Google redirections


  • This topic is locked
18 replies to this topic

#1 Beremat

  • Members
  • 44 posts

Posted 22 July 2009 - 10:12 PM

Hello, it appears that I've recently picked up some malware. It completely deleted all my file associations (even .exe!) but I managed to fix that. Now, it seems as if 90% of my Google search results redirect to some random page. In addition, my computer has been more sluggish recently (and it is usually blazingly fast, I can post specs if requested). Please help me remove this pest.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Marcin at 23:09:54.82 on Wed 07/22/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2557.1958 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Folding@home\Folding@home-x86\Folding@home.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Folding@home\Folding@home-x86\FahCore_78.exe
svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Autorun.exe
C:\DOCUME~1\Marcin\LOCALS~1\Temp\{7C9F2A67-8C5C-4D33-97FB-FBA518021912}\setup.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloaded Crap\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\microsoft office\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24\RivaTuner.exe" /S
mRun: [vmware-tray] c:\program files\vmware\vmware workstation\vmware-tray.exe
mRun: [VMware hqtray] "c:\program files\vmware\vmware workstation\hqtray.exe"
StartupFolder: c:\docume~1\marcin\startm~1\programs\startup\shortc~2.lnk - c:\program files\folding@home\folding@home-x86\Folding@home.exe
StartupFolder: c:\docume~1\marcin\startm~1\programs\startup\shortc~1.lnk - c:\program files\folding@home\folding@home-gpu\Folding@home.exe
StartupFolder: c:\docume~1\marcin\startm~1\programs\startup\wallpaper changer.lnk - c:\program files\wallpapertoy\Wallpapertoy.Exe
StartupFolder: c:\docume~1\marcin\startm~1\programs\startup\µtorrent.lnk - c:\program files\utorrent\uTorrent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.210,85.255.112.65
TCP: {1F5DBF95-32DC-45D0-AD77-30F28A874251} = 85.255.112.210,85.255.112.65
TCP: {4028F906-1320-4B25-85DB-0BAB8A62DF6A} = 85.255.112.210,85.255.112.65
TCP: {6BBB26E1-0C94-411F-90F7-40A11D4F3E7E} = 85.255.112.210,85.255.112.65
TCP: {E385B448-4753-4AEF-B4CC-F35F0E74B825} = 85.255.112.210,85.255.112.65
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\microsoft office\office14\GROOVEEX.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marcin\applic~1\mozilla\firefox\profiles\bem2isc0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=mpues&hl=en
FF - component: c:\documents and settings\marcin\application data\mozilla\firefox\profiles\bem2isc0.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-1-21 128000]
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2007-5-22 18088]
R2 osppsvc;Office Software Protection Platform;c:\windows\system32\OSPPSVC.EXE [2009-4-8 4319136]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
S0 cerc6;cerc6; [x]
S3 45af844e-7d71-4e5c-a1be-cae02e9cb96b;45af844e-7d71-4e5c-a1be-cae02e9cb96b;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-5-4 718880]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2009-4-25 33480048]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

============== File Associations ===============

inffile=c:\windows\system32\NOTEPAD.EXE "%1"
regfile="regedit.exe" "%1"
VBSFile=c:\windows\system32\WScript.exe "%1"

