-21 23:37:56 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-12-21 23:37:00 ----D---- C:\Program Files\Apple Software Update
2008-12-21 23:36:22 ----D---- C:\Program Files\Common Files\Apple
2008-12-21 20:41:29 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-17 15:21:54 ----D---- C:\Program Files\Call of Duty
2008-12-17 15:21:07 ----A---- C:\WINDOWS\CoD.INI
2008-12-16 17:07:10 ----D---- C:\Program Files\Return to Castle Wolfenstein
2008-12-16 17:06:22 ----A---- C:\WINDOWS\Rtcw.INI
2008-12-16 14:08:20 ----D---- C:\Program Files\Eidos
2008-12-16 13:22:51 ----RHD---- C:\Documents and Settings\Mark\Application Data\SecuROM
2008-12-16 13:22:50 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
2008-12-11 15:58:19 ----D---- C:\Program Files\MSECache
2008-12-10 03:04:55 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-10 03:02:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 03:01:23 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-10 03:01:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 1 months======

2009-01-09 14:27:42 ----D---- C:\Program Files\Mozilla Firefox
2009-01-09 14:27:32 ----D---- C:\WINDOWS\Prefetch
2009-01-09 14:27:28 ----D---- C:\WINDOWS\Temp
2009-01-09 14:27:28 ----D---- C:\WINDOWS\system32\drivers
2009-01-09 14:27:28 ----D---- C:\WINDOWS\system32
2009-01-09 14:27:24 ----D---- C:\WINDOWS
2009-01-09 14:25:46 ----A---- C:\WINDOWS\system.ini
2009-01-09 11:12:22 ----D---- C:\Documents and Settings\Mark\Application Data\OpenOffice.org2
2009-01-09 11:10:13 ----D---- C:\WINDOWS\system32\config
2009-01-09 11:09:05 ----D---- C:\WINDOWS\AppPatch
2009-01-09 11:09:05 ----D---- C:\Program Files\Common Files
2009-01-09 11:06:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-09 11:00:13 ----D---- C:\Program Files\PartyGaming
2009-01-09 10:59:14 ----SHD---- C:\WINDOWS\Installer
2009-01-09 10:59:07 ----D---- C:\Program Files\Java
2009-01-08 23:02:54 ----RD---- C:\Program Files
2009-01-07 17:50:54 ----D---- C:\WINDOWS\Minidump
2009-01-07 11:48:20 ----D---- C:\Documents and Settings\Mark\Application Data\uTorrent
2009-01-07 00:27:59 ----D---- C:\Downloads
2009-01-05 00:26:00 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-31 15:07:50 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-27 17:24:39 ----HD---- C:\WINDOWS\inf
2008-12-27 15:25:16 ----D---- C:\WINDOWS\system32\DirectX
2008-12-27 15:15:09 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-27 15:14:57 ----D---- C:\Program Files\Games
2008-12-27 14:51:13 ----D---- C:\Documents and Settings
2008-12-27 14:46:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-27 14:46:52 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-27 14:35:56 ----D---- C:\WINDOWS\Help
2008-12-27 13:56:45 ----D---- C:\DELL
2008-12-27 13:16:53 ----D---- C:\WINDOWS\Debug
2008-12-27 11:24:46 ----D---- C:\WINDOWS\WinSxS
2008-12-26 23:05:45 ----SD---- C:\Documents and Settings\Mark\Application Data\Microsoft
2008-12-26 23:03:56 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-26 16:06:26 ----HD---- C:\$AVG8.VAULT$
2008-12-25 08:20:05 ----RASH---- C:\boot.ini
2008-12-25 08:20:05 ----A---- C:\WINDOWS\win.ini
2008-12-25 08:08:48 ----SHD---- C:\System Volume Information
2008-12-25 08:08:48 ----D---- C:\WINDOWS\system32\Restore
2008-12-23 23:18:07 ----SD---- C:\WINDOWS\Tasks
2008-12-21 23:38:22 ----D---- C:\Program Files\QuickTime
2008-12-21 20:41:22 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-21 20:41:22 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-21 20:41:22 ----A---- C:\WINDOWS\system32\java.exe
2008-12-18 01:16:26 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-15 14:30:34 ----D---- C:\Program Files\Wolfenstein - Enemy Territory
2008-12-15 14:27:37 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2008-12-13 00:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-11 15:58:32 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-12-11 15:58:31 ----RSD---- C:\WINDOWS\Fonts
2008-12-11 15:58:28 ----D---- C:\Program Files\Microsoft Office
2008-12-10 03:04:02 ----D---- C:\Program Files\Internet Explorer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2009-01-03 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2009-01-03 31504]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-03-31 180736]
R3 emusba10;E-MU USB-Audio 1.0 Driver; C:\WINDOWS\system32\DRIVERS\emusba10.sys [2006-11-20 142208]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-12-17 25505]
R3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-12-17 37887]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-12-15 6209312]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 au7jqarx;au7jqarx; C:\WINDOWS\system32\drivers\au7jqarx.sys []
S3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
S3 cdrmkaun;cdrmkaun; \??\C:\DOCUME~1\Mark\LOCALS~1\Temp\cdrmkaun.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [2009-01-03 618232]
R2 emaudsv;E-MU Audio Service; C:\WINDOWS\system32\emaudsv.exe [2006-11-20 10240]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-21 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-12-15 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-09-06 66872]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:57 PM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\emaudsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: map_printer.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1220570217765
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6759 bytes

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:01 AM

Posted 12 January 2009 - 02:28 PM

Hello Gummi De Milo,

Peer-to-Peer Programs Warning
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow users to share files among themselves, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

NEXT

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\fevusota.dll
c:\windows\system32\jelulede.dll
c:\windows\system32\wumoyuvo.dll
c:\windows\Tasks\czzaicca.job
c:\windows\Tasks\vxgbcjvz.job
C:\WINDOWS\system32\drivers\au7jqarx.sys

Driver:: 
au7jqarx

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please post back with C:\ComboFix.txt and a fresh RSIT log.


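As an added example (not code from this thread, from RSIT or from ComboFix), here is a Python triage pass over RSIT log lines in the format posted above. It flags the signals the helper acted on: timestamps that are not real dates, hidden+system files under system32, and driver entries that are loaded from a temp directory or have no recorded date/size. The sample lines are copied from the log above; the regexes, heuristics and function names are assumptions of this example.

```python
import re
from datetime import datetime

# RSIT "files/folders created|modified" line: <date> <time> ----<attrs>---- <path>
FILE_RE = re.compile(r"^(\S+) (\S+) -{4}([A-Z]*)-{4} (.+)$")
# RSIT driver line: <R|S><start> <name>;<description>; <path> [<date size>]
DRIVER_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[([^\]]*)\]$")

SYSTEM_DIRS = ("c:\\windows\\system32\\",)
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


def parse_file_entry(line):
    """Split one file line; ts is None when the stamp is not a real date."""
    m = FILE_RE.match(line)
    if not m:
        return None
    date, time, attrs, path = m.groups()
    try:
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        ts = None  # e.g. "65535-65535-31889 379:31889:443" in the log above
    return {"ts": ts, "raw_ts": f"{date} {time}", "attrs": set(attrs), "path": path}


def triage_file_entry(entry):
    """Return the reasons (possibly none) a file entry deserves a second look."""
    reasons = []
    path = entry["path"].lower()
    is_dir = "D" in entry["attrs"]
    if entry["ts"] is None:
        # A file whose recorded time cannot be parsed has had its metadata tampered with
        reasons.append(f"timestamp is not a valid date ({entry['raw_ts']})")
    if not is_dir and {"S", "H"} <= entry["attrs"] and path.startswith(SYSTEM_DIRS):
        # Legitimate system32 DLLs are rarely marked both hidden and system
        reasons.append("hidden+system attributes on a file under system32")
    return reasons


def parse_driver_entry(line):
    m = DRIVER_RE.match(line)
    if not m:
        return None
    state, start, name, desc, path, meta = m.groups()
    return {"state": state, "start": start, "name": name,
            "desc": desc, "path": path, "meta": meta}


def triage_driver_entry(entry):
    reasons = []
    path = entry["path"].lower()
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("driver image is loaded from a temp directory")
    if entry["meta"] == "":
        # RSIT prints [] when it could not stat the image: missing, locked or hidden
        reasons.append("no date/size recorded for the driver image")
    return reasons


def triage_rsit(text):
    """Walk an RSIT log; return [(path, [reasons...])] for every entry worth a look."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("======List of files/folders"):
            section = "files"
            continue
        if line.startswith("======List of drivers"):
            section = "drivers"
            continue
        if line.startswith("======"):
            section = None
            continue
        if section == "files":
            entry = parse_file_entry(line)
            if entry and (reasons := triage_file_entry(entry)):
                findings.append((entry["path"], reasons))
        elif section == "drivers":
            entry = parse_driver_entry(line)
            if entry and (reasons := triage_driver_entry(entry)):
                findings.append((entry["path"], reasons))
    return findings


# Constructed excerpt: a handful of lines copied from the RSIT log in this thread.
SAMPLE_LOG = r"""
======List of files/folders created in the last 1 months======

65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\wumoyuvo.dll
2009-01-03 22:45:38 ----A---- C:\WINDOWS\system32\guard32.dll
2008-12-25 08:20:05 ----RASH---- C:\boot.ini
2008-12-24 21:07:11 ----RASHD---- C:\cmdcons

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
S3 au7jqarx;au7jqarx; C:\WINDOWS\system32\drivers\au7jqarx.sys []
S3 cdrmkaun;cdrmkaun; \??\C:\DOCUME~1\Mark\LOCALS~1\Temp\cdrmkaun.sys []
"""

if __name__ == "__main__":
    for path, reasons in triage_rsit(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The heuristics only shortlist entries for a human to verify (a disabled legacy driver also shows `[]`); they do not decide by themselves what to delete.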

#9 Gummi De Milo

Gummi De Milo
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:01 PM

Posted 12 January 2009 - 03:43 PM

Here's the log

ComboFix 09-01-08.05 - Mark 2009-01-12 14:18:32.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1630 [GMT -6:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt
FW: COMODO Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\au7jqarx.sys
c:\windows\system32\fevusota.dll
c:\windows\system32\jelulede.dll
c:\windows\system32\wumoyuvo.dll
c:\windows\Tasks\czzaicca.job
c:\windows\Tasks\vxgbcjvz.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fevusota.dll
c:\windows\system32\jelulede.dll
c:\windows\system32\wumoyuvo.dll
c:\windows\Tasks\czzaicca.job
c:\windows\Tasks\vxgbcjvz.job

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-12 14:06 . 2009-01-12 14:16 <DIR> d-------- C:\QUARANTINE
2009-01-11 17:25 . 2009-01-11 17:25 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2009-01-11 17:25 . 2009-01-12 14:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-11 17:25 . 2006-11-17 03:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2009-01-11 17:25 . 2006-11-17 03:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2009-01-11 17:24 . 2009-01-12 14:17 <DIR> d-------- c:\program files\McAfee
2009-01-08 23:02 . 2009-01-12 14:03 <DIR> d-------- c:\program files\VideoLAN
2009-01-08 23:02 . 2009-01-08 23:02 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2009-01-08 23:02 . 2009-01-11 22:50 <DIR> d-------- c:\program files\Graboid
2009-01-06 12:52 . 2009-01-06 12:52 <DIR> d-------- C:\rsit
2009-01-03 22:45 . 2009-01-03 22:45 <DIR> d-------- c:\program files\COMODO
2009-01-03 22:45 . 2009-01-03 22:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2009-01-03 22:45 . 2009-01-03 22:45 147,192 --a------ c:\windows\system32\guard32.dll
2009-01-03 22:45 . 2009-01-03 22:45 101,776 --a------ c:\windows\system32\drivers\cmdguard.sys
2009-01-03 22:45 . 2009-01-03 22:45 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-12-31 14:40 . 2008-12-31 14:40 <DIR> d-------- c:\documents and settings\Mark\Application Data\Songbird2
2008-12-31 14:39 . 2008-12-31 14:49 <DIR> d-------- c:\program files\Songbird
2008-12-31 14:39 . 2008-12-31 14:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\SongbirdVLC
2008-12-27 16:11 . 2009-01-08 15:22 23 --a------ c:\windows\BlendSettings.ini
2008-12-27 14:46 . 2008-12-27 14:46 <DIR> d-------- c:\program files\Intel
2008-12-27 14:31 . 2008-12-27 14:34 <DIR> d-------- c:\program files\Driver Sweeper
2008-12-27 12:42 . 2008-12-27 12:42 <DIR> d-------- c:\documents and settings\Mark\Application Data\DAEMON Tools Pro
2008-12-27 12:42 . 2008-12-27 12:42 <DIR> d-------- c:\documents and settings\Mark\Application Data\DAEMON Tools
2008-12-27 12:41 . 2008-12-27 12:41 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-12-27 12:41 . 2008-12-27 12:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2008-12-27 12:24 . 2008-12-15 14:17 13,680,640 --a------ c:\windows\system32\nvcpl.dll
2008-12-27 11:27 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2008-12-27 11:27 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2008-12-27 11:27 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll
2008-12-27 11:27 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2008-12-26 23:00 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2008-12-26 22:59 . 2001-08-17 12:19 747,392 --a--c--- c:\windows\system32\dllcache\adm8830.sys
2008-12-26 22:58 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2008-12-26 22:58 . 2001-08-17 14:55 689,216 --a--c--- c:\windows\system32\dllcache\3dfxvs.dll
2008-12-26 22:58 . 2001-08-17 12:48 148,352 --a--c--- c:\windows\system32\dllcache\3dfxvsm.sys
2008-12-26 22:58 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2008-12-26 22:58 . 2008-04-13 13:46 53,376 --a--c--- c:\windows\system32\dllcache\1394bus.sys
2008-12-26 22:58 . 2001-08-17 14:06 11,264 --a--c--- c:\windows\system32\dllcache\1394vdbg.sys
2008-12-26 17:10 . 2009-01-05 12:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 17:10 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 17:10 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-26 16:50 . 2008-12-26 16:50 61,440 --a------ c:\windows\system32\drivers\jnpohwol.sys
2008-12-26 16:12 . 2008-12-26 16:12 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes
2008-12-26 16:11 . 2008-12-26 16:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-25 08:21 . 2008-12-25 08:21 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 08:08 . 2008-12-25 08:08 <DIR> d-------- C:\ComboFixx
2008-12-23 23:32 . 2008-12-23 23:32 <DIR> d-------- c:\program files\CCleaner
2008-12-23 18:15 . 2008-12-23 18:15 <DIR> d-------- c:\documents and settings\Mark\Application Data\DAEMON Tools Lite
2008-12-23 17:47 . 2008-12-27 12:43 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-12-23 16:49 . 2008-12-23 16:49 1 --a------ c:\windows\system32\za.dat
2008-12-22 21:27 . 2008-12-22 21:27 <DIR> d-------- c:\program files\Lavasoft
2008-12-22 21:27 . 2008-12-22 21:27 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-22 21:27 . 2008-12-22 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-22 20:35 . 2008-12-22 20:35 <DIR> d-------- c:\documents and settings\Mark\Application Data\Apple Computer
2008-12-21 23:38 . 2008-12-31 15:08 <DIR> d-------- c:\program files\iTunes
2008-12-21 23:37 . 2008-12-21 23:37 <DIR> d-------- c:\program files\Apple Software Update
2008-12-21 23:37 . 2008-12-21 23:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-21 23:36 . 2008-12-31 15:08 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-21 20:41 . 2008-12-21 20:41 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-17 15:21 . 2009-01-09 19:39 <DIR> d-------- c:\program files\Call of Duty
2008-12-17 15:21 . 2008-12-17 17:32 766 --a------ c:\windows\CoD.INI
2008-12-16 17:07 . 2008-12-16 17:12 <DIR> d-------- c:\program files\Return to Castle Wolfenstein
2008-12-16 17:06 . 2008-12-16 17:11 810 --a------ c:\windows\Rtcw.INI
2008-12-16 14:08 . 2008-12-16 14:08 <DIR> d-------- c:\program files\Eidos
2008-12-16 13:22 . 2008-12-16 13:22 <DIR> dr-h----- c:\documents and settings\Mark\Application Data\SecuROM
2008-12-16 13:22 . 2008-12-16 13:22 107,888 --a------ c:\windows\system32\CmdLineExt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 20:14 --------- d-----w c:\documents and settings\Mark\Application Data\OpenOffice.org2
2009-01-09 17:00 --------- d-----w c:\program files\PartyGaming
2009-01-09 16:59 --------- d-----w c:\program files\Java
2009-01-07 17:48 --------- d-----w c:\documents and settings\Mark\Application Data\uTorrent
2008-12-27 21:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 21:14 --------- d-----w c:\program files\Games
2008-12-27 05:03 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-24 00:15 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-22 05:38 --------- d-----w c:\program files\QuickTime
2008-12-15 20:30 --------- d-----w c:\program files\Wolfenstein - Enemy Territory
2008-12-15 20:27 201,440 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-15 20:27 138,512 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-12 12:26 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-11 21:58 --------- d-----w c:\program files\MSECache
2008-11-24 03:27 --------- d-----w c:\program files\MagicISO
2008-11-24 03:16 --------- d-----w c:\program files\Rosetta Stone
2008-11-23 18:46 --------- d-----w c:\program files\The Weather Channel FW
2008-11-18 01:01 --------- d-----w c:\program files\Guitar Pro 5
2008-11-15 00:03 --------- d-----w c:\program files\K-Lite Codec Pack
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_14.26.43.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-12 20:14:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_278.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"E-MU USB Audio Control Panel"="c:\program files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe" [2006-11-17 274432]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-15 86016]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-03 1797880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2008-12-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\Mark\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 28672]
map_printer.bat [2008-09-07 144]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2006-11-17 13:39 136768 c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"d:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\aclauncher.exe"=
"d:\\Program Files\\Turbine\\Asheron's Call - Throne of Destiny\\acclient.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\Mathematica.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\MathKernel.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\math.exe"=
"c:\\Program Files\\Games\\RocketJockey\\Jockey.exe"=
"c:\\Program Files\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Cisco Systems\\Clean Access Agent\\CCAAgent.exe"=
"c:\\Program Files\\Games\\Savage 2 - A Tortured Soul\\savage2.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-01-03 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-01-03 31504]
R3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [2006-11-20 142208]
R4 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2006-11-20 10240]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Mark\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\Mark\LOCALS~1\Temp\cdrmkaun.sys [?]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ShStatEXE - c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.daemonsearch.com/intl/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\deq7gjtp.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 14:21:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-12 14:22:46
ComboFix-quarantined-files.txt 2009-01-12 20:22:43
ComboFix2.txt 2009-01-09 20:27:23
ComboFix3.txt 2008-12-25 03:46:11

Pre-Run: 16,486,359,040 bytes free
Post-Run: 16,504,729,600 bytes free

209 --- E O F --- 2008-12-20 06:24:59

#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:01 AM

Posted 12 January 2009 - 04:06 PM

Please can you post a fresh RSIT log as well.

Thanks


#11 Gummi De Milo

  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:01 PM

Posted 12 January 2009 - 10:15 PM

Here you go

Logfile of random's system information tool 1.05 (written by random/random)
Run by Mark at 2009-01-12 21:14:17
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 15 GB (7%) free of 234 GB
Total RAM: 2046 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:24 PM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\emaudsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\MediaMonkey\MediaMonkey.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mark\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Mark.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [E-MU USB Audio Control Panel] "C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: map_printer.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1220570217765
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6818 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-21 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2006-11-30 67136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-12-15 13680640]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-12-15 86016]
"COMODO Internet Security"=C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [2009-01-03 1797880]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-21 136600]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2006-11-30 112216]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"Rainlendar2"=C:\Program Files\Rainlendar2\Rainlendar2.exe [2008-08-24 4067328]
"E-MU USB Audio Control Panel"=C:\Program Files\Creative Professional\E-MU USB Audio\E-MU USB Audio\EmuUsbAudioCP.exe [2006-11-17 274432]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-10 216520]
"DW6"=C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [2008-06-10 785520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2006-11-17 136768]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
map_printer.bat
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Mark\Start Menu\Programs\Startup
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Wolfenstein - Enemy Territory\ET.exe"="C:\Program Files\Wolfenstein - Enemy Territory\ET.exe:*:Enabled:ET"
"D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\aclauncher.exe"="D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\aclauncher.exe:*:Enabled:AC Launcher"
"D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\acclient.exe"="D:\Program Files\Turbine\Asheron's Call - Throne of Destiny\acclient.exe:*:Enabled:acclient"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Wolfram Research\Mathematica\6.0\Mathematica.exe"="C:\Program Files\Wolfram Research\Mathematica\6.0\Mathematica.exe:*:Enabled:Mathematica 6 for Students"
"C:\Program Files\Wolfram Research\Mathematica\6.0\MathKernel.exe"="C:\Program Files\Wolfram Research\Mathematica\6.0\MathKernel.exe:*:Enabled:Mathematica 6 for Students Kernel"
"C:\Program Files\Wolfram Research\Mathematica\6.0\math.exe"="C:\Program Files\Wolfram Research\Mathematica\6.0\math.exe:*:Enabled:math.exe"
"C:\Program Files\Games\RocketJockey\Jockey.exe"="C:\Program Files\Games\RocketJockey\Jockey.exe:*:Enabled:Multiplayer Rocket Jockey"
"C:\Program Files\Call of Duty\CoDMP.exe"="C:\Program Files\Call of Duty\CoDMP.exe:*:Enabled:CoDMP"
"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService"
"C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe"="C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe:*:Enabled:CCAAgent"
"C:\Program Files\Games\Savage 2 - A Tortured Soul\savage2.exe"="C:\Program Files\Games\Savage 2 - A Tortured Soul\savage2.exe:*:Enabled:savage2"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2009-01-12 14:32:29 ----D---- C:\Program Files\Common Files\McAfee
2009-01-12 14:22:47 ----A---- C:\ComboFix.txt
2009-01-12 14:17:40 ----SHD---- C:\Config.Msi
2009-01-12 14:06:20 ----D---- C:\QUARANTINE
2009-01-11 17:25:22 ----D---- C:\Program Files\Common Files\Cisco Systems
2009-01-11 17:25:22 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-01-11 17:25:22 ----A---- C:\WINDOWS\system32\epoPGPsdk.dll.sig
2009-01-11 17:25:22 ----A---- C:\WINDOWS\system32\epoPGPsdk.dll
2009-01-11 17:24:50 ----D---- C:\Program Files\McAfee
2009-01-09 14:32:48 ----SHD---- C:\RECYCLER
2009-01-09 11:02:47 ----A---- C:\WINDOWS\zip.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\VFIND.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\SWSC.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\SWREG.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\sed.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\NIRCMD.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\grep.exe
2009-01-09 11:02:47 ----A---- C:\WINDOWS\fdsv.exe
2009-01-09 11:01:36 ----D---- C:\Qoobox
2009-01-08 23:02:54 ----D---- C:\Program Files\Mozilla ActiveX Control v1.7.12
2009-01-08 23:02:39 ----D---- C:\Program Files\VideoLAN
2009-01-08 23:02:38 ----D---- C:\Program Files\Graboid
2009-01-06 12:52:24 ----D---- C:\rsit
2009-01-03 22:45:39 ----D---- C:\Documents and Settings\All Users\Application Data\comodo
2009-01-03 22:45:38 ----A---- C:\WINDOWS\system32\guard32.dll
2009-01-03 22:45:37 ----D---- C:\Program Files\COMODO
2008-12-31 14:40:07 ----D---- C:\Documents and Settings\Mark\Application Data\Songbird2
2008-12-31 14:39:58 ----D---- C:\Documents and Settings\All Users\Application Data\SongbirdVLC
2008-12-31 14:39:42 ----D---- C:\Program Files\Songbird
2008-12-27 16:11:25 ----A---- C:\WINDOWS\BlendSettings.ini
2008-12-27 14:46:03 ----D---- C:\Program Files\Intel
2008-12-27 14:35:56 ----A---- C:\WINDOWS\system32\nvwrszht.dll
2008-12-27 14:35:56 ----A---- C:\WINDOWS\system32\nvrszht.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvwrszhc.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvwrstr.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvwrsth.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvrszhc.dll
2008-12-27 14:35:55 ----A---- C:\WINDOWS\system32\nvrstr.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvwrssv.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvwrssl.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvrsth.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvrssv.dll
2008-12-27 14:35:54 ----A---- C:\WINDOWS\system32\nvrssl.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvwrssk.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvwrsru.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvrssk.dll
2008-12-27 14:35:53 ----A---- C:\WINDOWS\system32\nvrsru.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvwrsptb.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvwrspt.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvrsptb.dll
2008-12-27 14:35:52 ----A---- C:\WINDOWS\system32\nvrspt.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvwrspl.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvwrsno.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvrspl.dll
2008-12-27 14:35:51 ----A---- C:\WINDOWS\system32\nvrsno.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvwrsnl.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvwrsko.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvrsnl.dll
2008-12-27 14:35:50 ----A---- C:\WINDOWS\system32\nvrsko.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvwrsja.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvwrsit.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvwrshu.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvrsja.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvrsit.dll
2008-12-27 14:35:49 ----A---- C:\WINDOWS\system32\nvrshu.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrshe.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrsfr.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrsfi.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvwrsesm.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrshe.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrsfr.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrsfi.dll
2008-12-27 14:35:48 ----A---- C:\WINDOWS\system32\nvrsesm.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvwrses.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvwrseng.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvwrsel.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvrses.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvrseng.dll
2008-12-27 14:35:47 ----A---- C:\WINDOWS\system32\nvrsel.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvwrsde.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvwrsda.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvrsde.dll
2008-12-27 14:35:46 ----A---- C:\WINDOWS\system32\nvrsda.dll
2008-12-27 14:35:45 ----A---- C:\WINDOWS\system32\nvwrscs.dll
2008-12-27 14:35:45 ----A---- C:\WINDOWS\system32\nvrscs.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nwiz.exe
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvwrsar.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvwimg.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvwdmcpl.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvshell.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvrsar.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvcpluir.dll
2008-12-27 14:35:44 ----A---- C:\WINDOWS\system32\nvcplui.exe
2008-12-27 14:35:43 ----D---- C:\WINDOWS\nview
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvudisp.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nview.dll
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvdspsch.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvcolor.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\nvappbar.exe
2008-12-27 14:35:43 ----A---- C:\WINDOWS\system32\keystone.exe
2008-12-27 14:35:21 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2008-12-27 14:33:28 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-27 14:31:54 ----D---- C:\Program Files\Driver Sweeper
2008-12-27 13:57:22 ----A---- C:\h.txt
2008-12-27 12:42:08 ----D---- C:\Documents and Settings\Mark\Application Data\DAEMON Tools Pro
2008-12-27 12:42:08 ----D---- C:\Documents and Settings\Mark\Application Data\DAEMON Tools
2008-12-27 12:41:22 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2008-12-27 12:41:16 ----D---- C:\Program Files\DAEMON Tools Lite
2008-12-27 12:24:57 ----A---- C:\WINDOWS\system32\nvwssr.dll
2008-12-27 12:24:57 ----A---- C:\WINDOWS\system32\nvwss.dll
2008-12-27 12:24:56 ----A---- C:\WINDOWS\system32\nvwddi.dll
2008-12-27 12:24:55 ----A---- C:\WINDOWS\system32\nvvitvsr.dll
2008-12-27 12:24:55 ----A---- C:\WINDOWS\system32\nvvitvs.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvoglnt.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmoblsr.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmobls.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmctray.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccssr.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccss.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccsrs.dll
2008-12-27 12:24:53 ----A---- C:\WINDOWS\system32\nvmccs.dll
2008-12-27 12:24:52 ----A---- C:\WINDOWS\system32\nvgamesr.dll
2008-12-27 12:24:52 ----A---- C:\WINDOWS\system32\nvgames.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvdispsr.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvdisps.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcuda.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcpl.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcodins.dll
2008-12-27 12:24:51 ----A---- C:\WINDOWS\system32\nvcod.dll
2008-12-27 12:24:50 ----A---- C:\WINDOWS\system32\nvsvc32.exe
2008-12-27 12:24:50 ----A---- C:\WINDOWS\system32\nvapi.dll
2008-12-27 12:24:50 ----A---- C:\WINDOWS\system32\nv4_disp.dll
2008-12-27 11:27:07 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2008-12-27 11:27:04 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2008-12-27 11:27:01 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2008-12-27 11:27:01 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2008-12-27 11:26:59 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2008-12-27 11:26:59 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2008-12-27 11:26:59 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2008-12-27 11:26:58 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2008-12-27 11:26:57 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2008-12-27 11:26:56 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2008-12-27 11:26:55 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2008-12-27 11:26:55 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2008-12-27 11:26:55 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2008-12-27 11:26:54 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2008-12-27 11:26:54 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-12-27 11:26:53 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-12-27 11:26:52 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2008-12-26 17:10:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-26 16:50:32 ----A---- C:\WINDOWS\zvatxvc.txt
2008-12-26 16:12:53 ----D---- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-12-26 16:11:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-25 08:21:18 ----D---- C:\Program Files\Trend Micro
2008-12-25 08:08:41 ----D---- C:\ComboFixx
2008-12-24 21:07:18 ----A---- C:\Boot.bak
2008-12-24 21:07:11 ----RASHD---- C:\cmdcons
2008-12-24 21:05:32 ----D---- C:\WINDOWS\ERDNT
2008-12-24 11:36:51 ----D---- C:\WINDOWS\pss
2008-12-23 23:32:04 ----D---- C:\Program Files\CCleaner
2008-12-23 18:15:43 ----D---- C:\Documents and Settings\Mark\Application Data\DAEMON Tools Lite
2008-12-23 17:47:43 ----A---- C:\WINDOWS\system32\CmdLineExt03.dll
2008-12-22 21:27:57 ----D---- C:\Program Files\Lavasoft
2008-12-22 21:27:56 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-22 21:27:36 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-22 20:35:42 ----D---- C:\Documents and Settings\Mark\Application Data\Apple Computer
2008-12-22 00:22:04 ----A---- C:\WINDOWS\system32\9333e210-.txt
2008-12-21 23:38:43 ----D---- C:\Program Files\iTunes
2008-12-21 23:37:56 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-12-21 23:37:00 ----D---- C:\Program Files\Apple Software Update
2008-12-21 23:36:22 ----D---- C:\Program Files\Common Files\Apple
2008-12-21 20:41:29 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-17 15:21:54 ----D---- C:\Program Files\Call of Duty
2008-12-17 15:21:07 ----A---- C:\WINDOWS\CoD.INI
2008-12-16 17:07:10 ----D---- C:\Program Files\Return to Castle Wolfenstein
2008-12-16 17:06:22 ----A---- C:\WINDOWS\Rtcw.INI
2008-12-16 14:08:20 ----D---- C:\Program Files\Eidos
2008-12-16 13:22:51 ----RHD---- C:\Documents and Settings\Mark\Application Data\SecuROM
2008-12-16 13:22:50 ----A---- C:\WINDOWS\system32\CmdLineExt.dll

======List of files/folders modified in the last 1 months======

2009-01-12 20:38:11 ----D---- C:\Program Files\Mozilla Firefox
2009-01-12 19:11:57 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-12 16:49:17 ----D---- C:\WINDOWS\Temp
2009-01-12 14:34:19 ----SHD---- C:\WINDOWS\Installer
2009-01-12 14:34:18 ----D---- C:\WINDOWS
2009-01-12 14:32:40 ----D---- C:\WINDOWS\system32\drivers
2009-01-12 14:32:29 ----D---- C:\Program Files\Common Files
2009-01-12 14:22:51 ----D---- C:\WINDOWS\system32
2009-01-12 14:21:47 ----A---- C:\WINDOWS\system.ini
2009-01-12 14:20:37 ----D---- C:\WINDOWS\AppPatch
2009-01-12 14:18:55 ----SD---- C:\WINDOWS\Tasks
2009-01-12 14:18:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-12 14:14:38 ----D---- C:\Documents and Settings\Mark\Application Data\OpenOffice.org2
2009-01-12 14:12:37 ----RASH---- C:\boot.ini
2009-01-12 14:12:37 ----A---- C:\WINDOWS\win.ini
2009-01-12 14:11:20 ----D---- C:\WINDOWS\Prefetch
2009-01-11 17:24:50 ----RD---- C:\Program Files
2009-01-11 17:13:05 ----D---- C:\WINDOWS\Minidump
2009-01-09 11:10:13 ----D---- C:\WINDOWS\system32\config
2009-01-09 11:00:13 ----D---- C:\Program Files\PartyGaming
2009-01-09 10:59:07 ----D---- C:\Program Files\Java
2009-01-07 11:48:20 ----D---- C:\Documents and Settings\Mark\Application Data\uTorrent
2009-01-07 00:27:59 ----D---- C:\Downloads
2008-12-31 15:07:50 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-27 17:24:39 ----HD---- C:\WINDOWS\inf
2008-12-27 15:25:16 ----D---- C:\WINDOWS\system32\DirectX
2008-12-27 15:15:09 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-27 15:14:57 ----D---- C:\Program Files\Games
2008-12-27 14:51:13 ----D---- C:\Documents and Settings
2008-12-27 14:46:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-27 14:46:52 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-12-27 14:35:56 ----D---- C:\WINDOWS\Help
2008-12-27 13:56:45 ----D---- C:\DELL
2008-12-27 13:16:53 ----D---- C:\WINDOWS\Debug
2008-12-27 11:24:46 ----D---- C:\WINDOWS\WinSxS
2008-12-26 23:05:45 ----SD---- C:\Documents and Settings\Mark\Application Data\Microsoft
2008-12-26 23:03:56 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-12-26 16:06:26 ----HD---- C:\$AVG8.VAULT$
2008-12-25 08:08:48 ----SHD---- C:\System Volume Information
2008-12-25 08:08:48 ----D---- C:\WINDOWS\system32\Restore
2008-12-21 23:38:22 ----D---- C:\Program Files\QuickTime
2008-12-21 20:41:22 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-21 20:41:22 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-21 20:41:22 ----A---- C:\WINDOWS\system32\java.exe
2008-12-18 01:16:26 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-15 14:30:34 ----D---- C:\Program Files\Wolfenstein - Enemy Territory
2008-12-15 14:27:37 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2008-12-13 00:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 cmdGuard;COMODO Internet Security Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2009-01-03 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2009-01-03 31504]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2006-11-30 52136]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-03-31 180736]
R3 emusba10;E-MU USB-Audio 1.0 Driver; C:\WINDOWS\system32\DRIVERS\emusba10.sys [2006-11-20 142208]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-12-17 25505]
R3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-12-17 37887]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2006-11-30 64360]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2006-11-30 72264]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2006-11-30 34152]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2006-11-30 168776]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-12-15 6209312]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 ajueqfs2;ajueqfs2; C:\WINDOWS\system32\drivers\ajueqfs2.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 cdrmkaun;cdrmkaun; \??\C:\DOCUME~1\Mark\LOCALS~1\Temp\cdrmkaun.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [2009-01-03 618232]
R2 emaudsv;E-MU Audio Service; C:\WINDOWS\system32\emaudsv.exe [2006-11-20 10240]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-21 152984]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2006-11-17 104000]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe [2006-11-30 54872]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-12-15 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-09-06 66872]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------
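
The "List of drivers" and "List of services" sections above share one line shape, described by their legend: a state letter (R/S), a start type (0-4), the service name and display name separated by semicolons, the image path, and the file's date and size in square brackets. The following is an added triage helper, not part of RSIT, HijackThis or this thread; it parses that shape and flags the entries a responder would examine first: entries whose brackets are empty (the tool could not read a date or size, which means the file is gone or is not visible to the scanner) and entries whose image path sits under a Temp directory. The sample listing is constructed in the same format as the lines above; the flags only say "look here", they do not decide that an entry is malicious (a leftover registration from a removed tool produces empty brackets too).

```python
"""Triage helper for RSIT/HijackThis-style driver and service listings (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the "List of drivers" section:
#   <R|S><0-4> <name>;<display name>; <image path> [<yyyy-mm-dd> <size>]
SAMPLE_DRIVERS = r"""
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-12-15 6209312]
S3 ajueqfs2;ajueqfs2; C:\WINDOWS\system32\drivers\ajueqfs2.sys []
S3 cdrmkaun;cdrmkaun; \??\C:\DOCUME~1\Mark\LOCALS~1\Temp\cdrmkaun.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
"""

_LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?P<info>[^\]]*)\]$"
)


def parse_driver_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one listing line; return None for lines that are not entries."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    info = m.group("info").split()  # [] when the brackets are empty
    return {
        "running": m.group("state") == "R",
        "start": int(m.group("start")),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": m.group("path"),
        "date": info[0] if len(info) == 2 else None,
        "size": int(info[1]) if len(info) == 2 else None,
    }


def triage(listing: str) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for entries a responder should review first."""
    out: List[Tuple[str, List[str]]] = []
    for line in listing.splitlines():
        entry = parse_driver_line(line)
        if entry is None:
            continue
        reasons: List[str] = []
        if entry["size"] is None:
            # Empty brackets: the scanner could not stat the file. Either the
            # registration is stale or the file is hidden from the scanner.
            reasons.append("no_file_info")
        if re.search(r"\\temp\\", str(entry["path"]), re.IGNORECASE):
            # Kernel drivers loading from a user's Temp folder are unusual.
            reasons.append("temp_path")
        if reasons:
            out.append((entry["name"], reasons))
    return out


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DRIVERS):
        print(f"{name}: {', '.join(reasons)}")
```

Run on the sample it reports ajueqfs2 and IntelIde for missing file information and cdrmkaun for both reasons; the same function can be pointed at the service section, since the line shape is identical.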

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:01 AM

Posted 13 January 2009 - 02:50 PM

Hi :thumbsup:

We have got an entry that keeps reappearing so we will need to look a little deeper with a rootkit scan.

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.



#13 Gummi De Milo

Gummi De Milo
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 14 January 2009 - 09:36 PM

The download does not seem to be working, do you have somewhere else I can get it from?

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:01 AM

Posted 15 January 2009 - 07:58 AM

Hi,

That's strange, the link works for me; anyway, try either of these links.

http://majorgeeks.com/F-Secure_BlackLight_d5156.html

http://www.softpedia.com/get/Antivirus/F-S...Detection.shtml

Edited by syler, 15 January 2009 - 03:06 PM.



#15 Gummi De Milo

Gummi De Milo
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 17 January 2009 - 12:28 AM

Is this what you wanted?

01/16/09 23:15:12 [Info]: BlackLight Engine 2.2.1092 initialized
01/16/09 23:15:12 [Info]: OS: 5.1 build 2600 (Service Pack 3)
01/16/09 23:15:12 [Note]: 7019 4
01/16/09 23:15:12 [Note]: 7005 0
01/16/09 23:15:17 [Note]: 7006 0
01/16/09 23:15:17 [Note]: 7022 0
01/16/09 23:15:17 [Note]: 7011 976
01/16/09 23:15:17 [Note]: 7035 0
01/16/09 23:15:17 [Note]: 7026 0
01/16/09 23:15:17 [Note]: 7026 0
01/16/09 23:15:17 [Note]: FSRAW library version 1.7.1024
01/16/09 23:27:01 [Note]: 7007 0



