I don't know what to do...


13 replies to this topic

#1 Poen


Posted 03 June 2009 - 12:46 AM

[EDIT] I wanted to add, my computer is not running slowly at all.[/EDIT]
Hello ladies and gentlemen, thank you so much for taking my case.

Before I post my log, I wanted to thank FARBAR personally. I'll explain.

I am also having the redirection bug, but with a slight difference. You see, my Kaspersky expired just last Saturday, and sometime between then and now I've become infected. The first time I click on a link from a search engine I get redirected sometimes 6-7 times before it lands me on, of course, an inappropriate page.

Lurking BleepingComputer, I tried downloading HijackThis and getting a log. At first it installed, and when Vista gave the "reinstall using recommended settings" prompt I did, and I got the BSOD for the first time ever. Physical memory dump and everything. I tried again, same problem.

This was when I noticed Kaspersky wasn't running at all. I tried opening the application and it immediately gave me the crash dialogue. Same thing when I tried to run HijackThis. So I couldn't run HijackThis or scan for viruses.

Panicked, I ran in safe mode, ran Nod32 (it found a few items), CureIt (found a few items) and MsnVirRem, because I was lurking and thought that was the virus.

So I restarted my computer, tried to search and again, redirected. But I read FARBAR's post about RSIT, and it worked! Not only that, but it ran HijackThis for me! So, here is my RSIT log, complete with the HijackThis log as well!

Thanks in advance guys, I'm really puzzled.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Pozi at 2009-06-02 22:23:48
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 116 GB (40%) free of 293 GB
Total RAM: 3070 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:54 PM, on 6/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Pozi\Desktop\RSIT.exe
C:\Program Files\trend micro\Pozi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Futuremark SystemInfo) - http://www.yougamers.com/systeminfo/FMSI.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09460B63-71E9-481E-AD50-9F72CA865A5D}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C11AE53-28A5-4AC7-BA9F-CD4109D7856C}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{09460B63-71E9-481E-AD50-9F72CA865A5D}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 11527 bytes

======Scheduled tasks folder======

C:\Windows\tasks\HPCeeScheduleForPozi.job
C:\Windows\tasks\User_Feed_Synchronization-{EBAC9960-F52A-434F-812C-CEAD23C7530A}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
SnagIt Toolbar Loader - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll [2008-05-15 66888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
IEVkbdBHO Class - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll [2008-11-11 62728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}]
HP Print Clips - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll [2007-08-31 177504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-05-15 817936]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll [2008-05-15 161096]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-01-18 1033512]
"SMSERIAL"=C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2007-01-17 634880]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-03-09 4390912]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2008-04-15 178712]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2007-12-19 468264]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2007-09-19 202032]
"OnScreenDisplay"=C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [2007-09-04 554320]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"hpqSRMon"=C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [2008-06-02 80896]
"HP Health Check Scheduler"=c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2008-06-16 75008]
"hpWirelessAssistant"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [2007-09-13 480560]
"WAWifiMessage"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [2007-01-08 311296]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
"UCam_Menu"=C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [2008-06-13 210216]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-01-30 13605408]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2009-01-30 92704]
"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe [2009-05-15 206088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2007-08-23 455968]
"HPAdvisor"=C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [2007-10-01 1783136]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-07 21633320]
"Steam"=c:\program files\steam\steam.exe [2009-05-22 1217784]
"AIM"=C:\Program Files\AIM\aim.exe [2006-08-01 67112]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-08-30 4670704]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\Windows\system32\klogon.dll [2008-11-11 218376]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1406e0f-422f-11de-ab2c-001e6852739d}]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c194925b-468c-11dd-9adb-806e6f6e6963}]
shell\AutoRun\command - E:\FalloutLauncher.exe


======List of files/folders created in the last 1 months======

2009-06-02 22:23:48 ----D---- C:\rsit
2009-06-02 00:45:50 ----D---- C:\Program Files\Trend Micro
2009-06-02 00:32:32 ----SHD---- C:\Config.Msi
2009-05-31 13:18:59 ----D---- C:\RECYCLER
2009-05-31 12:50:03 ----D---- C:\Program Files\DOSBox-0.73
2009-05-31 12:15:11 ----D---- C:\Program Files\ArtMoney
2009-05-15 22:43:16 ----A---- C:\smap.tmp0
2009-05-15 14:47:39 ----A---- C:\Windows\Index.ini
2009-05-15 10:44:01 ----D---- C:\ProgramData\PMB Files
2009-05-15 10:43:39 ----D---- C:\Program Files\Pando Networks
2009-05-15 00:26:47 ----D---- C:\ProgramData\Kaspersky Lab Setup Files
2009-05-14 20:53:15 ----D---- C:\Program Files\Microsoft Games for Windows - LIVE
2009-05-11 10:27:17 ----D---- C:\ProgramData\WindowsSearch
2009-05-09 08:08:56 ----D---- C:\Users\Pozi\AppData\Roaming\dvdcss

======List of files/folders modified in the last 1 months======

2009-06-02 22:23:54 ----D---- C:\Windows\Prefetch
2009-06-02 22:23:51 ----D---- C:\Windows\Temp
2009-06-02 21:56:55 ----D---- C:\Users\Pozi\AppData\Roaming\Skype
2009-06-02 21:56:10 ----D---- C:\Program Files\Steam
2009-06-02 21:55:36 ----D---- C:\Users\Pozi\AppData\Roaming\skypePM
2009-06-02 21:54:04 ----D---- C:\Windows\Minidump
2009-06-02 21:53:59 ----D---- C:\Windows
2009-06-02 14:50:22 ----A---- C:\Windows\ntbtlog.txt
2009-06-02 00:58:46 ----D---- C:\Windows\system32\catroot
2009-06-02 00:45:54 ----D---- C:\Windows\system32\Tasks
2009-06-02 00:45:50 ----D---- C:\Program Files
2009-06-02 00:35:12 ----D---- C:\Windows\system32\drivers
2009-06-02 00:34:57 ----D---- C:\Windows\inf
2009-06-02 00:33:53 ----SHD---- C:\Windows\Installer
2009-06-02 00:33:12 ----D---- C:\Windows\System32
2009-06-01 16:23:20 ----D---- C:\Program Files\City of Heroes
2009-05-31 13:25:20 ----D---- C:\Users\Pozi\AppData\Roaming\uTorrent
2009-05-31 05:43:47 ----SHD---- C:\System Volume Information
2009-05-29 15:04:59 ----D---- C:\Program Files\Common Files\Steam
2009-05-29 15:04:28 ----D---- C:\ProgramData\Kaspersky Lab
2009-05-28 22:51:43 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-05-24 11:19:01 ----D---- C:\Windows\Tasks
2009-05-24 11:18:49 ----D---- C:\Users\Pozi\AppData\Roaming\Hewlett-Packard
2009-05-24 11:17:51 ----D---- C:\ProgramData\Hewlett-Packard
2009-05-15 12:15:46 ----D---- C:\AeriaGames
2009-05-15 10:44:01 ----HD---- C:\ProgramData
2009-05-15 00:33:27 ----D---- C:\Program Files\Kaspersky Lab
2009-05-15 00:28:52 ----D---- C:\Windows\system32\catroot2
2009-05-14 03:12:43 ----D---- C:\Windows\winsxs
2009-05-14 03:01:20 ----D---- C:\Program Files\Windows Mail
2009-05-13 11:27:58 ----D---- C:\Program Files\Mozilla Firefox
2009-05-13 02:23:10 ----SD---- C:\Windows\Downloaded Program Files
2009-05-07 00:16:29 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 kl1;kl1; C:\Windows\system32\DRIVERS\kl1.sys [2008-07-21 121872]
R1 KLIF;Kaspersky Lab Driver; C:\Windows\system32\DRIVERS\klif.sys [2009-05-15 239120]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter; C:\Windows\system32\DRIVERS\klim6.sys [2008-07-09 20496]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-21 37376]
R2 STEC3;STEC3; \??\C:\Windows\system32\STEC3.sys [2008-12-01 2368]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 HpqKbFiltr;HpqKbFilter Driver; C:\Windows\system32\DRIVERS\HpqKbFiltr.sys [2007-06-18 16768]
R3 HpqRemHid;HP Remote Control HID Device; C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 7168]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-03-12 1747936]
R3 KLFLTDEV;Kaspersky Lab KLFltDev; C:\Windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver; C:\Windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-06-28 2222080]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-01-30 7544832]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-09-17 98816]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-20 88576]
R3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2007-01-17 983936]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-01-18 196784]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
S3 awi8agjf;awi8agjf; C:\Windows\system32\drivers\awi8agjf.sys []
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
S3 cpuz130;cpuz130; \??\C:\Users\Pozi\AppData\Local\Temp\cpuz130\cpuz_x32.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 ENTECH;ENTECH; \??\C:\Windows\system32\DRIVERS\ENTECH.sys [2008-09-17 27672]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-20 987648]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2008-01-20 2225664]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvm60x32.sys [2006-11-02 429056]
S3 RivaTuner32;RivaTuner32; \??\C:\Program Files\RivaTuner v2.24\RivaTuner32.sys [2009-02-25 9088]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-20 73088]
S3 USBIO;USBIO Driver (usbio.sys); C:\Windows\System32\Drivers\usbio.sys [2001-05-07 19805]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2008-01-20 654336]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S3 XDva202;XDva202; \??\C:\Windows\system32\XDva202.sys []
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2008-06-16 94208]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe [2006-05-02 135168]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2008-04-15 354840]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-08-23 79136]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-01-30 203296]
R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2008-08-26 66872]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS); C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [2007-12-19 271760]
R2 QPSched;QuickPlay Task Scheduler (QTS); C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [2007-12-19 112016]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-01-09 272024]
S2 avp;Kaspersky Internet Security; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe [2009-05-15 206088]
S3 Com4Qlb;Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [2007-03-05 110592]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-05-22 322032]

-----------------EOF-----------------

And here is the info.txt file RSIT generated as well.

info.txt logfile of random's system information tool 1.06 2009-06-02 22:23:57

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->MsiExec /X{8AAB4176-A747-493A-A42C-B63CFADFD8E3}
7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"
Action Replay Code Manager-->"C:\Action Replay Code Manager\unins000.exe"
ActiveCheck component for HP Active Support Library-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
Adobe Shockwave Player-->MsiExec.exe /X{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}
AOL Instant Messenger-->C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
ArtMoney PRO v7.29-->"C:\Program Files\ArtMoney\Uninstall\unins001.exe"
ArtMoney SE v7.30.3-->"C:\Program Files\ArtMoney\Uninstall\unins000.exe"
Battlefield 2142 Deluxe Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x9 -removeonly
Build Your Own Net Dream (remove only)-->C:\Program Files\BYOND\Uninst.exe
CDisplay 1.8-->"C:\Program Files\CDisplay\unins000.exe"
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
CyberLink YouCam-->"C:\Program Files\InstallShield Installation Information\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\Setup.exe" /z-uninstall
CyberLink YouCam-->"C:\Program Files\InstallShield Installation Information\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\Setup.exe" /z-uninstall
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Dream Of Mirror Online-->C:\AeriaGames\DOMO\Uninst.exe
DVD Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Fallout 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
FOCMapEditor-->MsiExec.exe /I{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}
Futuremark SystemInfo-->"C:\Program Files\InstallShield Installation Information\{BEE64C14-BEF1-4610-8A68-A16EAA47B882}\setup.exe" -runfromtemp -l0x0009 -removeonly
Gmask 1.70 English-->C:\Program Files\Gmask 1.70 English\uninstal.exe
Hauppauge MCE XP/Vista Software Encoder (2.0.25149)-->C:\PROGRA~1\WinTV\UNSftMCE.EXE C:\PROGRA~1\WinTV\softMCE.LOG
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Active Support Library-->C:\Program Files\InstallShield Installation Information\{5DAA9C36-8F8B-462F-8CCA-E205BC3751F5}\setup.exe -runfromtemp -l0x0409
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD0E2B92-3814-46F0-893B-4612EA010C7E}\setup.exe" -l0x9 -removeonly
HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP Easy Setup - Frontend-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9885A11E-60E4-417C-B58B-8B31B21C0B8A}\setup.exe" -l0x9 -removeonly
HP Help and Support-->MsiExec.exe /X{31216452-5540-4C96-B754-94890A63D5AB}
HP Photosmart Essential 2.5-->C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Product Detection-->MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Quick Launch Buttons 6.30 E1-->C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe -runfromtemp -l0x0009 uninst
HP QuickPlay 3.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP QuickTouch 1.00 C4-->MsiExec.exe /I{7DC4A410-9986-4329-9E5D-687B2C42CA39}
HP Smart Web Printing-->msiexec /i{082F8ABA-84D5-4837-9DFC-F365D91A07D4}
HP Total Care Advisor-->MsiExec.exe /X{b02df929-29a7-4fd2-9a70-81a644b635f7}
HP Update-->MsiExec.exe /X{7059BDA7-E1DB-442C-B7A1-6144596720A4}
HP User Guides 0087-->MsiExec.exe /I{4D49757C-367A-4333-BDB3-68966162B14E}
HP Wireless Assistant-->MsiExec.exe /I{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}
HPAsset component for HP Active Support Library-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HPNetworkAssistant-->MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
Intel® Matrix Storage Manager-->C:\Windows\system32\imsmudlg.exe -uninstall
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kaspersky Internet Security 2009-->MsiExec.exe /I{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}
Kaspersky Internet Security 2009-->MsiExec.exe /I{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}
La Tale-->C:\Games\OGP\La Tale\Uninstall.exe
LabelPrint-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\setup.exe" -uninstall
ManyCam 2.4 (remove only)-->"C:\Program Files\ManyCam 2.4\uninstall.exe"
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4D243BA7-9AC4-46D1-90E5-EEB88974F501}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office XP Media Content-->MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Standard for Students and Teachers-->MsiExec.exe /I{913D0409-6000-11D3-8CFE-0050048383C9}
Microsoft Reader-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6F7DBE7-2FE2-458F-A738-B10832746036}\Setup.exe" -L0x9
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Mids' Hero Designer-->MsiExec.exe /I{EB091AF7-A73B-4AD8-A40F-C0369BC9C269}
Motorola SM56 Data Fax Modem-->rundll32.exe sm56co6a.dll,SM56UnInstaller
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
muvee autoProducer 6.1-->C:\Program Files\InstallShield Installation Information\{250E9609-E830-43EB-B379-DAB7546A2422}\muveesetup.exe -removeonly -runfromtemp
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{8AAB4176-A747-493A-A42C-B63CFADFD8E3}
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Paint.NET v3.36-->MsiExec.exe /X{43602F34-1AA3-44FB-AEB2-D08C2C73743F}
Pando Media Booster-->C:\Program Files\Pando Networks\Media Booster\uninst.exe
Power2Go-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDirector-->"C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe" /z-uninstall
Real Alternative 1.9.0-->"C:\Program Files\Real Alternative\unins000.exe"
Real Lives 2007-->C:\Program Files\Educational Simulations\Real Lives\UnInstall_21355.exe
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
RivaTuner v2.24-->"C:\Program Files\RivaTuner v2.24\uninstall.exe"
Shin Megami Tensei: Imagine Online-->C:\AeriaGames\MegaTen\Uninst.exe
Sid Meier's Civilization 4 - Beyond the Sword-->C:\Program Files\InstallShield Installation Information\{32E4F0D2-C135-475E-A841-1D59A0D22989}\setup.exe -runfromtemp -l0x0009 -removeonly
Sid Meier's Civilization 4 - Warlords-->C:\Program Files\InstallShield Installation Information\{3E4B349F-10B5-4586-9D99-489A90A8B228}\setup.exe -runfromtemp -l0x0009 -removeonly
Sid Meier's Civilization 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SnagIt 9-->MsiExec.exe /I{59991D18-A988-45AB-B1BF-5ADE6E64CD3F}
Star Wars Empire at War Forces of Corruption-->C:\Program Files\InstallShield Installation Information\{6592FDEC-2C1A-413A-9985-25FEC2F0848D}\Setup.exe -runfromtemp -l0x0009 -removeonly
Star Wars Empire at War-->C:\Program Files\InstallShield Installation Information\{99AE7207-8612-4DBA-A8F8-BAE5C633390D}\Setup.exe -runfromtemp -l0x0009 -removeonly
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Team Fortress 2 Dedicated Server-->"C:\Program Files\Steam\steam.exe" steam://uninstall/310
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
Unreal Tournament 3-->"C:\Program Files\Steam\steam.exe" steam://uninstall/13210
VLC media player 0.9.9-->C:\Program Files\VideoLAN\VLC\uninstall.exe
WeatherBug Gadget-->MsiExec.exe /I{209CDA54-D390-46A2-A97C-7BF61734418D}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Security center information======

AV: Kaspersky Internet Security (outdated)
FW: Kaspersky Internet Security
AS: Windows Defender
AS: Kaspersky Internet Security

======System event log======

Computer Name: T3h_H4rdw4r3
Event Code: 7001
Message: The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error:
The RPC server is unavailable.
Record Number: 61292
Source Name: Service Control Manager
Time Written: 20090603045443.000000-000
Event Type: Error
User:

Computer Name: T3h_H4rdw4r3
Event Code: 7000
Message: The Parallel port driver service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Record Number: 61325
Source Name: Service Control Manager
Time Written: 20090603045443.000000-000
Event Type: Error
User:

Computer Name: T3h_H4rdw4r3
Event Code: 7009
Message: A timeout was reached (30000 milliseconds) while waiting for the Kaspersky Internet Security service to connect.
Record Number: 61327
Source Name: Service Control Manager
Time Written: 20090603045443.000000-000
Event Type: Error
User:

Computer Name: T3h_H4rdw4r3
Event Code: 7000
Message: The Kaspersky Internet Security service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Record Number: 61328
Source Name: Service Control Manager
Time Written: 20090603045443.000000-000
Event Type: Error
User:

Computer Name: T3h_H4rdw4r3
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
NVStrap
Record Number: 61358
Source Name: Service Control Manager
Time Written: 20090603045443.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: T3h_H4rdw4r3
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 11367
Source Name: Microsoft-Windows-WMI
Time Written: 20090602083209.000000-000
Event Type: Error
User:

Computer Name: T3h_H4rdw4r3
Event Code: 6000
Message: The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Record Number: 11377
Source Name: Microsoft-Windows-Winlogon
Time Written: 20090602175250.000000-000
Event Type: Warning
User:

Computer Name: T3h_H4rdw4r3
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 11379
Source Name: Microsoft-Windows-WMI
Time Written: 20090602175256.000000-000
Event Type: Error
User:

Computer Name: T3h_H4rdw4r3
Event Code: 4609
Message: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043c from line 45 of d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Record Number: 11380
Source Name: Microsoft-Windows-EventSystem
Time Written: 20090602175300.000000-000
Event Type: Error
User:

Computer Name: T3h_H4rdw4r3
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 11403
Source Name: Microsoft-Windows-WMI
Time Written: 20090603045443.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: T3h_H4rdw4r3
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 19754
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090603052354.501138-000
Event Type: Audit Failure
User:

Computer Name: T3h_H4rdw4r3
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 19755
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090603052354.533138-000
Event Type: Audit Failure
User:

Computer Name: T3h_H4rdw4r3
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 19756
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090603052354.564138-000
Event Type: Audit Failure
User:

Computer Name: T3h_H4rdw4r3
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 19757
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090603052354.595138-000
Event Type: Audit Failure
User:

Computer Name: T3h_H4rdw4r3
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 19758
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090603052354.626138-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\CyberLink\Power2Go\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"PLATFORM"=MCD
"PCBRAND"=Pavilion
"OnlineServices"=Online Services
"USERPART"=E:

-----------------EOF-----------------


I'm anxiously awaiting your response, fellows.
I'm attaching them as .txt files if that is necessary.

Attached Files

  • info.txt (19.83KB)
  • log.txt (27.19KB)

Edited by Poen, 03 June 2009 - 12:48 AM.



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:36 AM

Posted 03 June 2009 - 07:18 AM

Hello Poen,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Your computer is still infected. The malware has a trojan DNS-changer and a rootkit component.

When you perform the following step, in case ComboFix does not run, rename the ComboFix.exe you have downloaded to your desktop to poen.exe and run it.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 Poen

Poen
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:36 PM

Posted 03 June 2009 - 11:47 PM

Oh my god! I can't believe it, I think this killed it, whatever it did.

I don't suppose you could tell me what it was that was infecting my computer, how I contracted it, and how this thing did better than both my antivirus and the other software I tried to use.... haha maybe that's asking too much. haha.

So am I clean, doc?


Btw, that's twice you've saved my bacon, farbar!

ComboFix 09-06-03.04 - Pozi 06/03/2009 21:12.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2291 [GMT -7:00]
Running from: c:\users\Pozi\Desktop\Poen.exe
AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Internet Security *enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
/wow section - STAGE 1
Access is denied.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\drivers\gxvxcwoexmisxpvubpbjqousiewfqqmtcxisp.sys
c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
c:\windows\system32\gxvxcjerceynsqvwmtdripnwibkyspdcbxcpq.dll
c:\windows\system32\gxvxcpbvqhrolwxywsitvfyuprbacrekcefmo.dll
c:\windows\system32\KBL.LOG
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-04 04:22 . 2009-06-04 04:28 -------- d-----w- c:\users\Pozi\AppData\Local\temp
2009-06-03 05:23 . 2009-06-03 05:23 -------- d-----w- C:\rsit
2009-06-02 17:22 . 2009-06-02 17:23 -------- d-----w- c:\users\Pozi\DoctorWeb
2009-06-02 07:45 . 2009-06-03 05:23 -------- d-----w- c:\program files\Trend Micro
2009-05-31 19:54 . 2009-05-31 19:54 -------- d-----w- c:\users\Pozi\AppData\Local\DOSBox
2009-05-31 19:50 . 2009-05-31 19:50 -------- d-----w- c:\program files\DOSBox-0.73
2009-05-31 19:15 . 2009-05-31 20:33 -------- d-----w- c:\program files\ArtMoney
2009-05-29 06:07 . 2009-05-29 06:07 -------- d-----w- c:\users\Pozi\AppData\Local\MigWiz
2009-05-15 17:44 . 2009-05-16 15:16 -------- d-----w- c:\users\Pozi\AppData\Local\PMB Files
2009-05-15 17:44 . 2009-05-15 19:05 -------- d-----w- c:\programdata\PMB Files
2009-05-15 17:43 . 2009-05-15 17:43 -------- d-----w- c:\program files\Pando Networks
2009-05-15 17:02 . 2009-05-15 17:02 206088 ----a-w- c:\programdata\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-05-15 17:02 . 2009-05-15 17:02 33808 ----a-w- c:\programdata\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-05-15 17:02 . 2009-05-15 17:02 239120 ----a-w- c:\programdata\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\Vista\klif.sys
2009-05-15 07:47 . 2009-06-04 04:23 712736 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-05-15 07:26 . 2009-05-15 07:26 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-05-15 03:53 . 2009-05-15 03:54 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-05-11 17:27 . 2009-05-11 17:27 -------- d-----w- c:\programdata\WindowsSearch
2009-05-09 15:08 . 2009-05-10 03:55 -------- d-----w- c:\users\Pozi\AppData\Roaming\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 04:28 . 2008-09-10 21:39 -------- d-----w- c:\users\Pozi\AppData\Roaming\Skype
2009-06-04 04:28 . 2008-06-29 14:56 -------- d-----w- c:\programdata\Kaspersky Lab
2009-06-04 04:28 . 2008-10-29 03:36 -------- d-----w- c:\program files\Steam
2009-06-04 04:23 . 2009-05-15 07:47 3516 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-04 04:23 . 2008-06-29 14:56 893432 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-04 04:23 . 2008-06-29 14:56 67664160 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-04 03:56 . 2009-04-14 00:25 31776 ----a-w- c:\programdata\nvModes.dat
2009-06-04 01:52 . 2008-09-10 21:40 -------- d-----w- c:\users\Pozi\AppData\Roaming\skypePM
2009-06-02 15:59 . 2008-09-12 05:44 3054 ----a-w- c:\users\Pozi\AppData\Roaming\wklnhst.dat
2009-06-02 07:38 . 2008-06-30 11:31 7592 ----a-w- c:\users\Pozi\AppData\Local\d3d9caps.dat
2009-06-01 23:23 . 2008-06-30 20:04 -------- d-----w- c:\program files\City of Heroes
2009-05-31 20:25 . 2008-06-30 07:36 -------- d-----w- c:\users\Pozi\AppData\Roaming\uTorrent
2009-05-29 22:04 . 2008-10-29 03:36 -------- d-----w- c:\program files\Common Files\Steam
2009-05-24 18:18 . 2008-06-29 14:25 -------- d-----w- c:\users\Pozi\AppData\Roaming\Hewlett-Packard
2009-05-24 18:17 . 2008-02-18 06:55 -------- d-----w- c:\programdata\Hewlett-Packard
2009-05-20 12:44 . 2008-06-29 14:57 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-20 12:44 . 2008-06-29 14:57 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-15 07:33 . 2008-06-29 14:56 -------- d-----w- c:\program files\Kaspersky Lab
2009-05-14 10:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-02 00:53 . 2009-05-02 00:53 -------- d-----w- c:\users\Pozi\AppData\Roaming\vlc
2009-05-01 20:27 . 2009-05-01 20:27 1269760 ----a-r- c:\windows\system32\CohUpdater.tmp
2009-05-01 20:27 . 2009-05-01 20:27 643072 ----a-w- c:\windows\system32\CohUpdater_UI_Win.dll
2009-04-28 06:41 . 2009-04-28 06:41 3262 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_701f5d03.exe
2009-04-28 06:41 . 2009-04-28 06:41 3262 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_4e45323b.exe
2009-04-28 06:41 . 2009-04-28 06:41 1078 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_7f967ff5.exe
2009-04-28 06:41 . 2009-04-28 06:41 1078 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_7a5a767d.exe
2009-04-28 06:41 . 2009-04-28 06:41 1078 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_6e5d1ad4.exe
2009-04-28 06:41 . 2009-04-28 06:41 1078 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_6b8930a.exe
2009-04-28 06:41 . 2009-04-28 06:41 1078 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_63cb6bfc.exe
2009-04-28 06:41 . 2009-04-28 06:41 1078 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_45091238.exe
2009-04-28 06:41 . 2009-04-28 06:41 1078 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_3b251e1f.exe
2009-04-28 06:41 . 2009-04-28 06:41 1078 ----a-r- c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_2213260d.exe
2009-04-28 05:59 . 2009-04-21 00:31 -------- d-----w- c:\program files\LucasArts
2009-04-28 05:59 . 2008-02-18 05:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-21 01:26 . 2009-04-21 01:26 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2009-04-15 08:52 . 2008-06-29 14:27 78224 ----a-w- c:\users\Pozi\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-15 07:30 . 2009-04-15 07:30 -------- d-----w- c:\program files\TRINITRON CG
2009-04-15 04:57 . 2009-04-15 04:56 -------- d-----w- c:\program files\ManyCam 2.4
2009-04-14 00:56 . 2009-04-14 00:56 -------- d-----w- c:\program files\RivaTuner v2.24
2009-04-14 00:31 . 2008-04-21 13:59 -------- d-----w- c:\programdata\NVIDIA
2009-04-14 00:25 . 2009-03-08 20:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-04-14 00:25 . 2009-03-08 20:22 -------- d-----w- c:\program files\AGEIA Technologies
2009-04-09 02:28 . 2008-07-02 07:08 27744 ----a-w- c:\users\Pozi\AppData\Roaming\nvModes.dat
2009-04-09 02:19 . 2009-04-09 02:19 -------- d--h--w- c:\programdata\.igpm
2009-04-08 23:15 . 2009-04-08 10:43 -------- d-----w- c:\users\Pozi\AppData\Roaming\ManyCam
2009-04-05 10:33 . 2008-02-18 07:04 -------- d-----w- c:\program files\Java
2009-03-31 22:35 . 2009-05-24 18:05 17160 ----a-w- c:\windows\Help\OEM\scripts\HC_TotalCareAdvisorUpdate.exe
2009-03-31 00:30 . 2009-05-24 18:05 17160 ----a-w- c:\windows\Help\OEM\scripts\HC_DanzkaDubraBIOSUpdate.exe
2009-03-17 03:38 . 2009-04-15 21:58 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 21:58 24064 ----a-w- c:\windows\system32\amxread.dll
2009-03-09 12:19 . 2008-12-01 11:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-07 01:12 . 2008-04-16 22:25 21256 ----a-w- c:\windows\Help\OEM\scripts\HPScript.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-24 455968]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"Steam"="c:\program files\steam\steam.exe" [2009-05-22 1217784]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 4670704]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 92704]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-05-15 206088]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-10 4390912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd.dll c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~1\KASPER~1\KASPER~1\adialhk.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FD70B73F-1FD2-4086-887E-17DB85C7E509}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{50E85B62-97D2-4CB1-89E3-E9E26263F4C2}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{750F4831-CFD0-48EB-966A-31F4D4A6793B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C43B89FB-672D-414B-AA5E-5A4CAB9028B5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CD52968A-5E2C-477F-9D1A-B0F2E2DF3423}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{BE633EB7-A30E-4995-9363-7D4D4E18BC94}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D5FBDF57-0801-4DB4-A9A7-89D36E454DC9}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A91C4F27-BD6C-4674-8847-A68274199BD1}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{979E409E-BDBF-4968-BBB6-C0E0E2C86B9A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{81D8D5B2-4F1A-43D0-8D06-27A98C00A3F5}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4D9BA8BA-CCA5-404E-AEA3-E31A8ECB2323}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{835C35B4-3898-4E1F-9EC3-FDE00CC67E54}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{166A1F14-07D7-4085-9D42-C49A848BCC68}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{4B4622ED-EA35-42C3-AE02-AEB4412C47C0}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{408A6ED3-D6D7-4229-A3CB-344FFFC4836A}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BE097328-DFB4-4CB4-9968-0EF8EDBD9281}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{DE6AC1AC-A256-460A-B7A7-90446E0FD877}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{B083F6E8-612D-4401-8CD1-B1DDB7E78C52}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{66A7BB68-67C4-44F3-A997-4180701EE276}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{06047ADB-9390-4DD5-8A96-E3D163A62404}"= UDP:c:\2142\BF2142.exe:Battlefield 2142
"{18EEC185-8AAF-4701-B9A3-B6F650509DD1}"= TCP:c:\2142\BF2142.exe:Battlefield 2142
"{2D72B16F-AB14-49F7-91A7-2C177751A1E4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{BFB3A247-BFEE-4A1F-9F92-B3CA525C29F6}"= UDP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{02875DFB-C994-4BD3-AA12-461932DA0A7A}"= TCP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{24317215-D42F-4300-ACE3-B9B25500D22A}"= UDP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{AA7FB2A6-F228-42C7-BBAE-ABD392F2AD6F}"= TCP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{6405DE7D-C62B-4FCE-9664-6A127921BFE1}"= UDP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{8066F9C8-E667-43C7-856B-3FDBCBF6DB86}"= TCP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{2977FA28-3B9B-477A-BBC1-6B79C6C7CAF1}"= UDP:c:\program files\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe:Peggle Extreme
"{803EF5EB-DDAA-481C-9ED9-ECEA70D2CB67}"= TCP:c:\program files\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe:Peggle Extreme
"{0BA07A2D-BA7B-4CC8-A212-F69D972FD1B7}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{C0DC5B3B-2980-4559-92C6-6B8A5A72439A}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{5D20FD65-A576-4A9A-BF0C-DB16973F9663}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{EA1A8A48-0D0A-4032-BCEA-98914D3FCA55}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{97681DDA-F2E0-42ED-A8E3-88812478F455}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{8A7B03E5-164F-41CB-84BD-A4B8954F6FEA}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{151DCD12-050F-4C15-81ED-C00357B12771}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{3EA2B2CB-1071-4FEB-8137-2CF9F19F5AB4}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{8CFE2BBF-EABC-4237-A486-D0503CFA9F04}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{035B07CB-7C98-4E94-8ECC-314FB3E1F9E3}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{C3F6FCDD-FCD3-457A-A621-61D3531F0F0D}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{5BD3BF4C-351D-4BB8-A07F-2FBDE91EAF36}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{F46B356E-FA93-4FF2-9C1F-3FD36848D89B}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{8C10D9DC-063F-483B-9E73-A4D6BB2434B6}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{36271F67-3A85-465E-9601-FE2D239231EA}"= UDP:c:\program files\Steam\SteamApps\common\left 4 dead\srcds.exe:Left 4 Dead Dedicated Server
"{4A01BD45-6AD8-4E51-80DF-AD3EE073468D}"= TCP:c:\program files\Steam\SteamApps\common\left 4 dead\srcds.exe:Left 4 Dead Dedicated Server
"{B2AF27FA-526D-484A-B9A1-364A2FDD3AB4}"= UDP:c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{2849DE4D-E91D-415C-A014-8687EF525ECF}"= TCP:c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{642D76CE-EDCB-426C-AD8D-195D26C72E65}"= UDP:c:\program files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars™: Empire at War™
"{80C80D72-C530-4325-8C8E-FF153BBB0A6C}"= TCP:c:\program files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars™: Empire at War™
"{64014FF2-D800-4633-9452-C9621F34E4E8}"= UDP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{7A0F4B75-D07F-4726-A91C-76BB4C87421D}"= TCP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"TCP Query User{098BD030-01A8-48C8-8DB8-C72B8F95854E}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{4E2436B2-34FD-4052-B52A-E5F8CC128267}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{169EBB1B-11C8-4744-BE12-0EFE02BD24EC}c:\\program files\\pando networks\\media booster\\pmb.exe"= UDP:c:\program files\pando networks\media booster\pmb.exe:Pando Media Booster
"UDP Query User{E987D665-BBBC-4E83-8BAD-A18D8C9C6737}c:\\program files\\pando networks\\media booster\\pmb.exe"= TCP:c:\program files\pando networks\media booster\pmb.exe:Pando Media Booster
"{76D507C4-19AC-4F61-8760-1B86404DE6FD}"= UDP:c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{3546C46B-61A5-4866-8AB7-D4AFF09471FE}"= TCP:c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:Left 4 Dead
"TCP Query User{4E9E7134-A2CB-4294-BFDF-7FDF1C515756}c:\\program files\\steam\\steamapps\\illchy\\team fortress 2\\hl2.exe"= UDP:c:\program files\steam\steamapps\illchy\team fortress 2\hl2.exe:hl2
"UDP Query User{6A4DE951-E247-43F9-83A3-683ACC038038}c:\\program files\\steam\\steamapps\\illchy\\team fortress 2\\hl2.exe"= TCP:c:\program files\steam\steamapps\illchy\team fortress 2\hl2.exe:hl2
"TCP Query User{7995FC1F-6C39-4F31-BB32-ECE5093C08C1}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{270E2A2A-67F1-4931-9FD9-1AD577CC3815}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{23151F5A-E597-4199-B0B4-8574A2083E4F}c:\\users\\pozi\\desktop\\gang garrison 2\\gang garrison 2.exe"= UDP:c:\users\pozi\desktop\gang garrison 2\gang garrison 2.exe:gang garrison 2.exe
"UDP Query User{DCD5FFBD-56FE-4F84-A66E-62E13B0933DA}c:\\users\\pozi\\desktop\\gang garrison 2\\gang garrison 2.exe"= TCP:c:\users\pozi\desktop\gang garrison 2\gang garrison 2.exe:gang garrison 2.exe
"{3AD5AE67-BE0D-4324-9C9F-8AC316CDB25C}"= UDP:c:\program files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe:Star Wars®: Empire at War™: Forces of Corruption™
"{9F0B0345-E86B-410C-A97F-C3DD8BFF3B25}"= TCP:c:\program files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe:Star Wars®: Empire at War™: Forces of Corruption™
"TCP Query User{2A2DED04-9793-4559-97A1-511EC8EA79A2}c:\\program files\\lucasarts\\star wars empire at war forces of corruption\\swfoc.exe"= UDP:c:\program files\lucasarts\star wars empire at war forces of corruption\swfoc.exe:Star Wars®: Empire at War™: Forces of Corruption™
"UDP Query User{3D726099-2E86-4DCF-9DE1-D286913BE526}c:\\program files\\lucasarts\\star wars empire at war forces of corruption\\swfoc.exe"= TCP:c:\program files\lucasarts\star wars empire at war forces of corruption\swfoc.exe:Star Wars®: Empire at War™: Forces of Corruption™

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\System32\drivers\klbg.sys [1/29/2008 5:29 PM 32784]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [7/9/2008 5:28 PM 20496]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\System32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\System32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
S0 NVStrap;NVStrap;c:\windows\System32\drivers\NVStrap.sys [4/13/2009 6:04 PM 4224]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\HPCeeScheduleForPozi.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-02-18 19:58]

2009-06-03 c:\windows\Tasks\User_Feed_Synchronization-{EBAC9960-F52A-434F-812C-CEAD23C7530A}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Pozi\AppData\Roaming\Mozilla\Firefox\Profiles\ddyxbokn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\BYOND\bin\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 21:26
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2405079018-301773705-2127879220-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{931D4B43-FBFD-4941-DE24-0F5BE8E45B3B}*]
"hallckciimhlnoph"=hex:63,62,63,65,63,6f,6e,6e,62,69,64,67,69,64,62,61,67,6b,
68,6a,63,6d,65,64,68,6b,6b,6d,68,6f,69,6b,66,70,70,6c,63,66,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\PnkBstrA.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Common Files\Steam\SteamService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-06-04 21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 04:34

Pre-Run: 123,244,957,696 bytes free
Post-Run: 125,817,024,512 bytes free

305 --- E O F --- 2009-05-28 22:23

Attached file: log.txt (27.07KB)


#4 Farbar (Security Developer, 21,730 posts, The Netherlands)

Posted 04 June 2009 - 05:18 AM

Poen wrote:
Oh my god! I can't believe it, I think this killed it, whatever it did.

I don't suppose you could tell me what it was that was infecting my computer, how I contracted it, and how this thing did better than both my antivirus and the other software I tried to use.... haha maybe that's asking too much. haha.

As I mentioned, it is a malware (I think a Zlob variant) with a rootkit and a trojan DNS-Changer component. I can't say how you contracted it: downloading something via p2p, going to a bad site, clicking on a bad link, downloading a video, etc.

Poen wrote:
So am I clean, doc?

Still a little work to do.

++++++++++++++++++

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty p2p (uTorrent) download folder. It might contain infected files.

  • Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/index.php?showtopic=231306&hl
    
    Collect::
    c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_4e45323b.exe
    c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_3b251e1f.exe
    Folder::
    c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}
    RegNull::
    [HKEY_USERS\S-1-5-21-2405079018-301773705-2127879220-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{931D4B43-FBFD-4941-DE24-0F5BE8E45B3B}*]
    RegLockDel::
    [HKEY_USERS\S-1-5-21-2405079018-301773705-2127879220-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{931D4B43-FBFD-4941-DE24-0F5BE8E45B3B}]
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}=-

    Save this as CFScript.txt


    [Image: CFScript.txt being dragged onto ComboFix.exe]


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply. No need to attach the log.

    **Important Note**

    When CF finishes running, the ComboFix log might open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java SE Runtime Environment (JRE)" JRE 6 Update 14.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Tell me also how your computer is running.
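
Added example (not code from this thread or from ComboFix): a Python dry-run reviewer that cross-checks the RegNull:: and RegLockDel:: targets of the CFScript above against the "LOCKED REGISTRY KEYS" section of the ComboFix log posted earlier, and decodes the REG_BINARY `hex:` data it finds there, so a helper can confirm the script touches exactly the key the scan reported before anyone drags it onto ComboFix. The log excerpt and the script are copied (abridged) from this thread; the directive names are the ones the script uses; the "letters a-p only" value-name heuristic is an assumption of this example, not a ComboFix rule.

```python
"""Dry-run reviewer for a ComboFix CFScript: cross-check its RegNull::/RegLockDel::
targets against the LOCKED REGISTRY KEYS section of the log and decode hex: data.
Added example for this thread, not ComboFix's own code."""
import re
from collections import OrderedDict

# Sample input copied (abridged) from the log and the script posted in this thread.
LOG_EXCERPT = r"""--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2405079018-301773705-2127879220-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{931D4B43-FBFD-4941-DE24-0F5BE8E45B3B}*]
"hallckciimhlnoph"=hex:63,62,63,65,63,6f,6e,6e,62,69,64,67,69,64,62,61,67,6b,
68,6a,63,6d,65,64,68,6b,6b,6d,68,6f,69,6b,66,70,70,6c,63,66,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
"""

CFSCRIPT = r"""http://www.bleepingcomputer.com/forums/index.php?showtopic=231306&hl

Collect::
c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}\_4e45323b.exe
Folder::
c:\users\Pozi\AppData\Roaming\Microsoft\Installer\{1E869B1A-FE19-4519-B9AE-EF383A7C00E4}
RegNull::
[HKEY_USERS\S-1-5-21-2405079018-301773705-2127879220-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{931D4B43-FBFD-4941-DE24-0F5BE8E45B3B}*]
RegLockDel::
[HKEY_USERS\S-1-5-21-2405079018-301773705-2127879220-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{931D4B43-FBFD-4941-DE24-0F5BE8E45B3B}]
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}=-
"""


def parse_locked_keys(log_text):
    """Return {key_path: {value_name: raw_data}} for the LOCKED REGISTRY KEYS section."""
    keys, current, pending = OrderedDict(), None, None
    lines = iter(log_text.splitlines())
    for line in lines:                      # skip ahead to the section header
        if "LOCKED REGISTRY KEYS" in line:
            break
    for raw in lines:
        line = raw.strip()
        if line == "." or line.startswith("---"):
            break                           # start of the next log section
        if not line:
            continue
        if pending:                         # hex: data wrapped onto this line
            keys[current][pending] += line
            pending = pending if line.endswith(",") else None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = OrderedDict()
        elif current and not line.startswith("@"):   # '@Denied:' lines are ACL notes
            m = re.match(r'"([^"]*)"=(.*)', line)
            if m:
                name, data = m.groups()
                keys[current][name] = data
                pending = name if data.startswith("hex:") and data.endswith(",") else None
    return keys


def decode_hex_value(data):
    """Turn 'hex:63,62,...' (REG_BINARY as ComboFix prints it) into bytes."""
    if not data.startswith("hex:"):
        raise ValueError("not a hex: value: %r" % data)
    return bytes(int(tok, 16) for tok in data[4:].split(",") if tok)


def looks_random_name(name, min_len=12):
    """Heuristic (an assumption, not a ComboFix rule): a long value name made only of
    the letters a-p reads like nibble-encoded data rather than a product name."""
    return len(name) >= min_len and re.fullmatch(r"[a-p]+", name) is not None


def parse_cfscript(text):
    """Split a CFScript into {directive: [lines]}; text before the first 'Name::'
    line (here the thread URL) is kept under '_header'."""
    sections, current = OrderedDict([("_header", [])]), "_header"
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"(\w+)::", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def _norm_key(path):
    """Strip '[...]', the '-' delete marker and the trailing '*' so targets compare on the path alone."""
    return path.strip().strip("[]").lstrip("-").rstrip("*").lower()


def review(script_text, log_text):
    """Per RegNull::/RegLockDel:: target: was the key reported locked, what do its
    hex: values decode to, and which value names look machine-generated."""
    locked = parse_locked_keys(log_text)
    by_norm = {_norm_key(k): k for k in locked}
    sections, findings = parse_cfscript(script_text), []
    for directive in ("RegNull", "RegLockDel"):
        for target in sections.get(directive, []):
            hit = by_norm.get(_norm_key(target))
            decoded = {n: decode_hex_value(d).rstrip(b"\0").decode("ascii", "replace")
                       for n, d in (locked[hit].items() if hit else ()) if d.startswith("hex:")}
            findings.append({"directive": directive, "target": target,
                             "reported_locked": hit is not None, "decoded": decoded,
                             "suspicious_names": [n for n in decoded if looks_random_name(n)]})
    return findings
```

Calling `review(CFSCRIPT, LOG_EXCERPT)` returns one finding per registry target; for this thread both targets resolve to the same locked `Shell Extensions\Approved` key (the script's RegNull:: line carries the trailing `*` the log shows, the RegLockDel:: line does not), and its only value decodes to a 38-character lowercase string whose name and data are both drawn solely from the letters a-p, which is why the heuristic flags it. A script whose target did not appear in the locked-keys section would come back with `reported_locked` False and deserves a second look before it is run.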


#5 Poen (Topic Starter, 14 posts)

Posted 04 June 2009 - 02:09 PM

I guess I'm still in trouble. I also had this problem before, but I forgot to mention it because I was so glad everything looked fine.

When I ran ComboFix the first time, it said Kaspersky was running, but it was not in the tray, it didn't show up in processes or services in the task manager, and when I tried to run it it crashed.
Needless to say I ran ComboFix with it "on". I hope that doesn't change everything.

When I regained control after ComboFix ran, I got to open Kaspersky, and needless to say I renewed the prescription, updated and ran a full scan. While it was scanning I experienced a lot of slowdown, which is NOT really normal, but then again, it didn't bother me much honestly.

It found a few things and then I decided to see what you wanted me to do. I deleted my downloads folder like you recommended. I installed Java as well, got the .exe from the website, and during the install it said something about Kaspersky, something like it had to roll back changes or something, then the completed bar went backwards (>.> ) and then it finished up the install.

I reinstalled Java, and as we speak I'm trying to run ComboFix. It gives me the same warning that Kaspersky is running. Now, it shows up in services and processes, but it doesn't show up in the tray, I can't open it (although it does NOT give me a crash notice this time, it just gives no dialogue whatsoever) but I can't end the process because if I try another one pops up. So I'm running ComboFix with Kaspersky running again. I hope that doesn't hurt things.

Also, I don't think Kaspersky failing to open is a virus, although you're the expert....I think I just messed up my Java install somehow, cause Kaspersky used Java for its stupid animations and stuff.

I'll edit in my results, but ComboFix wants me to restart. Just wanted your thoughts on that, Farbar.

#6 Farbar (Security Developer, 21,730 posts, The Netherlands)

Posted 04 June 2009 - 02:27 PM

Thanks for mentioning this.
You have already run ComboFix; let it reboot and then we'll see.

#7 Poen (Topic Starter, 14 posts)

Posted 04 June 2009 - 04:59 PM

I fixed it, I installed Java wrong. I reinstalled Java, then uninstalled Kaspersky, THEN ran ComboFix.

So this is the log without Kaspersky interference.

ComboFix 09-06-03.04 - Pozi 06/04/2009 13:42.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.2116 [GMT -7:00]
Running from: c:\users\Pozi\Desktop\Computer Saving Stuff\Poen.exe
Command switches used :: c:\users\Pozi\Desktop\Computer Saving Stuff\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-04 20:47 . 2009-06-04 20:53 -------- d-----w- c:\users\Pozi\AppData\Local\temp
2009-06-04 20:03 . 2009-06-04 20:03 -------- d-----w- c:\program files\Java
2009-06-04 18:39 . 2009-06-04 18:49 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-04 06:33 . 2009-06-04 06:33 -------- d-----w- c:\users\Pozi\AppData\Local\Yahoo
2009-06-04 06:28 . 2009-05-27 02:50 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2009-06-04 06:18 . 2009-06-04 06:18 -------- d-----w- c:\users\Pozi\Tracing
2009-06-03 05:23 . 2009-06-03 05:23 -------- d-----w- C:\rsit
2009-06-02 17:22 . 2009-06-02 17:23 -------- d-----w- c:\users\Pozi\DoctorWeb
2009-06-02 07:45 . 2009-06-03 05:23 -------- d-----w- c:\program files\Trend Micro
2009-05-31 19:54 . 2009-05-31 19:54 -------- d-----w- c:\users\Pozi\AppData\Local\DOSBox
2009-05-31 19:50 . 2009-06-04 19:56 -------- d-----w- c:\program files\DOSBox-0.73
2009-05-29 06:07 . 2009-05-29 06:07 -------- d-----w- c:\users\Pozi\AppData\Local\MigWiz
2009-05-15 17:44 . 2009-05-16 15:16 -------- d-----w- c:\users\Pozi\AppData\Local\PMB Files
2009-05-15 17:44 . 2009-05-15 19:05 -------- d-----w- c:\programdata\PMB Files
2009-05-15 17:43 . 2009-05-15 17:43 -------- d-----w- c:\program files\Pando Networks
2009-05-15 07:26 . 2009-05-15 07:26 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-05-15 03:53 . 2009-05-15 03:54 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-05-11 17:27 . 2009-05-11 17:27 -------- d-----w- c:\programdata\WindowsSearch
2009-05-09 15:08 . 2009-05-10 03:55 -------- d-----w- c:\users\Pozi\AppData\Roaming\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 20:53 . 2008-10-29 03:36 -------- d-----w- c:\program files\Steam
2009-06-04 20:38 . 2008-09-10 21:39 -------- d-----w- c:\users\Pozi\AppData\Roaming\Skype
2009-06-04 20:36 . 2009-04-14 00:25 31776 ----a-w- c:\programdata\nvModes.dat
2009-06-04 20:33 . 2008-06-29 14:56 -------- d-----w- c:\programdata\Kaspersky Lab
2009-06-04 20:28 . 2008-06-30 07:36 -------- d-----w- c:\users\Pozi\AppData\Roaming\uTorrent
2009-06-04 20:03 . 2008-12-01 11:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-04 19:35 . 2009-01-03 02:52 -------- d-----w- c:\program files\BYOND
2009-06-04 19:29 . 2008-02-18 05:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-04 15:04 . 2008-09-10 21:40 -------- d-----w- c:\users\Pozi\AppData\Roaming\skypePM
2009-06-04 12:13 . 2008-06-30 05:55 -------- d-----w- c:\users\Pozi\AppData\Roaming\Yahoo!
2009-06-04 06:32 . 2008-06-29 14:24 -------- d-----w- c:\program files\Yahoo!
2009-06-04 06:32 . 2008-06-30 05:56 -------- d-----w- c:\programdata\Yahoo!
2009-06-04 06:32 . 2008-06-30 18:17 -------- d-----w- c:\programdata\Yahoo! Companion
2009-06-02 15:59 . 2008-09-12 05:44 3054 ----a-w- c:\users\Pozi\AppData\Roaming\wklnhst.dat
2009-06-02 07:38 . 2008-06-30 11:31 7592 ----a-w- c:\users\Pozi\AppData\Local\d3d9caps.dat
2009-06-01 23:23 . 2008-06-30 20:04 -------- d-----w- c:\program files\City of Heroes
2009-05-29 22:04 . 2008-10-29 03:36 -------- d-----w- c:\program files\Common Files\Steam
2009-05-24 18:18 . 2008-06-29 14:25 -------- d-----w- c:\users\Pozi\AppData\Roaming\Hewlett-Packard
2009-05-24 18:17 . 2008-02-18 06:55 -------- d-----w- c:\programdata\Hewlett-Packard
2009-05-14 10:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-02 00:53 . 2009-05-02 00:53 -------- d-----w- c:\users\Pozi\AppData\Roaming\vlc
2009-05-01 20:27 . 2009-05-01 20:27 1269760 ----a-r- c:\windows\system32\CohUpdater.tmp
2009-05-01 20:27 . 2009-05-01 20:27 643072 ----a-w- c:\windows\system32\CohUpdater_UI_Win.dll
2009-04-28 05:59 . 2009-04-21 00:31 -------- d-----w- c:\program files\LucasArts
2009-04-22 07:20 . 2009-04-22 07:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 07:20 . 2009-04-22 07:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-15 08:52 . 2008-06-29 14:27 78224 ----a-w- c:\users\Pozi\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-15 07:30 . 2009-04-15 07:30 -------- d-----w- c:\program files\TRINITRON CG
2009-04-15 04:57 . 2009-04-15 04:56 -------- d-----w- c:\program files\ManyCam 2.4
2009-04-14 00:31 . 2008-04-21 13:59 -------- d-----w- c:\programdata\NVIDIA
2009-04-14 00:25 . 2009-03-08 20:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-04-14 00:25 . 2009-03-08 20:22 -------- d-----w- c:\program files\AGEIA Technologies
2009-04-09 02:28 . 2008-07-02 07:08 27744 ----a-w- c:\users\Pozi\AppData\Roaming\nvModes.dat
2009-04-09 02:19 . 2009-04-09 02:19 -------- d--h--w- c:\programdata\.igpm
2009-04-08 23:15 . 2009-04-08 10:43 -------- d-----w- c:\users\Pozi\AppData\Roaming\ManyCam
2009-03-31 22:35 . 2009-05-24 18:05 17160 ----a-w- c:\windows\Help\OEM\scripts\HC_TotalCareAdvisorUpdate.exe
2009-03-31 00:30 . 2009-05-24 18:05 17160 ----a-w- c:\windows\Help\OEM\scripts\HC_DanzkaDubraBIOSUpdate.exe
2009-03-17 03:38 . 2009-04-15 21:58 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 21:58 24064 ----a-w- c:\windows\system32\amxread.dll
2009-03-07 01:12 . 2008-04-16 22:25 21256 ----a-w- c:\windows\Help\OEM\scripts\HPScript.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-04_04.26.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-06-04 20:37 49374 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-06-04 20:37 79490 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-30 10:15 . 2009-06-04 04:25 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-30 10:15 . 2009-06-04 19:13 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-30 10:15 . 2009-06-04 04:25 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-30 10:15 . 2009-06-04 19:13 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-30 10:15 . 2009-06-04 04:25 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-30 10:15 . 2009-06-04 19:13 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2009-06-04 12:10 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-06-02 07:34 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-06-02 07:34 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2009-06-04 12:10 51200 c:\windows\inf\infpub.dat
+ 2008-07-05 10:28 . 2009-06-04 12:11 4844 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-07-05 10:28 . 2009-05-29 11:32 4844 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-06-29 14:19 . 2009-06-04 20:37 9016 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2405079018-301773705-2127879220-1000_UserData.bin
- 2009-06-04 04:25 . 2009-06-04 04:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-04 20:51 . 2009-06-04 20:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-04 04:25 . 2009-06-04 04:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-06-04 20:51 . 2009-06-04 20:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-02-05 04:01 . 2009-06-04 18:43 7952 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-06-30 05:29 . 2009-06-04 18:35 382358 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
- 2009-04-05 10:33 . 2009-03-09 12:19 148888 c:\windows\System32\javaws.exe
+ 2009-06-04 20:04 . 2009-06-04 20:03 148888 c:\windows\System32\javaws.exe
+ 2009-06-04 20:04 . 2009-06-04 20:03 144792 c:\windows\System32\javaw.exe
- 2009-04-05 10:33 . 2009-03-09 12:19 144792 c:\windows\System32\javaw.exe
+ 2009-06-04 20:04 . 2009-06-04 20:03 144792 c:\windows\System32\java.exe
- 2009-04-05 10:33 . 2009-03-09 12:19 144792 c:\windows\System32\java.exe
+ 2006-11-02 10:25 . 2009-06-04 12:10 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2009-06-02 07:34 143360 c:\windows\inf\infstrng.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-24 455968]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-02 1783136]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"Steam"="c:\program files\steam\steam.exe" [2009-05-22 1217784]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 92704]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-04 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-10 4390912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FD70B73F-1FD2-4086-887E-17DB85C7E509}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{50E85B62-97D2-4CB1-89E3-E9E26263F4C2}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{750F4831-CFD0-48EB-966A-31F4D4A6793B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C43B89FB-672D-414B-AA5E-5A4CAB9028B5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CD52968A-5E2C-477F-9D1A-B0F2E2DF3423}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{BE633EB7-A30E-4995-9363-7D4D4E18BC94}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D5FBDF57-0801-4DB4-A9A7-89D36E454DC9}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A91C4F27-BD6C-4674-8847-A68274199BD1}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{979E409E-BDBF-4968-BBB6-C0E0E2C86B9A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{81D8D5B2-4F1A-43D0-8D06-27A98C00A3F5}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4D9BA8BA-CCA5-404E-AEA3-E31A8ECB2323}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{835C35B4-3898-4E1F-9EC3-FDE00CC67E54}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{166A1F14-07D7-4085-9D42-C49A848BCC68}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{4B4622ED-EA35-42C3-AE02-AEB4412C47C0}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{408A6ED3-D6D7-4229-A3CB-344FFFC4836A}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BE097328-DFB4-4CB4-9968-0EF8EDBD9281}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{DE6AC1AC-A256-460A-B7A7-90446E0FD877}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{B083F6E8-612D-4401-8CD1-B1DDB7E78C52}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{66A7BB68-67C4-44F3-A997-4180701EE276}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{06047ADB-9390-4DD5-8A96-E3D163A62404}"= UDP:c:\2142\BF2142.exe:Battlefield 2142
"{18EEC185-8AAF-4701-B9A3-B6F650509DD1}"= TCP:c:\2142\BF2142.exe:Battlefield 2142
"{2D72B16F-AB14-49F7-91A7-2C177751A1E4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{BFB3A247-BFEE-4A1F-9F92-B3CA525C29F6}"= UDP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{02875DFB-C994-4BD3-AA12-461932DA0A7A}"= TCP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{24317215-D42F-4300-ACE3-B9B25500D22A}"= UDP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{AA7FB2A6-F228-42C7-BBAE-ABD392F2AD6F}"= TCP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{6405DE7D-C62B-4FCE-9664-6A127921BFE1}"= UDP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{8066F9C8-E667-43C7-856B-3FDBCBF6DB86}"= TCP:c:\program files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{2977FA28-3B9B-477A-BBC1-6B79C6C7CAF1}"= UDP:c:\program files\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe:Peggle Extreme
"{803EF5EB-DDAA-481C-9ED9-ECEA70D2CB67}"= TCP:c:\program files\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe:Peggle Extreme
"{0BA07A2D-BA7B-4CC8-A212-F69D972FD1B7}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{C0DC5B3B-2980-4559-92C6-6B8A5A72439A}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{5D20FD65-A576-4A9A-BF0C-DB16973F9663}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{EA1A8A48-0D0A-4032-BCEA-98914D3FCA55}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{97681DDA-F2E0-42ED-A8E3-88812478F455}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{8A7B03E5-164F-41CB-84BD-A4B8954F6FEA}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{151DCD12-050F-4C15-81ED-C00357B12771}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{3EA2B2CB-1071-4FEB-8137-2CF9F19F5AB4}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{8CFE2BBF-EABC-4237-A486-D0503CFA9F04}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{035B07CB-7C98-4E94-8ECC-314FB3E1F9E3}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{C3F6FCDD-FCD3-457A-A621-61D3531F0F0D}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{5BD3BF4C-351D-4BB8-A07F-2FBDE91EAF36}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{F46B356E-FA93-4FF2-9C1F-3FD36848D89B}"= UDP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{8C10D9DC-063F-483B-9E73-A4D6BB2434B6}"= TCP:c:\program files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{36271F67-3A85-465E-9601-FE2D239231EA}"= UDP:c:\program files\Steam\SteamApps\common\left 4 dead\srcds.exe:Left 4 Dead Dedicated Server
"{4A01BD45-6AD8-4E51-80DF-AD3EE073468D}"= TCP:c:\program files\Steam\SteamApps\common\left 4 dead\srcds.exe:Left 4 Dead Dedicated Server
"{B2AF27FA-526D-484A-B9A1-364A2FDD3AB4}"= UDP:c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{2849DE4D-E91D-415C-A014-8687EF525ECF}"= TCP:c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{642D76CE-EDCB-426C-AD8D-195D26C72E65}"= UDP:c:\program files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars™: Empire at War™
"{80C80D72-C530-4325-8C8E-FF153BBB0A6C}"= TCP:c:\program files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:Star Wars™: Empire at War™
"{64014FF2-D800-4633-9452-C9621F34E4E8}"= UDP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{7A0F4B75-D07F-4726-A91C-76BB4C87421D}"= TCP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"TCP Query User{098BD030-01A8-48C8-8DB8-C72B8F95854E}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{4E2436B2-34FD-4052-B52A-E5F8CC128267}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{169EBB1B-11C8-4744-BE12-0EFE02BD24EC}c:\\program files\\pando networks\\media booster\\pmb.exe"= UDP:c:\program files\pando networks\media booster\pmb.exe:Pando Media Booster
"UDP Query User{E987D665-BBBC-4E83-8BAD-A18D8C9C6737}c:\\program files\\pando networks\\media booster\\pmb.exe"= TCP:c:\program files\pando networks\media booster\pmb.exe:Pando Media Booster
"{76D507C4-19AC-4F61-8760-1B86404DE6FD}"= UDP:c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{3546C46B-61A5-4866-8AB7-D4AFF09471FE}"= TCP:c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:Left 4 Dead
"TCP Query User{4E9E7134-A2CB-4294-BFDF-7FDF1C515756}c:\\program files\\steam\\steamapps\\illchy\\team fortress 2\\hl2.exe"= UDP:c:\program files\steam\steamapps\illchy\team fortress 2\hl2.exe:hl2
"UDP Query User{6A4DE951-E247-43F9-83A3-683ACC038038}c:\\program files\\steam\\steamapps\\illchy\\team fortress 2\\hl2.exe"= TCP:c:\program files\steam\steamapps\illchy\team fortress 2\hl2.exe:hl2
"TCP Query User{7995FC1F-6C39-4F31-BB32-ECE5093C08C1}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{270E2A2A-67F1-4931-9FD9-1AD577CC3815}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{23151F5A-E597-4199-B0B4-8574A2083E4F}c:\\users\\pozi\\desktop\\gang garrison 2\\gang garrison 2.exe"= UDP:c:\users\pozi\desktop\gang garrison 2\gang garrison 2.exe:gang garrison 2.exe
"UDP Query User{DCD5FFBD-56FE-4F84-A66E-62E13B0933DA}c:\\users\\pozi\\desktop\\gang garrison 2\\gang garrison 2.exe"= TCP:c:\users\pozi\desktop\gang garrison 2\gang garrison 2.exe:gang garrison 2.exe
"{3AD5AE67-BE0D-4324-9C9F-8AC316CDB25C}"= UDP:c:\program files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe:Star Wars®: Empire at War™: Forces of Corruption™
"{9F0B0345-E86B-410C-A97F-C3DD8BFF3B25}"= TCP:c:\program files\LucasArts\Star Wars Empire at War Forces of Corruption\swfoc.exe:Star Wars®: Empire at War™: Forces of Corruption™
"TCP Query User{2A2DED04-9793-4559-97A1-511EC8EA79A2}c:\\program files\\lucasarts\\star wars empire at war forces of corruption\\swfoc.exe"= UDP:c:\program files\lucasarts\star wars empire at war forces of corruption\swfoc.exe:Star Wars®: Empire at War™: Forces of Corruption™
"UDP Query User{3D726099-2E86-4DCF-9DE1-D286913BE526}c:\\program files\\lucasarts\\star wars empire at war forces of corruption\\swfoc.exe"= TCP:c:\program files\lucasarts\star wars empire at war forces of corruption\swfoc.exe:Star Wars®: Empire at War™: Forces of Corruption™

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\System32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
S0 NVStrap;NVStrap;c:\windows\System32\drivers\NVStrap.sys [4/13/2009 6:04 PM 4224]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\HPCeeScheduleForPozi.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-02-18 19:58]

2009-06-04 c:\windows\Tasks\User_Feed_Synchronization-{EBAC9960-F52A-434F-812C-CEAD23C7530A}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Pozi\AppData\Roaming\Mozilla\Firefox\Profiles\ddyxbokn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\BYOND\bin\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 13:53
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1804)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\PnkBstrA.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\System32\rundll32.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-06-04 13:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 20:59
ComboFix2.txt 2009-06-04 04:34

Pre-Run: 115,255,021,568 bytes free
Post-Run: 115,099,607,040 bytes free

303 --- E O F --- 2009-05-28 22:23

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 June 2009 - 05:26 PM

Very well done Poen. :thumbup2:

How is your computer running?

#9 Poen

Poen
  • Topic Starter

  • Members
  • 14 posts

Posted 04 June 2009 - 06:50 PM

It's hard to believe my computer was infected a day ago. It's running perfectly.

Thank you very much farbar, now two things pop into my head

1st: aside from NOD32, HijackThis, my Kaspersky, DrWeb, and ComboFix, are there any other things I should keep handy to protect myself and/or arm myself against any further problems?

2nd: I feel the need to thank you for helping me. Seeing as how my usual approach of buying you a beer sometime won't really work out, is there any way I can contribute to your task force of malware fighting awesomeness? Perhaps learn how to help people myself?

How did you get started with this stuff? :D

Anyways really, thanks.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 June 2009 - 07:23 PM

Poen,

You are very welcome.

Can you hold on a bit? I'll answer your questions in the next and final post. I wanted to run this good antimalware program to make sure the leftovers are taken care of. We don't see all the registry items on the logs. You can also keep it for the future.


Please download Malwarebytes' Anti-Malware from MajorGeeks
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#11 Poen

Poen
  • Topic Starter

  • Members
  • 14 posts

Posted 05 June 2009 - 02:11 AM

I downloaded from Cnet, because for some reason the other website wouldn't give me the download prompt.

here it is

Malwarebytes' Anti-Malware 1.37
Database version: 2232
Windows 6.0.6001 Service Pack 1

6/5/2009 12:06:47 AM
mbam-log-2009-06-05 (00-06-47).txt

Scan type: Quick Scan
Objects scanned: 74581
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 June 2009 - 05:05 AM

aside from NOD32, HijackThis, my Kaspersky, DrWeb, and ComboFix, are there any other things I should keep handy to protect myself and/or arm myself against any further problems?


So to make a long story short: Either NOD32 or Kaspersky, no ComboFix and no DrWeb. Yes Malwarebytes. You'll read more below.
Two antiviruses on the system will give you more trouble than some malware would give you.
ComboFix is a power tool and should be used under supervision of a trained helper.
DrWeb tends to have a high rate of false positives and often removes the legit programs. It should be used just in emergency cases when other tools find nothing or do not run and you need a paranoid approach.


I feel the need to thank you for helping me. Seeing as how my usual approach of buying you a beer sometime won't really work out, is there any way I can contribute to your task force of malware fighting awesomeness? Perhaps learn how to help people myself?


You can join the training here at BC. There is a pinned topic at the top of the first page of Malware Removal subforum with the title Malware Removal Training Program. There are many applicants and the admissions are closed now, but from time to time there is an open slot and you can apply.

How did you get started with this stuff?


Got infected once, cleaned it with automated tools I found on the net as my antivirus couldn't do it, went through logs for a period of time, started helping others at another forum, joined BC training later on and found out it was much more complicated than I initially thought. :)

+++++++++++++++++++++++++++++++++

Everything looks good. :thumbup2:

Go to start => run => copy and paste the next command in the field then hit enter:

"c:\users\Pozi\Desktop\Computer Saving Stuff\Poen.exe" /u


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

The first reboot might be a little slow, the next one will be faster.

Optional Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  • Install Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. What you need to do is update it once every 2-3 weeks and enable the restriction. You can find more information and a download link.
    After each update click on Protection Status in the left pane. Then click on Enable All Protection (bottom left of the right pane).
  • The rule of thumb: One AntiVirus with real-time protection, one firewall (other than Windows firewall) and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two or three antispyware but they should not be running at the same time and should be set not to start with Windows.


#13 Poen

Poen
  • Topic Starter

  • Members
  • 14 posts

Posted 07 June 2009 - 06:43 AM

Thanks so much farbar, if I ever vacation to the Netherlands, I'll have to find you. I'm gonna go through the training, or at least try.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 June 2009 - 07:14 AM

You are very welcome. Will be glad to see you here at BC as a trainee or in The Netherlands. :thumbup2:

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