=============== Created Last 30 ================

2009-07-22 23:03 <DIR> --d----- c:\program files\The Witcher Enhanced Edition
2009-07-22 16:07 186,511,822 a------- C:\Unique Landscapes Compilation 1.4.5.omod
2009-07-22 15:24 <DIR> --d----- c:\program files\Bethesda Softworks
2009-07-21 22:03 221,184 a------- c:\windows\system32\wmpns.dll
2009-07-21 21:56 <DIR> --d----- C:\reset associations
2009-07-21 21:54 <DIR> --d----- C:\Repair Permissions
2009-07-21 21:46 16,816 a----r-- c:\windows\system32\drivers\vmnetadapter.sys
2009-07-21 21:46 13,104 a----r-- c:\windows\system32\vnetinst.dll
2009-07-21 21:46 121,392 a------- c:\windows\system32\vmnetdhcp.exe
2009-07-21 21:46 150,064 a------- c:\windows\system32\vmnat.exe
2009-07-21 21:46 25,136 a------- c:\windows\system32\drivers\vmnetuserif.sys
2009-07-21 21:45 50,992 a----r-- c:\windows\system32\vmnetbridge.dll
2009-07-21 21:45 28,592 a----r-- c:\windows\system32\drivers\vmnetbridge.sys
2009-07-21 21:45 17,712 a----r-- c:\windows\system32\drivers\vmnet.sys
2009-07-21 21:45 436,784 a------- c:\windows\system32\vnetlib.dll
2009-07-21 21:45 20,912 a------- c:\windows\system32\drivers\VMkbd.sys
2009-07-21 21:45 1,024 a------- C:\.rnd
2009-07-21 21:44 <DIR> --d----- c:\program files\VMware
2009-07-21 21:44 <DIR> --d----- c:\program files\common files\VMware
2009-07-21 01:55 49 a------- C:\DeSmuME.com.URL
2009-07-21 01:55 382,464 a------- C:\NDeSmuME.exe
2009-07-21 00:31 <DIR> --d----- c:\docume~1\marcin\applic~1\eMule
2009-07-20 23:33 <DIR> --d----- c:\docume~1\marcin\applic~1\TrueCrypt
2009-07-20 23:32 217,664 a------- c:\windows\system32\drivers\truecrypt.sys
2009-07-20 23:32 <DIR> --d----- c:\program files\TrueCrypt
2009-07-20 23:11 <DIR> --d----- c:\docume~1\marcin\applic~1\Tor
2009-07-20 23:11 <DIR> --d----- c:\program files\Vidalia Bundle
2009-07-20 03:09 <DIR> --d----- c:\program files\Tor
2009-07-18 18:11 <DIR> --d----- c:\program files\DOSBox-0.73
2009-07-17 23:24 <DIR> --d----- c:\program files\WinPcap
2009-07-17 23:23 <DIR> --d----- c:\program files\Cain
2009-07-17 22:18 795,215,904 a------- C:\FLT-VCB.BIN
2009-07-17 22:18 73 a------- C:\FLT-VCB.CUE
2009-07-17 22:17 4,231,110,656 a------- C:\hlm-gtasa.iso
2009-07-16 20:22 <DIR> --d----- c:\windows\system32\appmgmt
2009-07-15 00:11 <DIR> --d----- c:\program files\ElastoManiaRegistered
2009-07-13 16:56 189,104 a------- c:\windows\system32\PnkBstrB.xtr
2009-07-13 00:01 4,096 a------- c:\windows\system32\crash
2009-07-12 15:16 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-07-12 14:44 <DIR> --d----- c:\docume~1\marcin\applic~1\Folding@home-x86
2009-07-12 14:39 <DIR> --d----- c:\docume~1\marcin\applic~1\FahMon
2009-07-12 14:38 <DIR> --d----- c:\program files\FahMon
2009-07-12 14:28 <DIR> --d----- c:\program files\Folding@home
2009-07-12 14:28 <DIR> --d----- c:\docume~1\marcin\applic~1\Folding@home-gpu
2009-07-10 11:11 575 a------- c:\windows\qtracker.INI
2009-07-10 10:55 <DIR> --d----- c:\program files\Qtracker
2009-07-10 10:44 139,584 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-10 10:44 22,328 a------- c:\docume~1\marcin\applic~1\PnkBstrK.sys
2009-07-10 10:44 189,104 a------- c:\windows\system32\PnkBstrB.exe
2009-07-10 10:44 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-07-10 10:43 319 a------- c:\windows\game.ini
2009-07-09 21:26 <DIR> --d----- C:\games
2009-07-08 00:23 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-08 00:18 <DIR> --d----- C:\cmdcons
2009-07-08 00:16 161,792 a------- c:\windows\SWREG.exe
2009-07-08 00:16 155,136 a------- c:\windows\PEV.exe
2009-07-08 00:16 98,816 a------- c:\windows\sed.exe
2009-07-07 14:56 <DIR> --d----- C:\RealTemp
2009-07-05 19:56 <DIR> --d----- c:\program files\common files\DirectX
2009-07-05 19:50 <DIR> --d----- c:\docume~1\marcin\applic~1\NPLUTO Corporation
2009-07-05 19:50 2,736,890 a------- c:\windows\system32\GameMon.des
2009-07-05 19:50 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-07-05 19:50 4,682 a------- c:\windows\system32\npptNT2.sys
2009-07-05 19:50 <DIR> --d----- c:\program files\common files\INCA Shared
2009-07-05 19:25 <DIR> --d----- c:\program files\DriftCity
2009-07-05 18:31 <DIR> --d----- C:\ijji
2009-07-05 18:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ijjigame
2009-07-05 18:29 710,064 a------- c:\windows\system32\ijjiSetup.exe
2009-07-05 18:29 157,152 a------- c:\windows\system32\PubPlugin.dll
2009-07-05 18:29 58,800 a------- c:\windows\system32\ijjiProcessRestarter.exe
2009-07-05 18:29 58,800 a------- c:\windows\system32\ijjiPlugin2.dll
2009-07-05 18:29 <DIR> --d----- c:\program files\NHN USA
2009-07-05 14:53 <DIR> --d----- c:\docume~1\marcin\applic~1\Turbine
2009-07-05 14:28 <DIR> --d----- c:\program files\Turbine
2009-07-05 02:52 806,187,008 a------- C:\kawashima.iso
2009-07-05 00:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-07-05 00:15 <DIR> --d----- c:\program files\Pando Networks
2009-07-02 14:55 41,808 a------- c:\windows\system32\xfcodec.dll
2009-07-01 17:57 <DIR> --d----- c:\program files\ATITool
2009-06-28 18:14 8,294,454 a---h--- c:\windows\system32\toyhide.bmp
2009-06-28 18:04 187,072 a------- c:\windows\walltoyUninst.exe
2009-06-28 18:04 <DIR> --d----- c:\program files\WallpaperToy
2009-06-25 16:34 <DIR> --d----- C:\.jagex_cache_32
2009-06-25 16:14 34 a------- c:\documents and settings\marcin\jagex_runescape_preferences.dat
2009-06-25 16:14 <DIR> --d----- c:\windows\.jagex_cache_32
2009-06-25 12:02 <DIR> --d----- c:\program files\common files\Common Share
2009-06-24 23:01 598 a------- c:\windows\eReg.dat
2009-06-24 22:55 <DIR> --d----- C:\~MSSETUP.T
2009-06-24 22:55 <DIR> --d----- c:\program files\Maxis
2009-06-24 22:54 <DIR> --d----- c:\documents and settings\marcin\WINDOWS
2009-06-24 21:24 <DIR> --d----- c:\program files\MKVtoolnix
2009-06-23 23:54 7,680 a--sh--- c:\windows\Thumbs.db
2009-06-23 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DeskSoft
2009-06-23 20:00 <DIR> --d----- c:\docume~1\marcin\applic~1\DeskSoft

