Browser redirect, regedit, and reboot problem. Please help.


  • This topic is locked
27 replies to this topic

#1 mumachine (Members, 17 posts)

Posted 15 April 2009 - 03:19 PM

Hello,

I'm having a spyware / malware problem that I don't know how to fix. I'm running Windows XP Service Pack 3. The symptoms are:

(1) My browser, either Internet Explorer or Firefox, is redirected.

(2) I can't run regedit either from the command line or by directly clicking on the executable. When I try to run regedit the screen flashes, all open programs close, and the machine resets to the same state as after bootup except with fewer programs running. This happens even in safe mode. I can execute other programs, just not regedit, using the run command line.

(3) My computer sometimes completely reboots when it should not.

I've scanned with McAfee Antivirus, Spybot Search and Destroy, Ad-Aware Anniversary Edition, and Malwarebytes Anti-Malware. These programs have all found nothing.

I do not know what else I can try and would greatly appreciate any help. My HijackThis log is as follows. Also, my computer was infected by Vundo a couple of months ago. I think I removed / disabled that infection, but there may be some remains of it showing in the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:40 PM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\matlab_sv13\webserver\bin\win32\matlabserver.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {343CED9E-A6BA-4B8E-B158-0330C005C5B2} - C:\WINDOWS\system32\pmnmmLFX.dll (file missing)
O2 - BHO: (no name) - {35CDB04B-5691-417A-84DA-8F39D529BD5B} - (no file)
O2 - BHO: (no name) - {51579589-3F8F-4D47-B469-1E2C0EA9D9BB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6ef417aa-15f2-415b-b52d-edbb8ddb711b} - C:\WINDOWS\system32\gktjxk.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163907851503
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O20 - AppInit_DLLs: gktjxk.dll
O20 - Winlogon Notify: nnnnOeCt - nnnnOeCt.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\matlab_sv13\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe

--
End of file - 7947 bytes

Thank you for your time and help!
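As an added example (not part of the original post, and not a feature of HijackThis), here is a small Python triage script that walks a HijackThis v2 log like the one above and flags the entries a helper would look at first: the O20 AppInit_DLLs and Winlogon Notify lines, and BHOs registered with "(no name)" whose file is missing. The sample input is constructed from the suspicious lines in the log above plus a few legitimate ones so the rules have something to leave alone; the consonant-run test for random-looking DLL names is a heuristic of this example, not a documented indicator.

```python
"""Flag persistence entries in a HijackThis v2 log that deserve a closer look.

Added example; it is not part of the original thread or of HijackThis itself.
"""
import re
from dataclasses import dataclass

# Constructed sample: suspicious lines copied from the log posted above,
# plus three legitimate entries (SDHelper, jusched, Ati2evxx) as controls.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {343CED9E-A6BA-4B8E-B158-0330C005C5B2} - C:\WINDOWS\system32\pmnmmLFX.dll (file missing)
O2 - BHO: (no name) - {35CDB04B-5691-417A-84DA-8F39D529BD5B} - (no file)
O2 - BHO: (no name) - {6ef417aa-15f2-415b-b52d-edbb8ddb711b} - C:\WINDOWS\system32\gktjxk.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O20 - AppInit_DLLs: gktjxk.dll
O20 - Winlogon Notify: nnnnOeCt - nnnnOeCt.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# "O2 - BHO: ..." -> section code "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
DLL_RE = re.compile(r"([\w~-]+\.dll)\b", re.IGNORECASE)
# Heuristic only: five or more consonants in a row (gktjxk, pmnmmLFX).
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{5,}", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def looks_machine_generated(filename: str) -> bool:
    """Weak signal: a long consonant run in the base name.  Legitimate files
    such as CTsvcCDA.EXE would trip this too, so triage() only uses it as a
    supporting reason on entries that are already flagged for another cause."""
    stem = filename.rsplit(".", 1)[0]
    return bool(CONSONANT_RUN.search(stem))


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth checking first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, "End of file" etc.
        sec, body = m.group("sec"), m.group("body")
        reasons: list[str] = []
        # O20 = AppInit_DLLs (loaded into every process that loads user32.dll)
        # and Winlogon Notify DLLs (loaded into winlogon.exe).  Both load in
        # safe mode too, so they are a natural place to look for something
        # that reacts to regedit.exe starting and survives a safe-mode boot.
        if sec == "O20":
            reasons.append("O20 load point (AppInit_DLLs / Winlogon Notify)")
        # A BHO registered with no name is the pattern left by Vundo-family
        # infections; a named BHO with a missing file is usually just an
        # uninstall that did not clean up after itself.
        elif sec == "O2" and "(no name)" in body:
            reasons.append("BHO registered with no name")
        if not reasons:
            continue
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("registered file not present on disk")
        dll = DLL_RE.search(body)
        if dll and looks_machine_generated(dll.group(1)):
            reasons.append(f"DLL name '{dll.group(1)}' looks machine-generated")
        findings.append(Finding(sec, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. Two caveats: HijackThis reports what the registry says is registered, not what is on disk or what is hooked in memory, so "(file missing)" means only that the file is not visible at that path, and a rootkit scan (as requested later in the thread) is the way to confirm it is really absent; and the name heuristic is there to order the list, not to decide anything on its own.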

#2 fenzodahl512 (Members, 6,738 posts)

Posted 16 April 2009 - 12:50 AM

Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post these logs in your next reply. Post each log in a separate post.

1. RSIT log.txt
2. RSIT info.txt
3. Attach GMER result..



#3 mumachine (Topic Starter, Members, 17 posts)

Posted 17 April 2009 - 08:57 PM

fenzodahl512, thanks for the reply.

The contents of the RSIT.exe log.txt file are as follows:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Keith Bourne at 2009-04-17 14:56:38
Microsoft Windows XP Professional Service Pack 3
System drive C: has 27 GB (18%) free of 153 GB
Total RAM: 2046 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:49 PM, on 4/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\matlab_sv13\webserver\bin\win32\matlabserver.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Keith Bourne\Desktop\RSIT.exe
C:\HiJackThis\Keith Bourne.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {343CED9E-A6BA-4B8E-B158-0330C005C5B2} - C:\WINDOWS\system32\pmnmmLFX.dll (file missing)
O2 - BHO: (no name) - {35CDB04B-5691-417A-84DA-8F39D529BD5B} - (no file)
O2 - BHO: (no name) - {51579589-3F8F-4D47-B469-1E2C0EA9D9BB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6ef417aa-15f2-415b-b52d-edbb8ddb711b} - C:\WINDOWS\system32\gktjxk.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163907851503
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O20 - AppInit_DLLs: gktjxk.dll
O20 - Winlogon Notify: nnnnOeCt - nnnnOeCt.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\matlab_sv13\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe

--
End of file - 7947 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{343CED9E-A6BA-4B8E-B158-0330C005C5B2}]
C:\WINDOWS\system32\pmnmmLFX.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35CDB04B-5691-417A-84DA-8F39D529BD5B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51579589-3F8F-4D47-B469-1E2C0EA9D9BB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6ef417aa-15f2-415b-b52d-edbb8ddb711b}]
C:\WINDOWS\system32\gktjxk.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"=C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe [2003-09-17 57344]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"ShStatEXE"=C:\Program Files\N [2009-04-12 9216]
"McAfeeUpdaterUI"=C:\Program Files\N [2009-04-12 9216]
"Network Associates Error Reporting Service"=C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe [2003-10-07 147514]
"type32"=C:\Program Files\Microsoft IntelliType Pro\type32.exe [2004-06-03 172032]
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe [2002-09-10 368706]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-04-08 515416]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-29 61440]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cc9b7c5f]
C:\WINDOWS\system32\kmykpjmj.dll,b []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2004-04-26 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2006-02-23 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll,P17Helper []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-04-19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~3\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Keith Bourne^Start Menu^Programs^Startup^Indigo Prophecy Registration.lnk]
C:\WINDOWS\INSTAL~1\MSI12.tmp [2005-12-20 11128832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="gktjxk.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-01-05 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnnOeCt]
nnnnOeCt.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\pmnmmLFX

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Valve\Steam\Steam.exe"="C:\Program Files\Valve\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\Valve\Steam\SteamApps\kbourne2\half-life 2\hl2.exe"="C:\Program Files\Valve\Steam\SteamApps\kbourne2\half-life 2\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Sierra\FEAR\fpupdate.exe"="C:\Program Files\Sierra\FEAR\fpupdate.exe:*:Enabled:fpupdate"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:Framework Service"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\National Instruments\LabVIEW 7.1\LabVIEW.exe"="C:\Program Files\National Instruments\LabVIEW 7.1\LabVIEW.exe:*:Enabled:LabVIEW 7.1.1 Development System"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Wolfram Research\Mathematica\5.2\Mathematica.exe"="C:\Program Files\Wolfram Research\Mathematica\5.2\Mathematica.exe:*:Enabled:Mathematica 5.2 for Students"
"C:\Program Files\Wolfram Research\Mathematica\5.2\MathKernel.exe"="C:\Program Files\Wolfram Research\Mathematica\5.2\MathKernel.exe:*:Enabled:Mathematica 5.2 for Students Kernel"
"C:\Program Files\Wolfram Research\Mathematica\5.2\math.exe"="C:\Program Files\Wolfram Research\Mathematica\5.2\math.exe:*:Enabled:math.exe"
"C:\Program Files\Valve\Steam\SteamApps\common\fear2\FEAR2.exe"="C:\Program Files\Valve\Steam\SteamApps\common\fear2\FEAR2.exe:*:Enabled:F.E.A.R. 2: Project Origin"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe660fe6-98fc-11db-9fe1-001143ca9816}]
shell\AutoRun\command - F:\LaunchU3.exe


======List of files/folders created in the last 3 months======

2009-04-17 14:56:38 ----D---- C:\rsit
2009-04-17 09:08:06 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-17 09:07:59 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-17 09:05:41 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-17 09:05:24 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-17 09:05:13 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-17 01:51:55 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-17 01:44:44 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-04-14 18:00:40 ----D---- C:\HiJackThis
2009-04-13 01:28:18 ----D---- C:\SDFix
2009-04-13 01:17:30 ----D---- C:\Avenger
2009-04-12 18:38:52 ----D---- C:\Documents and Settings\Keith Bourne\Application Data\Malwarebytes
2009-04-12 18:38:46 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-12 18:38:45 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-07 18:24:38 ----D---- C:\Program Files\Tomb Raider - Legend
2009-04-03 22:37:25 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-03 22:37:25 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-03 22:37:25 ----A---- C:\WINDOWS\system32\java.exe
2009-03-28 16:04:25 ----D---- C:\AFM Files
2009-03-28 15:36:09 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2009-03-28 15:36:09 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2009-03-28 15:36:09 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2009-03-28 15:36:06 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2009-03-28 15:36:04 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2009-03-28 15:36:04 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2009-03-28 15:36:03 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2009-03-28 15:36:02 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2009-03-28 15:35:42 ----D---- C:\WINDOWS\Logs
2009-03-27 21:26:21 ----D---- C:\Documents and Settings\Keith Bourne\Application Data\ATI
2009-03-27 21:26:21 ----D---- C:\Documents and Settings\All Users\Application Data\ATI
2009-03-27 21:21:48 ----D---- C:\Program Files\Common Files\ATI Technologies
2009-03-27 21:20:46 ----N---- C:\WINDOWS\system32\ati2sgag.exe
2009-03-27 21:20:43 ----RA---- C:\WINDOWS\system32\ATIODE.exe.manifest
2009-03-27 21:20:43 ----RA---- C:\WINDOWS\system32\ATIODCLI.exe.manifest
2009-03-27 21:20:43 ----RA---- C:\WINDOWS\system32\atiiiexx.dll
2009-03-27 21:20:38 ----RA---- C:\WINDOWS\system32\ATIDEMGX.dll
2009-03-27 21:20:15 ----D---- C:\Program Files\ATI Technologies
2009-03-27 21:11:18 ----A---- C:\WINDOWS\WININIT.INI
2009-03-10 20:37:05 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-10 20:36:59 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-03-10 20:36:51 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-02-25 08:41:33 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-12 21:37:57 ----D---- C:\Documents and Settings\Keith Bourne\Application Data\Mozilla
2009-02-12 19:44:57 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-12 09:31:03 ----D---- C:\VundoFix Backups
2009-02-10 18:48:29 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-10 18:33:52 ----A---- C:\WINDOWS\system32\lsdelete.exe
2009-02-10 14:56:56 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-02-10 14:56:16 ----HDC---- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-10 14:55:57 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-02-10 02:44:08 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-02-10 02:44:08 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2009-02-10 02:44:07 ----D---- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-10 02:44:04 ----D---- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2009-02-09 23:04:56 ----A---- C:\WINDOWS\system32\c7b8b821-.txt

======List of files/folders modified in the last 3 months======

2009-04-17 14:56:25 ----D---- C:\WINDOWS\Prefetch
2009-04-17 14:54:29 ----D---- C:\WINDOWS\Temp
2009-04-17 14:54:04 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-04-17 09:26:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-17 09:13:51 ----D---- C:\WINDOWS\SYSTEM32
2009-04-17 09:13:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-17 09:10:18 ----D---- C:\WINDOWS
2009-04-17 09:09:32 ----D---- C:\WINDOWS\system32\WBEM
2009-04-17 09:08:10 ----HD---- C:\WINDOWS\INF
2009-04-17 09:08:09 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2009-04-17 09:08:02 ----A---- C:\WINDOWS\imsins.BAK
2009-04-17 09:07:45 ----D---- C:\WINDOWS\system32\en-US
2009-04-17 09:07:45 ----D---- C:\Program Files\Internet Explorer
2009-04-17 09:07:24 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-17 09:05:34 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-17 09:01:06 ----D---- C:\WINDOWS\AppPatch
2009-04-14 22:33:00 ----RASH---- C:\BOOT.INI
2009-04-14 22:33:00 ----A---- C:\WINDOWS\WIN.INI
2009-04-14 22:33:00 ----A---- C:\WINDOWS\SYSTEM.INI
2009-04-14 08:56:21 ----SHD---- C:\System Volume Information
2009-04-14 08:56:21 ----D---- C:\WINDOWS\system32\Restore
2009-04-13 15:47:24 ----D---- C:\WINDOWS\pss
2009-04-13 01:17:30 ----RD---- C:\Program Files
2009-04-13 01:17:30 ----D---- C:\WINDOWS\system32\DRIVERS
2009-04-08 02:29:42 ----D---- C:\WINDOWS\system32\FxsTmp
2009-04-06 09:57:24 ----A---- C:\WINDOWS\system32\MRT.exe
2009-04-03 22:38:21 ----SHD---- C:\WINDOWS\Installer
2009-04-03 22:37:23 ----D---- C:\Program Files\Java
2009-04-03 22:33:59 ----HD---- C:\Program Files\InstallShield Installation Information
2009-04-03 20:45:00 ----D---- C:\WINDOWS\Minidump
2009-04-02 02:50:34 ----A---- C:\WINDOWS\caligari.ini
2009-03-28 15:36:10 ----D---- C:\WINDOWS\system32\DirectX
2009-03-27 21:26:24 ----D---- C:\WINDOWS\system32\CONFIG
2009-03-27 21:23:34 ----RSD---- C:\WINDOWS\ASSEMBLY
2009-03-27 21:23:26 ----D---- C:\WINDOWS\WinSxS
2009-03-27 21:21:48 ----D---- C:\Program Files\Common Files
2009-03-27 21:20:32 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-27 01:01:43 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-24 22:52:39 ----D---- C:\V530r2
2009-03-21 23:17:31 ----A---- C:\WINDOWS\matlab.ini
2009-03-21 09:06:58 ----A---- C:\WINDOWS\system32\kernel32.dll
2009-03-19 02:05:33 ----D---- C:\Documents and Settings\Keith Bourne\Application Data\Command & Conquer 3 Tiberium Wars
2009-03-09 05:19:08 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-06 09:22:18 ----A---- C:\WINDOWS\system32\pdh.dll
2009-03-02 19:18:25 ----A---- C:\WINDOWS\system32\wininet.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\webcheck.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\url.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\pngfilt.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\occache.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\mstime.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\msrating.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\mshtmled.dll
2009-02-20 13:09:38 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-02-20 13:09:37 ----A---- C:\WINDOWS\system32\iernonce.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\ieaksie.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\ieakeng.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\icardie.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\extmgr.dll
2009-02-20 13:09:36 ----A---- C:\WINDOWS\system32\dxtrans.dll
2009-02-20 13:09:35 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2009-02-20 13:09:35 ----A---- C:\WINDOWS\system32\advpack.dll
2009-02-20 05:20:49 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-02-20 05:20:49 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-02-20 00:14:12 ----A---- C:\WINDOWS\system32\ieakui.dll
2009-02-10 14:55:57 ----D---- C:\Program Files\Lavasoft
2009-02-10 12:23:02 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-09 23:05:06 ----D---- C:\quarantine
2009-02-09 07:10:49 ----A---- C:\WINDOWS\system32\lsasrv.dll
2009-02-09 07:10:48 ----A---- C:\WINDOWS\system32\rpcss.dll
2009-02-09 07:10:48 ----A---- C:\WINDOWS\system32\ntdll.dll
2009-02-09 07:10:48 ----A---- C:\WINDOWS\system32\advapi32.dll
2009-02-06 06:11:05 ----A---- C:\WINDOWS\system32\services.exe
2009-02-06 06:06:41 ----A---- C:\WINDOWS\system32\ntoskrnl.exe
2009-02-06 05:39:08 ----A---- C:\WINDOWS\system32\sc.exe
2009-02-06 05:32:56 ----A---- C:\WINDOWS\system32\ntkrnlpa.exe
2009-02-03 14:59:07 ----A---- C:\WINDOWS\system32\secur32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 NaiAvTdi1;NaiAvTdi1; C:\WINDOWS\system32\drivers\mvstdi5x.sys [2007-11-26 59904]
R2 cvintdrv;cvintdrv; C:\WINDOWS\system32\drivers\cvintdrv.sys [2003-07-29 7140]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-01-05 3452928]
R3 AtiHdmiService;ATI Function Driver for HDMI Service; C:\WINDOWS\system32\drivers\AtiHdmi.sys [2009-01-05 93184]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-05-29 186112]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 EntDrv51;EntDrv51; \??\C:\WINDOWS\system32\drivers\EntDrv51.sys []
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2005-02-02 14408]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NaiAvFilter1;NaiAvFilter1; C:\WINDOWS\system32\drivers\naiavf5x.sys [2007-11-26 117024]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P17;Sound Blaster Live! 24-bit; C:\WINDOWS\system32\drivers\P17.sys [2004-06-09 840960]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2003-05-14 10144]
R3 WmFilter;Logitech WingMan HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2003-05-14 21216]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2003-05-14 44288]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 gkmixern;gkmixern; \??\C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\gkmixern.sys []
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2003-05-14 5728]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-01-05 598016]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-13 44032]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-08 951632]
R2 matlabserver;MATLAB Server; C:\matlab_sv13\webserver\bin\win32\matlabserver.exe [2002-06-18 503808]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\N [2009-04-12 9216]
R2 McShield;Network Associates McShield; C:\Program Files\N [2009-04-12 9216]
R2 McTaskManager;Network Associates Task Manager; C:\Program Files\N [2009-04-12 9216]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 335872]
R2 niSvcLoc;NI Service Locator; C:\WINDOWS\system32\niSvcLoc.exe [2003-05-01 49152]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-22 38912]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2000-06-26 53520]
S2 ATI Smart;ATI Smart; C:\WINDOWS\SYSTEM32\ati2sgag.exe [2008-12-01 593920]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 iPodService;iPodService; C:\Program Files\iPod\bin\iPodService.exe [2006-02-23 323584]
S3 NILM License manager;NILM License manager; C:\Program Files\N [2009-04-12 9216]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------

#4 mumachine

  • Topic Starter
  • Members
  • 17 posts

Posted 17 April 2009 - 08:59 PM

The contents of the RSIT.exe info.txt file are as follows:

info.txt logfile of random's system information tool 1.06 2009-04-17 14:56:52

======Uninstall list======

-->"C:\Program Files\Creative\Sound Blaster Live! 24-bit\Program\Ctzapxx.EXE" /X /U /S
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Illustrator CS-->RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}\setup.exe"
Adobe Photoshop Album 2.0 Starter Edition-->MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Reader Korean Fonts-->MsiExec.exe /I{AC76BA86-7AD7-5670-0000-7E8A45000001}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI AVIVO Codecs-->MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
BasicX 2.10-->"C:\Program Files\BasicX\setup\setup.exe" /u
Broadcom Advanced Control Suite 2-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2E086814-7392-4E0F-ADB8-54A81E47406C} /l1033
BroadJump Client Foundation-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Caligari trueSpace4.3-->C:\WINDOWS\uninst.exe -fC:\ts4.3\DeIsL1.isu
Catalyst Control Center - Branding-->MsiExec.exe /I{D3B1C799-CB73-42DE-BA0F-2344793A095C}
Command & Conquer 3-->MsiExec.exe /I{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Creative MediaSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Doom 3-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}
F.E.A.R. 2: Project Origin-->"C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/16450
GameSpy Arcade-->C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Video Player-->"C:\Program Files\Google\Google Video Player\Uninstall.exe"
Haali Media Splitter-->"C:\Program Files\Matroska Pack\haali\uninstall.exe"
Half-Life 2: Episode Two-->"C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/420
Half-Life® 2-->MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
HijackThis 2.0.2-->"C:\HiJackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
InstallShield for Microsoft Visual C++ 6-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\InstallShield\InstallShield for Microsoft Visual C++ 6\Uninst.isu"
Intel RSX 3D-->C:\WINDOWS\uninst.exe -fC:\WINDOWS\system32\DeIsL1.isu
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
iTunes-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Logitech Gaming Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93EC14D5-7AAA-4EAD-BB75-013817A96598}\Setup.Exe" -l0x9
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mathematica 5.2 for Students-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{FC10C290-6E4D-4C6B-A8B3-33700C21F9E6}
MathType 5-->"C:\Program Files\MathType\Setup.exe" -R
MATLAB 6.5-->C:\matlab_sv13\uninstall\uninstall.exe C:\matlab_sv13
Matroska Pack-->C:\Program Files\Matroska Pack\uninstall.exe
McAfee VirusScan Enterprise-->MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# .NET Redistributable Package 1.1-->MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Visual Studio .NET Professional 2003 - English-->"C:\Program Files\Microsoft Visual Studio .NET 2003\Setup\Visual Studio .NET Professional 2003 - English\setup.exe" /MaintMode
Microsoft Visual Studio 6.0 Professional Edition-->"C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSDN Library - January 2004-->MsiExec.exe /I{EA0F7942-CA59-4672-8DD6-513DFC5E4167}
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
National Instruments Software-->"C:\Program Files\National Instruments\Shared\NIUninstaller\uninst.exe"
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Paint.NET v3.31-->MsiExec.exe /X{51AFB69C-1C54-4C77-A888-2860F8CD3E7D}
PCB123 V2-->"C:\Program Files\PCB123 V2\Uninstall.exe" "C:\Program Files\PCB123 V2\install.log"
PhotoStudio 2.0 SE-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoStudio\Uninst.isu"
Portal-->"C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/400
PowerDVD 5.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Project64 1.6-->MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
PTALKDT PRO-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71375385-59C0-11D5-8343-005004C33D85}\setup.exe"
QuickTime-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
resident evil 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E07F4F90-2BC6-4843-B62D-309D9170986E}\install.exe" -l0x9 -removeonly
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Sound Blaster Live! 24-bit-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB481CC-F57C-4397-81A0-DADD22257047}\setup.exe" -l0x9
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Steam™-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Team Fortress 2-->"C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/440
Terragen-->MsiExec.exe /I{5CC86AA7-3D8F-4E40-AC37-ADBA0F4B5819}
Tomb Raider: Legend 1.2-->C:\Program Files\Tomb Raider - Legend\uninsttrl.exe
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VDownloader 0.75-->"C:\Program Files\VDOWNLOADER\unins000.exe"
Viewer-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{D33DE13A-9F12-45F5-94AB-02CFC2288C86}
Vision32 Version 2.210-->C:\PROGRA~1\WYKO\Vision32\UNWISE.EXE C:\PROGRA~1\WYKO\Vision32\INSTALL.LOG
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
WinAce Archiver-->"C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI"
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wintermute Engine Development Kit 1.8.5-->"C:\Program Files\WME DevKit\unins000.exe"
Wolfram Notebook Indexer 1.1-->MsiExec.exe /I{E24A7D40-D12E-4A11-8DEC-7BB21BE4614D}

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======System event log======

Computer Name: DHPJMS71
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001143CA9816. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 11439
Source Name: Dhcp
Time Written: 20090227084043.000000-360
Event Type: warning
User:

Computer Name: DHPJMS71
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001143CA9816. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 11433
Source Name: Dhcp
Time Written: 20090226170515.000000-360
Event Type: warning
User:

Computer Name: DHPJMS71
Event Code: 1003
Message: Error code 10000050, parameter1 e369a000, parameter2 00000000, parameter3 80582627, parameter4 00000001.

Record Number: 11423
Source Name: System Error
Time Written: 20090225074502.000000-360
Event Type: error
User:

Computer Name: DHPJMS71
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001143CA9816. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 11390
Source Name: Dhcp
Time Written: 20090225074022.000000-360
Event Type: warning
User:

Computer Name: DHPJMS71
Event Code: 1000
Message: Your computer has lost the lease to its IP address 192.168.1.64 on the
Network Card with network address 001143CA9816.

Record Number: 11382
Source Name: Dhcp
Time Written: 20090224183111.000000-360
Event Type: error
User:

=====Application event log=====

Computer Name: DHPJMS71
Event Code: 257
Message: VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric6.zip\sbRecovery.reg. Scan engine version used is 5300 DAT version 5532.(from DHPJMS71 IP 192.168.1.64 user SYSTEM running VirusScan Enter 8.0 Scan All Fixed )

Record Number: 7565
Source Name: Alert Manager Event Interface
Time Written: 20090222043719.000000-360
Event Type: warning
User:

Computer Name: DHPJMS71
Event Code: 257
Message: VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric5.zip\sbRecovery.reg. Scan engine version used is 5300 DAT version 5532.(from DHPJMS71 IP 192.168.1.64 user SYSTEM running VirusScan Enter 8.0 Scan All Fixed )

Record Number: 7564
Source Name: Alert Manager Event Interface
Time Written: 20090222043719.000000-360
Event Type: warning
User:

Computer Name: DHPJMS71
Event Code: 257
Message: VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric4.zip\sbRecovery.reg. Scan engine version used is 5300 DAT version 5532.(from DHPJMS71 IP 192.168.1.64 user SYSTEM running VirusScan Enter 8.0 Scan All Fixed )

Record Number: 7563
Source Name: Alert Manager Event Interface
Time Written: 20090222043719.000000-360
Event Type: warning
User:

Computer Name: DHPJMS71
Event Code: 257
Message: VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric3.zip\sbRecovery.reg. Scan engine version used is 5300 DAT version 5532.(from DHPJMS71 IP 192.168.1.64 user SYSTEM running VirusScan Enter 8.0 Scan All Fixed )

Record Number: 7562
Source Name: Alert Manager Event Interface
Time Written: 20090222043718.000000-360
Event Type: warning
User:

Computer Name: DHPJMS71
Event Code: 257
Message: VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric2.zip\sbRecovery.reg. Scan engine version used is 5300 DAT version 5532.(from DHPJMS71 IP 192.168.1.64 user SYSTEM running VirusScan Enter 8.0 Scan All Fixed )

Record Number: 7561
Source Name: Alert Manager Event Interface
Time Written: 20090222043718.000000-360
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\matlab_sv13\bin\win32;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=0401
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"INCLUDE"=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
"LIB"=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
"VS71COMNTOOLS"=C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
"CLASSPATH"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"KMP_DUPLICATE_LIB_OK"=TRUE
"MKL_SERIAL"=YES

-----------------EOF-----------------
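
Nothing in the hosts-file section above pulls a browser anywhere: every line points a host name at 127.0.0.1, which is what a blocklist (Spybot's immunisation writes entries of exactly this kind) looks like, not a hijack. The entry a practitioner hunts for when a browser is being redirected is the opposite one, a real host name mapped to an address that is neither loopback nor unspecified. The script below is an added example for this thread, not code from RSIT, Spybot or any tool named in the posts; it separates the two kinds of entry. The two 203.0.113.x lines in its sample are hypothetical (203.0.113.0/24 is a documentation range), included only to show what a hijack entry would look like; no such line appears in the posted log.

```python
"""Classify hosts-file entries from an RSIT/HijackThis-style log section."""
from __future__ import annotations

import ipaddress
from collections import Counter

# Constructed sample: the ten entries from the log above, the default localhost
# lines, and two HYPOTHETICAL hijack lines that are not in the posted log.
HOSTS_SAMPLE = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
203.0.113.10 www.google.com          # hypothetical hijack line
203.0.113.10 update.microsoft.com    # hypothetical hijack line
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs; comments, blanks and junk lines are skipped."""
    pairs: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first column is not an address
        for host in fields[1:]:                   # one address may carry several names
            pairs.append((str(addr), host.lower()))
    return pairs


def is_sinkhole(addr: str) -> bool:
    """True for targets that can carry no traffic: loopback (127.x, ::1) or 0.0.0.0/::."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def triage_hosts(text: str) -> dict[str, list[tuple[str, str]]]:
    """Split entries into 'sinkholed' (blocklist style) and 'redirected' (suspicious)."""
    result: dict[str, list[tuple[str, str]]] = {"sinkholed": [], "redirected": []}
    for addr, host in parse_hosts(text):
        if host == "localhost":
            continue                              # the default entries, not worth reporting
        result["sinkholed" if is_sinkhole(addr) else "redirected"].append((addr, host))
    return result


def redirect_targets(text: str) -> Counter:
    """How many host names each non-sinkhole address captures.

    A hijack usually funnels many names (search engines, AV vendors, update
    servers) to one address, so a single address with a high count is the
    thing to chase.
    """
    return Counter(addr for addr, _ in triage_hosts(text)["redirected"])


if __name__ == "__main__":
    report = triage_hosts(HOSTS_SAMPLE)
    print(f"{len(report['sinkholed'])} sinkholed (blocklist) entries")
    for addr, host in report["redirected"]:
        print(f"REDIRECT {host} -> {addr}")
    print("targets:", dict(redirect_targets(HOSTS_SAMPLE)))
```

Run against the real file (`C:\WINDOWS\system32\drivers\etc\hosts` on XP) the same way; if `redirected` comes back empty, as it would for the section posted above, the redirect is being done somewhere else (a BHO, a LSP, a DNS setting) and the hosts file can be crossed off.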

#5 mumachine (Topic Starter, Members, 17 posts)

Posted 17 April 2009 - 09:02 PM

The GMER Result file is attached.


#6 fenzodahl512 (Members, 6,738 posts)

Posted 17 April 2009 - 09:24 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 mumachine (Topic Starter, Members, 17 posts)

Posted 18 April 2009 - 01:45 PM

I disabled all of my antivirus/antispyware/firewall protection and then ran combofix.exe.

This caused a small progress bar to come up, presumably while the ComboFix files were extracted to my C drive. After this a C:\ prompt window came up that was blank except for a flashing cursor. This is the same type of window that I would have expected to initially say "Please wait. ComboFix is preparing to run.", based on the ComboFix instructions.

I waited 20+ minutes for something to happen, but no messages appeared in the window and no further prompts from ComboFix were generated.

#8 fenzodahl512 (Members, 6,738 posts)

Posted 18 April 2009 - 02:01 PM

Exit ComboFix.. Remove ComboFix, find the C:\qoobox folder and delete it.. Then do the steps below..

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows (the two screenshots showing the rename are not reproduced here):

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#9 mumachine (Topic Starter, Members, 17 posts)

Posted 18 April 2009 - 04:31 PM

Renaming the file worked. Combo-Fix.exe executed, the Recovery Console was successfully installed, and ComboFix performed its scan.

The only issue was that once ComboFix rebooted the computer, following the scan, the McAfee VirusScan Console On-Access Scan restarted. This is despite it being disabled prior to running ComboFix. The On-Access Scan then automatically removed Combo-Fix.exe from the desktop and deleted C:\Combo-Fix\psexec.cfexe while ComboFix was making its log file.

I'm not sure if this issue with McAfee was a problem or not.
A ComboFix log file was successfully created and is as follows.
Also, regedit.exe now works!

ComboFix 09-04-19.01 - Keith Bourne 04/18/2009 15:16:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1513 [GMT -5:00]
Running from: C:\Documents and Settings\Keith Bourne\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-18 17:52:48 . 2009-04-18 20:21:50 0 d-----w C:\quarantine
2009-04-17 19:56:38 . 2009-04-17 19:56:52 0 d-----w C:\rsit
2009-04-17 06:45:57 . 2009-03-06 14:22:18 284160 ------w C:\WINDOWS\system32\dllcache\pdh.dll
2009-04-17 06:45:57 . 2009-02-09 12:10:48 473600 ------w C:\WINDOWS\system32\dllcache\fastprox.dll
2009-04-17 06:45:57 . 2009-02-09 12:10:48 401408 ------w C:\WINDOWS\system32\dllcache\rpcss.dll
2009-04-17 06:45:57 . 2009-02-06 11:11:05 110592 ------w C:\WINDOWS\system32\dllcache\services.exe
2009-04-17 06:45:57 . 2009-02-06 10:39:08 35328 ------w C:\WINDOWS\system32\dllcache\sc.exe
2009-04-17 06:45:56 . 2009-02-09 12:10:49 729088 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2009-04-17 06:45:56 . 2009-02-09 12:10:48 714752 ------w C:\WINDOWS\system32\dllcache\ntdll.dll
2009-04-17 06:45:56 . 2009-02-09 12:10:48 617472 ------w C:\WINDOWS\system32\dllcache\advapi32.dll
2009-04-17 06:45:56 . 2009-02-09 12:10:48 453120 ------w C:\WINDOWS\system32\dllcache\wmiprvsd.dll
2009-04-17 06:45:56 . 2009-02-06 10:10:02 227840 ------w C:\WINDOWS\system32\dllcache\wmiprvse.exe
2009-04-17 06:44:44 . 2008-05-03 11:55:36 2560 ------w C:\WINDOWS\system32\xpsp4res.dll
2009-04-17 06:44:42 . 2009-03-27 06:58:38 1203922 ------w C:\WINDOWS\system32\dllcache\sysmain.sdb
2009-04-17 06:44:42 . 2008-04-21 12:08:15 215552 ------w C:\WINDOWS\system32\dllcache\wordpad.exe
2009-04-14 23:00:40 . 2009-04-17 19:56:49 0 d-----w C:\HiJackThis
2009-04-13 06:28:18 . 2008-11-06 07:03:27 0 d-----w C:\SDFix
2009-04-12 23:38:52 . 2009-04-12 23:38:52 0 d-----w C:\Documents and Settings\Keith Bourne\Application Data\Malwarebytes
2009-04-12 23:38:50 . 2009-04-06 20:32:46 15504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2009-04-12 23:38:47 . 2009-04-06 20:32:54 38496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-04-12 23:38:46 . 2009-04-12 23:38:46 0 d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-28 21:04:25 . 2009-03-28 21:05:13 0 d-----w C:\AFM Files
2009-03-28 20:36:09 . 2008-10-27 15:04:18 514384 ----a-w C:\WINDOWS\system32\XAudio2_3.dll
2009-03-28 20:36:09 . 2008-10-27 15:04:14 70992 ----a-w C:\WINDOWS\system32\XAPOFX1_2.dll
2009-03-28 20:36:09 . 2008-10-10 09:52:38 4379984 ----a-w C:\WINDOWS\system32\D3DX9_40.dll
2009-03-28 20:36:06 . 2008-10-27 15:04:16 23376 ----a-w C:\WINDOWS\system32\X3DAudio1_5.dll
2009-03-28 20:36:04 . 2008-07-30 11:20:56 68616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2009-03-28 20:36:04 . 2008-07-30 11:20:56 509448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2009-03-28 20:36:03 . 2008-07-10 16:00:58 3851784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2009-03-28 20:36:02 . 2008-05-30 19:17:00 25608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2009-03-28 20:35:42 . 2009-03-28 20:35:42 0 d-----w C:\WINDOWS\Logs
2009-03-28 02:26:21 . 2009-03-28 02:26:22 0 d-----w C:\Documents and Settings\All Users\Application Data\ATI
2009-03-28 02:26:21 . 2009-03-28 02:26:21 0 d-----w C:\Documents and Settings\Keith Bourne\Local Settings\Application Data\ATI
2009-03-28 02:26:21 . 2009-03-28 02:26:21 0 d-----w C:\Documents and Settings\Keith Bourne\Application Data\ATI
2009-03-28 02:25:26 . 2009-03-28 02:25:26 0 ----a-w C:\WINDOWS\ativpsrm.bin
2009-03-28 02:21:13 . 2009-01-05 14:12:00 93184 ----a-r C:\WINDOWS\system32\drivers\AtiHdmi.sys
2009-03-28 02:20:46 . 2008-12-01 19:35:00 593920 ------w C:\WINDOWS\system32\ati2sgag.exe
2009-03-28 02:20:43 . 2009-01-05 14:09:00 529 ----a-r C:\WINDOWS\system32\ATIODCLI.exe.manifest
2009-03-28 02:20:43 . 2009-01-05 14:09:00 527 ----a-r C:\WINDOWS\system32\ATIODE.exe.manifest
2009-03-28 02:20:43 . 2009-01-05 14:09:00 307200 ----a-r C:\WINDOWS\system32\atiiiexx.dll
2009-03-28 02:20:43 . 2009-01-05 14:09:00 15079 ----a-r C:\WINDOWS\atiogl.xml
2009-03-28 02:20:38 . 2009-01-05 14:08:00 7167 ----a-r C:\WINDOWS\system32\atifglpf.xml
2009-03-28 02:20:38 . 2009-01-05 14:08:00 425984 ----a-r C:\WINDOWS\system32\ATIDEMGX.dll
2009-03-28 02:20:37 . 2009-01-05 14:10:00 887724 ----a-r C:\WINDOWS\system32\ativva6x.dat
2009-03-28 02:20:36 . 2009-01-05 14:11:00 3107788 ----a-r C:\WINDOWS\system32\ativvaxx.dat
2009-03-28 02:20:36 . 2009-01-05 14:10:00 3107788 ----a-r C:\WINDOWS\system32\ativva5x.dat
2009-03-28 02:20:36 . 2009-01-05 14:09:00 180720 ----a-r C:\WINDOWS\system32\atiicdxx.dat
2009-03-28 02:11:52 . 2009-01-05 14:08:00 3452928 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2009-03-28 02:11:52 . 2009-01-05 14:08:00 3452928 ----a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
2009-03-28 02:11:18 . 2009-03-28 02:11:20 10 ----a-w C:\WINDOWS\WININIT.INI
2009-03-25 04:05:51 . 2009-03-25 04:41:00 123392 --sha-w C:\Thumbs.db
2009-03-21 14:06:58 . 2009-03-21 14:06:58 989696 ------w C:\WINDOWS\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 20:20:01 . 2009-02-10 23:39:02 17327 ----a-w C:\aaw7boot.log
2009-04-12 23:38:51 . 2009-04-12 23:38:45 0 d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-04-12 10:03:19 . 2009-04-12 10:03:19 9216 ----a-w C:\Program Files\n
2009-04-08 17:56:52 . 2009-02-10 23:33:52 15688 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2009-04-08 17:56:34 . 2009-02-10 19:56:56 64160 ----a-w C:\WINDOWS\system32\drivers\Lbd.sys
2009-04-07 23:37:07 . 2009-04-07 23:24:38 0 d-----w C:\Program Files\Tomb Raider - Legend
2009-04-04 03:37:23 . 2005-06-28 15:33:30 0 d-----w C:\Program Files\Java
2009-04-04 03:33:59 . 2005-06-28 15:34:25 0 d--h--w C:\Program Files\InstallShield Installation Information
2009-03-28 02:23:11 . 2009-03-28 02:20:15 0 d-----w C:\Program Files\ATI Technologies
2009-03-28 02:21:48 . 2009-03-28 02:21:48 0 d-----w C:\Program Files\Common Files\ATI Technologies
2009-03-27 06:01:43 . 2005-07-01 22:54:10 0 d-----w C:\Program Files\Spybot - Search & Destroy
2009-03-19 07:05:33 . 2008-12-26 00:19:48 0 d-----w C:\Documents and Settings\Keith Bourne\Application Data\Command & Conquer 3 Tiberium Wars
2009-03-09 10:19:08 . 2008-12-11 07:04:17 410984 ----a-w C:\WINDOWS\SYSTEM32\deploytk.dll
2009-03-06 14:22:18 . 2004-08-04 10:00:00 284160 ----a-w C:\WINDOWS\SYSTEM32\pdh.dll
2009-03-03 00:18:25 . 2006-05-10 05:23:03 826368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18:25 . 2004-08-04 10:00:00 826368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2009-02-28 04:54:41 . 2006-10-17 19:04:40 636072 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-20 10:20:49 . 2007-05-10 21:53:44 13824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20:49 . 2006-10-27 08:44:04 70656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14:12 . 2006-10-27 08:42:54 161792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 12:10:49 . 2004-08-04 10:00:00 729088 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2009-02-09 12:10:48 . 2004-08-04 10:00:00 714752 ----a-w C:\WINDOWS\SYSTEM32\ntdll.dll
2009-02-09 12:10:48 . 2004-08-04 10:00:00 617472 ----a-w C:\WINDOWS\SYSTEM32\advapi32.dll
2009-02-09 12:10:48 . 2004-08-04 10:00:00 401408 ----a-w C:\WINDOWS\SYSTEM32\rpcss.dll
2009-02-09 11:13:27 . 2008-10-15 03:05:40 1846784 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13:27 . 2004-08-04 10:00:00 1846784 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2009-02-08 00:02:58 . 2008-10-15 03:05:29 2066048 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11:05 . 2004-08-04 10:00:00 110592 ----a-w C:\WINDOWS\SYSTEM32\services.exe
2009-02-06 11:08:19 . 2008-10-15 03:05:30 2189056 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06:41 . 2008-10-15 03:05:30 2145280 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06:41 . 1980-01-01 05:00:00 2145280 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39:08 . 2004-08-04 10:00:00 35328 ----a-w C:\WINDOWS\SYSTEM32\sc.exe
2009-02-06 10:32:56 . 2008-10-15 03:05:29 2023936 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-06 10:32:56 . 1980-01-01 05:00:00 2023936 ----a-w C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2009-02-03 19:59:07 . 2009-02-03 19:59:07 56832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\secur32.dll
2009-02-03 19:59:07 . 2004-08-04 10:00:00 56832 ----a-w C:\WINDOWS\SYSTEM32\secur32.dll
2008-09-24 01:33:42 . 2005-07-01 19:12:19 78824 ----a-w C:\Documents and Settings\Keith Bourne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-12-19 07:02:05 . 2007-12-19 07:02:05 166440 ----a-w C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2005-08-25 22:57:58 . 2005-08-25 22:57:58 135 ----a-w C:\Documents and Settings\Keith Bourne\Local Settings\Application Data\fusioncache.dat
2004-11-05 03:2004-11-05 03:13 13:46 . C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2008-09-21 22:37:03 . 2008-09-21 22:37:14 32768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 15:43:36 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 06:00:00 90112]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 14:00:00 98304]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 08:50:00 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 14:48:56 147514]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 08:51:27 172032]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 02:26:26 368706]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-08 17:55:57 515416]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 22:11:14 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-03-09 10:19:17 148888]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-28 110592]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-6-28 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gktjxk.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Keith Bourne^Start Menu^Programs^Startup^Indigo Prophecy Registration.lnk]
path=C:\Documents and Settings\Keith Bourne\Start Menu\Programs\Startup\Indigo Prophecy Registration.lnk
backup=C:\WINDOWS\pss\Indigo Prophecy Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kbourne2\\half-life 2\\hl2.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"=
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\common\\fear2\\FEAR2.exe"=

R3 gkmixern;gkmixern; [x]
S0 Lbd;Lbd;C:\WINDOWS\system32\DRIVERS\Lbd.sys [2009-04-08 17:56:34 64160]
S1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys [2007-11-27 02:00:00 59904]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-08 17:55:54 951632]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;C:\WINDOWS\system32\drivers\AtiHdmi.sys [2009-01-05 14:12:00 93184]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe660fe6-98fc-11db-9fe1-001143ca9816}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:34:46 . 2009-04-08 17:56:03]
.
- - - - ORPHANS REMOVED - - - -

BHO-{343CED9E-A6BA-4B8E-B158-0330C005C5B2} - C:\WINDOWS\system32\pmnmmLFX.dll
BHO-{35CDB04B-5691-417A-84DA-8F39D529BD5B} - (no file)
BHO-{51579589-3F8F-4D47-B469-1E2C0EA9D9BB} - (no file)
BHO-{6ef417aa-15f2-415b-b52d-edbb8ddb711b} - C:\WINDOWS\system32\gktjxk.dll
Notify-nnnnOeCt - nnnnOeCt.dll


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
.
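
The interesting part of the ComboFix log above is the 'Reg Loading Points' and 'ORPHANS REMOVED' output: an `AppInit_DLLs` value (`gktjxk.dll`), a Winlogon `Notify` package (`nnnnOeCt.dll`), and a set of unnamed BHOs, one of which points at that same `gktjxk.dll`. Those three locations, and the same DLL name wired into more than one of them, are the pattern the Vundo family leaves behind, and they also explain the original symptoms (a DLL loaded into every user32 process can watch for regedit.exe being launched). The script below is an added example for this thread, not part of ComboFix, HijackThis or RSIT; it reads those line formats from a saved log and flags the entries a reviewer should look at, with the rule that a DLL seen in two autostart points is reported on its own. Its sample input is built from lines copied from the ComboFix and HijackThis logs in this thread; the `Finding` type, the regexes and the "looks like" heuristics are this example's own, not anything the tools expose.

```python
"""Flag Vundo-style autostart entries in ComboFix / HijackThis text logs."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix and HijackThis output in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gktjxk.dll

- - - - ORPHANS REMOVED - - - -

BHO-{343CED9E-A6BA-4B8E-B158-0330C005C5B2} - C:\WINDOWS\system32\pmnmmLFX.dll
BHO-{35CDB04B-5691-417A-84DA-8F39D529BD5B} - (no file)
BHO-{6ef417aa-15f2-415b-b52d-edbb8ddb711b} - C:\WINDOWS\system32\gktjxk.dll
Notify-nnnnOeCt - nnnnOeCt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6ef417aa-15f2-415b-b52d-edbb8ddb711b} - C:\WINDOWS\system32\gktjxk.dll (file missing)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
"""

# Line shapes as printed by ComboFix (first three) and HijackThis (last one).
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$', re.M)
NOTIFY_RE = re.compile(r'^Notify-(?P<name>\S+)\s+-\s+(?P<dll>\S+)', re.M)
CF_BHO_RE = re.compile(r'^BHO-\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s+-\s+(?P<path>.+)$', re.M)
HJT_BHO_RE = re.compile(
    r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$', re.M)


@dataclass(frozen=True)
class Finding:
    location: str   # autostart point the entry lives in
    detail: str     # the entry itself
    reason: str     # why a reviewer should look at it


def dll_name(path: str) -> str:
    """Lower-cased file name, with HijackThis' '(file missing)' marker stripped."""
    path = path.replace("(file missing)", "").strip()
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    sightings: dict[str, set[str]] = {}   # dll name -> autostart points it is registered in

    def note(dll: str, where: str) -> None:
        sightings.setdefault(dll, set()).add(where)

    # ComboFix only prints this key when it is set; empty is the normal state.
    for m in APPINIT_RE.finditer(log_text):
        value = m["value"].strip()
        if value:
            findings.append(Finding("AppInit_DLLs", value,
                "loaded into every process that loads user32.dll; rarely legitimate on a workstation"))
            for dll in re.split(r"[ ,;]+", value):
                note(dll_name(dll), "AppInit_DLLs")

    for m in NOTIFY_RE.finditer(log_text):
        findings.append(Finding("Winlogon Notify", f"{m['name']} -> {m['dll']}",
            "Notify package runs inside winlogon.exe at logon/logoff"))
        note(dll_name(m["dll"]), "Winlogon Notify")

    for m in CF_BHO_RE.finditer(log_text):
        path = m["path"].strip()
        if path == "(no file)":
            findings.append(Finding("BHO (ComboFix orphan)", m["clsid"], "CLSID registered, no DLL on disk"))
        else:
            findings.append(Finding("BHO (ComboFix orphan)", f"{m['clsid']} -> {path}",
                "orphaned BHO registration removed by ComboFix; name kept for correlation"))
            note(dll_name(path), "BHO")

    for m in HJT_BHO_RE.finditer(log_text):
        name, path = m["name"].strip(), m["path"].strip()
        if path == "(no file)" or path.endswith("(file missing)"):
            findings.append(Finding("BHO (HijackThis O2)", f"{name} {m['clsid']} -> {path}",
                "dangling registration: a leftover to fix with HijackThis, but not proof of "
                "malware by itself (a stale uninstall looks the same)"))
        elif name == "(no name)":
            findings.append(Finding("BHO (HijackThis O2)", f"{m['clsid']} -> {path}",
                "unnamed BHO with its DLL still present: check the DLL's publisher/signature"))
        if path != "(no file)":
            note(dll_name(path), "BHO")

    # The tell-tale pattern: one DLL wired into several autostart points.
    for dll, places in sorted(sightings.items()):
        if len(places) > 1:
            findings.append(Finding("correlation", dll,
                "same DLL registered in " + ", ".join(sorted(places))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.location}] {f.detail}\n    {f.reason}")
```

On the sample it reports the AppInit_DLLs value, the Notify package, the three orphaned BHOs, the two dangling HijackThis entries (Adobe's is just a stale uninstall, which is why the reason text hedges), and one correlation: `gktjxk.dll` in both AppInit_DLLs and a BHO slot. The Spybot and Java BHOs, named and present on disk, produce nothing.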

#10 mumachine (Topic Starter, Members, 17 posts)

Posted 18 April 2009 - 04:32 PM

My new HijackThis log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:07 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\matlab_sv13\webserver\bin\win32\matlabserver.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {343CED9E-A6BA-4B8E-B158-0330C005C5B2} - C:\WINDOWS\system32\pmnmmLFX.dll (file missing)
O2 - BHO: (no name) - {35CDB04B-5691-417A-84DA-8F39D529BD5B} - (no file)
O2 - BHO: (no name) - {51579589-3F8F-4D47-B469-1E2C0EA9D9BB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6ef417aa-15f2-415b-b52d-edbb8ddb711b} - C:\WINDOWS\system32\gktjxk.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163907851503
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O20 - Winlogon Notify: nnnnOeCt - nnnnOeCt.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\matlab_sv13\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe

--
End of file - 7341 bytes

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:25 AM

Posted 18 April 2009 - 09:21 PM

Please uninstall Lavasoft Ad-Aware and run ComboFix once again.. Post the log here after that :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 mumachine

mumachine
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:25 AM

Posted 19 April 2009 - 09:43 PM

I uninstalled Ad-Aware and ran ComboFix. The ComboFix log is as follows:

ComboFix 09-04-20.02 - Keith Bourne 04/19/2009 20:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -5:00]
Running from: c:\documents and settings\Keith Bourne\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-18 17:52 . 2009-04-18 20:21 -------- d-----w C:\quarantine
2009-04-17 19:56 . 2009-04-17 19:56 -------- d-----w C:\rsit
2009-04-17 06:45 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 06:45 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 06:45 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 06:45 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 06:45 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 06:45 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 06:45 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 06:45 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 06:45 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 06:45 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 06:44 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 06:44 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 06:44 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 23:00 . 2009-04-18 21:07 -------- d-----w C:\HiJackThis
2009-04-13 06:28 . 2008-11-06 07:03 -------- d-----w C:\SDFix
2009-04-12 23:38 . 2009-04-12 23:38 -------- d-----w c:\documents and settings\Keith Bourne\Application Data\Malwarebytes
2009-04-12 23:38 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-12 23:38 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 23:38 . 2009-04-12 23:38 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-28 21:04 . 2009-03-28 21:05 -------- d-----w C:\AFM Files
2009-03-28 20:36 . 2008-10-27 15:04 514384 ----a-w c:\windows\system32\XAudio2_3.dll
2009-03-28 20:36 . 2008-10-27 15:04 70992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2009-03-28 20:36 . 2008-10-10 09:52 4379984 ----a-w c:\windows\system32\D3DX9_40.dll
2009-03-28 20:36 . 2008-10-27 15:04 23376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2009-03-28 20:36 . 2008-07-30 11:20 68616 ----a-w c:\windows\system32\XAPOFX1_1.dll
2009-03-28 20:36 . 2008-07-30 11:20 509448 ----a-w c:\windows\system32\XAudio2_2.dll
2009-03-28 20:36 . 2008-07-10 16:00 3851784 ----a-w c:\windows\system32\D3DX9_39.dll
2009-03-28 20:36 . 2008-05-30 19:17 25608 ----a-w c:\windows\system32\X3DAudio1_4.dll
2009-03-28 20:35 . 2009-03-28 20:35 -------- d-----w c:\windows\Logs
2009-03-28 02:26 . 2009-03-28 02:26 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-03-28 02:26 . 2009-03-28 02:26 -------- d-----w c:\documents and settings\Keith Bourne\Local Settings\Application Data\ATI
2009-03-28 02:26 . 2009-03-28 02:26 -------- d-----w c:\documents and settings\Keith Bourne\Application Data\ATI
2009-03-28 02:25 . 2009-03-28 02:25 0 ----a-w c:\windows\ativpsrm.bin
2009-03-28 02:21 . 2009-01-05 14:12 93184 ----a-r c:\windows\system32\drivers\AtiHdmi.sys
2009-03-28 02:20 . 2008-12-01 19:35 593920 ------w c:\windows\system32\ati2sgag.exe
2009-03-28 02:20 . 2009-01-05 14:09 529 ----a-r c:\windows\system32\ATIODCLI.exe.manifest
2009-03-28 02:20 . 2009-01-05 14:09 527 ----a-r c:\windows\system32\ATIODE.exe.manifest
2009-03-28 02:20 . 2009-01-05 14:09 307200 ----a-r c:\windows\system32\atiiiexx.dll
2009-03-28 02:20 . 2009-01-05 14:09 15079 ----a-r c:\windows\atiogl.xml
2009-03-28 02:20 . 2009-01-05 14:08 7167 ----a-r c:\windows\system32\atifglpf.xml
2009-03-28 02:20 . 2009-01-05 14:08 425984 ----a-r c:\windows\system32\ATIDEMGX.dll
2009-03-28 02:20 . 2009-01-05 14:10 887724 ----a-r c:\windows\system32\ativva6x.dat
2009-03-28 02:20 . 2009-01-05 14:11 3107788 ----a-r c:\windows\system32\ativvaxx.dat
2009-03-28 02:20 . 2009-01-05 14:10 3107788 ----a-r c:\windows\system32\ativva5x.dat
2009-03-28 02:20 . 2009-01-05 14:09 180720 ----a-r c:\windows\system32\atiicdxx.dat
2009-03-28 02:11 . 2009-01-05 14:08 3452928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-03-28 02:11 . 2009-01-05 14:08 3452928 ----a-w c:\windows\system32\dllcache\ati2mtag.sys
2009-03-28 02:11 . 2009-03-28 02:11 10 ----a-w c:\windows\WININIT.INI
2009-03-25 04:05 . 2009-03-25 04:41 123392 --sha-w C:\Thumbs.db
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 00:06 . 2005-07-01 22:50 -------- d-----w c:\documents and settings\Keith Bourne\Application Data\Lavasoft
2009-04-19 23:57 . 2009-02-10 23:39 18671 ----a-w C:\aaw7boot.log
2009-04-12 23:38 . 2009-04-12 23:38 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 10:03 . 2009-04-12 10:03 9216 ----a-w c:\program files\n
2009-04-07 23:37 . 2009-04-07 23:24 -------- d-----w c:\program files\Tomb Raider - Legend
2009-04-04 03:37 . 2005-06-28 15:33 -------- d-----w c:\program files\Java
2009-04-04 03:33 . 2005-06-28 15:34 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 02:23 . 2009-03-28 02:20 -------- d-----w c:\program files\ATI Technologies
2009-03-28 02:21 . 2009-03-28 02:21 -------- d-----w c:\program files\Common Files\ATI Technologies
2009-03-27 06:01 . 2005-07-01 22:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-19 07:05 . 2008-12-26 00:19 -------- d-----w c:\documents and settings\Keith Bourne\Application Data\Command & Conquer 3 Tiberium Wars
2009-03-09 10:19 . 2008-12-11 07:04 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-03 00:18 . 2006-05-10 05:23 826368 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-08-04 10:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-28 04:54 . 2006-10-17 19:04 636072 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-20 10:20 . 2007-05-10 21:53 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2006-10-27 08:44 70656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2006-10-27 08:42 161792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 03:05 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 00:02 . 2008-10-15 03:05 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-15 03:05 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 03:05 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06 . 1980-01-01 05:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:32 . 2008-10-15 03:05 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-06 10:32 . 1980-01-01 05:00 2023936 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2008-09-24 01:33 . 2005-07-01 19:12 78824 ----a-w c:\documents and settings\Keith Bourne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-12-19 07:02 . 2007-12-19 07:02 166440 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2005-08-25 22:57 . 2005-08-25 22:57 135 ----a-w c:\documents and settings\Keith Bourne\Local Settings\Application Data\fusioncache.dat
2004-11-05 03:2004-11-05 03:13 13:46 . c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2008-09-21 22:37 . 2008-09-21 22:37 32768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008092120080922\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 98304]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-28 110592]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-28 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gktjxk.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Keith Bourne^Start Menu^Programs^Startup^Indigo Prophecy Registration.lnk]
path=c:\documents and settings\Keith Bourne\Start Menu\Programs\Startup\Indigo Prophecy Registration.lnk
backup=c:\windows\pss\Indigo Prophecy Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\kbourne2\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\fear2\\FEAR2.exe"=

R0 Lbd;Lbd; [x]
R3 gkmixern;gkmixern; [x]
S1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-11-27 59904]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-01-05 93184]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe660fe6-98fc-11db-9fe1-001143ca9816}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{343CED9E-A6BA-4B8E-B158-0330C005C5B2} - c:\windows\system32\pmnmmLFX.dll
BHO-{35CDB04B-5691-417A-84DA-8F39D529BD5B} - (no file)
BHO-{51579589-3F8F-4D47-B469-1E2C0EA9D9BB} - (no file)
BHO-{6ef417aa-15f2-415b-b52d-edbb8ddb711b} - c:\windows\system32\gktjxk.dll
Notify-nnnnOeCt - nnnnOeCt.dll


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 20:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-636874406-2035665741-3533480687-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c1,07,8a,f8,08,b1,8d,fb,88,0a,b4,23,60,51,60,93,3c,65,8b,76,50,71,ee,
14,33,d9,59,42,00,14,22,c1,9b,f8,18,0b,f4,37,81,ef,07,b5,2a,5a,5c,b9,cc,5d,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(712)
c:\windows\system32\EntApi.dll

- - - - - - - > 'explorer.exe'(1644)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-04-20 20:51
ComboFix-quarantined-files.txt 2009-04-20 01:51

Pre-Run: 30,557,298,688 bytes free
Post-Run: 30,541,541,376 bytes free

206 --- E O F --- 2009-04-17 14:08

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:25 AM

Posted 19 April 2009 - 10:37 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
gkmixern

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

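As an added example (not from this thread, and not part of ComboFix or HijackThis), a small Python triage script that applies the same reading of the logs the fix above relies on: it flags BHO and Winlogon Notify entries whose DLL is missing, a non-empty AppInit_DLLs value, service/driver entries ComboFix marks with [x], and reports any DLL name that shows up at more than one loading point. The sample lines are constructed from the entries quoted earlier in the thread, and the line patterns are assumptions drawn from those logs, not a formal grammar.

```python
import re
from collections import Counter

# Constructed sample, modelled on the HijackThis and ComboFix lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6ef417aa-15f2-415b-b52d-edbb8ddb711b} - C:\WINDOWS\system32\gktjxk.dll (file missing)
O2 - BHO: (no name) - {35CDB04B-5691-417A-84DA-8F39D529BD5B} - (no file)
O20 - Winlogon Notify: nnnnOeCt - nnnnOeCt.dll (file missing)
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
"AppInit_DLLs"=gktjxk.dll
"AppInit_DLLs"=""
R0 Lbd;Lbd; [x]
S1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-11-27 59904]
"""

# Line shapes are assumptions taken from the logs in this thread.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
DRIVER_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;.*?\s*\[x\]$")


def dll_name(path):
    """Basename of a log path, with HijackThis' ' (file missing)' suffix stripped."""
    if path.startswith("(no file)"):
        return None
    return path.split("\\")[-1].split(" (")[0].lower()


def triage(log_text):
    """Return (category, identifier, dll) tuples for autostart entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            # A CLSID still registered as a Browser Helper Object with no DLL on disk
            # is an orphan: inert now, but it records where something used to load.
            if "(file missing)" in m["path"] or m["path"] == "(no file)":
                findings.append(("bho-orphan", m["clsid"], dll_name(m["path"])))
        elif m := NOTIFY_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(("winlogon-notify-orphan", m["name"], dll_name(m["path"])))
        elif m := APPINIT_RE.match(line):
            # Anything in AppInit_DLLs is mapped into every process that loads user32.dll,
            # so a non-empty value on a home PC deserves attention; the CFScript blanks it.
            value = m["value"].strip().strip('"')
            if value:
                findings.append(("appinit-dlls", value, value.lower()))
        elif m := DRIVER_RE.match(line):
            # ComboFix prints [x] for a service/driver entry whose image file is absent.
            findings.append(("driver-missing-image", m["name"].strip(), None))
    return findings


def linked_dlls(findings):
    """DLL names that appear at more than one loading point (one file, several hooks)."""
    counts = Counter(dll for _, _, dll in findings if dll)
    return {dll for dll, n in counts.items() if n > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for category, ident, dll in hits:
        print(f"{category:24} {ident:45} {dll or ''}")
    print("linked across loading points:", sorted(linked_dlls(hits)))
```

On the sample, gktjxk.dll is reported both as an orphaned BHO and as the AppInit_DLLs value, which is the link the fix above acts on.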


#14 mumachine

mumachine
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:25 AM

Posted 20 April 2009 - 02:00 AM

I ran ComboFix.exe, which was renamed Combo-Fix.exe during download, using the CDScript.txt file, but there appears to have been a problem. ComboFix got to the point where it displays the message:

"Scanning for infected files ...
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double"

At this point there was about two minutes of hard drive activity and then nothing else happened. I waited about 50 minutes, but no subsequent messages were created and no log file was generated.

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:25 AM

Posted 20 April 2009 - 04:57 AM

I ran ComboFix.exe, which was renamed Combo-Fix.exe during download, using the CDScript.txt file, but there appears to have been a problem. ComboFix got to the point where it displays the message:

"Scanning for infected files ...
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double"

At this point there was about two minutes of hard drive activity and then nothing else happened. I waited about 50 minutes, but no subsequent messages were created and no log file was generated.


CDScript? it should be CFScript.. Just run ComboFix normally again and post the log here..