==================== Find3M ====================

2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-11 20:27 1,734 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-06-04 17:41 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\dllcache\quartz.dll
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-20 12:46 1,682 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-05-19 19:39 88 ---shr-- c:\docume~1\alluse~1\applic~1\1D6AFE586B.sys
2009-05-17 11:24 0 a------- c:\program files\common files\akkg.exe
2009-05-17 11:24 323,584 a------- c:\program files\common files\SetupMenu.exe
2009-05-17 11:24 0 a------- c:\program files\common files\insta.exe
2009-05-15 23:58 4,069,888 a------- c:\windows\system32\dllcache\ati2mtag.sys
2009-05-15 23:39 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-05-15 23:38 335,872 a------- c:\windows\system32\ati2dvag.dll
2009-05-15 23:18 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-05-15 23:17 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-05-15 23:17 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-05-15 23:17 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-05-15 23:17 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-05-15 23:15 602,112 a------- c:\windows\system32\ati2evxx.exe
2009-05-15 23:14 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-05-15 23:07 2,987,136 a------- c:\windows\system32\ati3duag.dll
2009-05-15 22:55 11,423,744 a------- c:\windows\system32\atioglxx.dll
2009-05-15 22:54 2,122,624 a------- c:\windows\system32\ativvaxx.dll
2009-05-15 22:54 887,724 a------- c:\windows\system32\ativva6x.dat
2009-05-15 22:51 311,296 a------- c:\windows\system32\atiiiexx.dll
2009-05-15 22:38 49,664 a------- c:\windows\system32\atimpc32.dll
2009-05-15 22:38 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-05-15 22:33 479,232 a------- c:\windows\system32\atikvmag.dll
2009-05-15 22:31 139,264 a------- c:\windows\system32\atiadlxx.dll
2009-05-15 22:31 17,408 a------- c:\windows\system32\atitvo32.dll
2009-05-15 22:26 376,832 a------- c:\windows\system32\atiok3x2.dll
2009-05-15 22:24 651,264 a------- c:\windows\system32\ati2cqag.dll
2009-05-15 21:35 45,056 a------- c:\windows\system32\aticalrt.dll
2009-05-15 21:34 45,056 a------- c:\windows\system32\aticalcl.dll
2009-05-15 21:33 3,158,016 a------- c:\windows\system32\aticaldd.dll
2009-05-15 21:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-05-14 21:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 21:24 19,558 a------- c:\windows\hpoins01.dat
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-05-06 20:32 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-05 16:49 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-05-05 15:33 118,784 a------- c:\windows\system32\atibtmon.exe
2009-05-04 18:40 315,392 a------- c:\windows\HideWin.exe
2009-05-04 17:30 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-04-30 17:22 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-04-30 17:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 17:22 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-04-30 07:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-05 18:03 32 a----r-- c:\documents and settings\all users\hash.dat

============= FINISH: 23:10:16.71 ===============



The Attach.txt is attached to this post.
Thank you in advance for the help.


#2 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Location:Dubai

Posted 23 July 2009 - 06:48 AM

Hello, Beremat.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized).
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM.


#3 Beremat
  • Topic Starter

  • Members
  • 44 posts

Posted 23 July 2009 - 12:37 PM

Hello and thank you for your response. No need to apologize!

Here is the log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Marcin at 2009-07-23 13:37:24
Microsoft Windows XP Professional Service Pack 3
System drive C: has 205 GB (44%) free of 467 GB
Total RAM: 2557 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:33 PM, on 7/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Folding@home\Folding@home-x86\Folding@home.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Folding@home\Folding@home-x86\FahCore_78.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Folding@home\Folding@home-gpu\Folding@home.exe
C:\Program Files\Folding@home\Folding@home-gpu\FahCore_11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloaded Crap\RSIT.exe
C:\Program Files\trend micro\Marcin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\Microsoft Office\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\Microsoft Office\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24\RivaTuner.exe" /S
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Shortcut to Folding@home-x86.exe.lnk = C:\Program Files\Folding@home\Folding@home-x86\Folding@home.exe
O4 - Startup: Shortcut to Folding@home.exe.lnk = C:\Program Files\Folding@home\Folding@home-gpu\Folding@home.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5DBF95-32DC-45D0-AD77-30F28A874251}: NameServer = 85.255.112.210,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{4028F906-1320-4B25-85DB-0BAB8A62DF6A}: NameServer = 85.255.112.210,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BBB26E1-0C94-411F-90F7-40A11D4F3E7E}: NameServer = 85.255.112.210,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{E385B448-4753-4AEF-B4CC-F35F0E74B825}: NameServer = 85.255.112.210,85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.210,85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F5DBF95-32DC-45D0-AD77-30F28A874251}: NameServer = 85.255.112.210,85.255.112.65
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.210,85.255.112.65
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F5DBF95-32DC-45D0-AD77-30F28A874251}: NameServer = 85.255.112.210,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.210,85.255.112.65
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 6788 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{892D7CDE-32B1-4751-A6A6-1CDBB822555B}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\Microsoft Office\Office14\GROOVEEX.DLL [2009-04-25 3963280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
Office Document Cache Handler - C:\PROGRA~1\Microsoft Office\Office14\URLREDIR.DLL [2009-04-08 739688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-14 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-14 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"=C:\Program Files\RivaTuner v2.24\RivaTuner.exe [2009-02-25 2781184]
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe [2008-05-16 72240]
"VMware hqtray"=C:\Program Files\VMware\VMware Workstation\hqtray.exe [2008-05-16 55856]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [2008-08-14 611712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
C:\WINDOWS\ALCMTR.EXE [2008-06-19 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
C:\WINDOWS\ALCWZRD.EXE [2008-06-19 2808832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
C:\Program Files\Microsoft Office\Office14\BCSSync.exe [2009-04-25 58216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\boincmgr]
C:\Program Files\BOINC\boincmgr.exe [2009-03-30 4178688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\boinctray]
C:\Program Files\BOINC\boinctray.exe [2009-03-30 58112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eamonn]
C:\Program Files\Eamonn\bin\Eamonn.exe [2009-06-01 3138048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\PROGRA~1\Microsoft Office\Office14\GROOVEMN.EXE [2009-04-25 875392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe [2009-05-05 306088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTuner]
C:\Program Files\RivaTuner v2.24\RivaTuner.exe [2009-02-25 2781184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
C:\Program Files\RivaTuner v2.24\RivaTuner.exe [2009-02-25 2781184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2008-07-16 16806400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2008-06-18 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-05-20 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-14 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe [2009-03-10 1553920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
C:\PROGRA~1\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
C:\PROGRA~1\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
C:\PROGRA~1\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OfficeSAS.lnk]
C:\PROGRA~1\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe [2009-04-08 122264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^GameRanger.lnk]
C:\DOCUME~1\Marcin\APPLIC~1\GameRanger\GameRanger\GameRanger.exe [2009-05-03 1187504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
C:\PROGRA~1\OpenOffice.org 3\program\quickstart.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^Xfire.lnk]
C:\PROGRA~1\Xfire\Xfire.exe [2009-07-02 3190096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3
"idsvc"=3
"WSearch"=2
"CiSvc"=3
"Microsoft SharePoint Workspace Audit Service"=3
"ose"=3
"Pml Driver HPZ12"=3
"JavaQuickStarterService"=2
"iPod Service"=3
"FLEXnet Licensing Service"=3
"Bonjour Service"=2
"Apple Mobile Device"=2
"McciCMService"=2
"Apache2.2"=2
"IDriverT"=3
"a2free"=2
"npggsvc"=3
"ATI Smart"=2
"Ati HotKey Poller"=2

C:\Documents and Settings\Marcin\Start Menu\Programs\Startup
Shortcut to Folding@home-x86.exe.lnk - C:\Program Files\Folding@home\Folding@home-x86\Folding@home.exe
Shortcut to Folding@home.exe.lnk - C:\Program Files\Folding@home\Folding@home-gpu\Folding@home.exe
Wallpaper Changer.lnk - C:\Program Files\WallpaperToy\Wallpapertoy.Exe
µTorrent.lnk - C:\Program Files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-05-15 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\Microsoft Office\Office14\GROOVEEX.DLL [2009-04-25 3963280]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\Program Files\World of Warcraft\Launcher.exe"="C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Nexon\Combat Arms\Engine.exe"="C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Nexon\Combat Arms\NMService.exe"="C:\Nexon\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe"="C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club"
"C:\Program Files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe"="C:\Program Files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV"
"C:\Program Files\Curse\CurseClient.exe"="C:\Program Files\Curse\CurseClient.exe:*:Enabled:Curse Client"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Microsoft Office\Office14\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office14\GROOVE.EXE:*:Enabled:Microsoft SharePoint Workspace"
"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Downloaded Crap\Data\hl2.exe"="C:\Downloaded Crap\Data\hl2.exe:*:Enabled:hl2"
"C:\Documents and Settings\Marcin\Application Data\GameRanger\GameRanger\GameRanger.exe"="C:\Documents and Settings\Marcin\Application Data\GameRanger\GameRanger\GameRanger.exe:*:Enabled:GameRanger"
"C:\Soldat\Soldat.exe"="C:\Soldat\Soldat.exe:*:Enabled:Soldat"
"C:\Program Files\PortableMudMaster\MudMaster.exe"="C:\Program Files\PortableMudMaster\MudMaster.exe:*:Enabled:MudMaster 2k6"
"C:\Program Files\Xfire\dppm_source.exe"="C:\Program Files\Xfire\dppm_source.exe:*:Disabled:Dyyno P2P Source Application"
"C:\Program Files\Maxis\SimCity 3000 Unlimited\Apps\Updater\UPDATER.EXE"="C:\Program Files\Maxis\SimCity 3000 Unlimited\Apps\Updater\UPDATER.EXE:*:Enabled:SC3UpdaterMFC"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\Program Files\World of Warcraft\Repair.exe"="C:\Program Files\World of Warcraft\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\Program Files\Pando Networks\Media Booster\PMB.exe"="C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"
"C:\Program Files\Turbine\The Lord of the Rings Online\lotroclient.exe"="C:\Program Files\Turbine\The Lord of the Rings Online\lotroclient.exe:*:Enabled:lotroclient"
"C:\ijji\ENGLISH\u_gbound.exe"="C:\ijji\ENGLISH\u_gbound.exe:*:Enabled:<ijji Downloader>"
"C:\Documents and Settings\All Users\Application Data\ijjigame\ExLauncher.exe"="C:\Documents and Settings\All Users\Application Data\ijjigame\ExLauncher.exe:*:Enabled:Extensible Launching System"
"C:\Program Files\DriftCity\DriftCity.exe"="C:\Program Files\DriftCity\DriftCity.exe:*:Enabled:DriftCity"
"C:\ijji\ENGLISH\OutBound_Pul.exe"="C:\ijji\ENGLISH\OutBound_Pul.exe:*:Enabled:OutBound Application"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Qtracker\qtracker.exe"="C:\Program Files\Qtracker\qtracker.exe:*:Enabled:Qtracker"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\Program Files\Cain\Cain.exe"="C:\Program Files\Cain\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"C:\Downloaded Crap\Tor Browser\App\tor.exe"="C:\Downloaded Crap\Tor Browser\App\tor.exe:*:Enabled:tor"
"C:\Program Files\Vidalia Bundle\Tor\tor.exe"="C:\Program Files\Vidalia Bundle\Tor\tor.exe:*:Enabled:tor"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Nexon\Combat Arms\Engine.exe"="C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"C:\Program Files\Pando Networks\Media Booster\PMB.exe"="C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"

======File associations======

.inf - open - C:\WINDOWS\System32\NOTEPAD.EXE "%1"
.ini - open -
.js - open - C:\WINDOWS\System32\WScript.exe "%1"
.reg - open - "regedit.exe" "%1"
.txt - open -
.vbs - open - C:\WINDOWS\System32\WScript.exe "%1"
.cpl - cplopen -

======List of files/folders created in the last 1 months======

2009-07-23 13:37:24 ----D---- C:\rsit
2009-07-23 13:37:24 ----D---- C:\Program Files\trend micro
2009-07-23 00:05:30 ----A---- C:\WINDOWS\system32\CF23915.exe
2009-07-23 00:05:28 ----D---- C:\Qoobox
2009-07-22 23:03:22 ----D---- C:\Program Files\The Witcher Enhanced Edition
2009-07-22 15:24:26 ----D---- C:\Program Files\Bethesda Softworks
2009-07-21 22:03:59 ----D---- C:\Documents and Settings\Marcin\Application Data\VMware
2009-07-21 22:03:45 ----A---- C:\WINDOWS\system32\wmpns.dll
2009-07-21 21:56:06 ----D---- C:\reset associations
2009-07-21 21:54:44 ----D---- C:\Repair Permissions
2009-07-21 21:46:09 ----RA---- C:\WINDOWS\system32\vnetinst.dll
2009-07-21 21:46:04 ----A---- C:\WINDOWS\system32\vmnetdhcp.exe
2009-07-21 21:46:01 ----A---- C:\WINDOWS\system32\vmnat.exe
2009-07-21 21:45:59 ----RA---- C:\WINDOWS\system32\vmnetbridge.dll
2009-07-21 21:45:58 ----A---- C:\WINDOWS\system32\vnetlib.dll
2009-07-21 21:44:55 ----D---- C:\Documents and Settings\All Users\Application Data\VMware
2009-07-21 21:44:34 ----D---- C:\Program Files\VMware
2009-07-21 21:44:34 ----D---- C:\Program Files\Common Files\VMware
2009-07-21 19:15:46 ----D---- C:\Documents and Settings\Marcin\Application Data\Download Manager
2009-07-21 01:58:21 ----A---- C:\log.txt
2009-07-21 01:55:05 ----A---- C:\Readme.txt
2009-07-21 01:55:05 ----A---- C:\DeSmuME.com.URL
2009-07-21 01:55:04 ----A---- C:\NDeSmuME.exe
2009-07-21 01:55:04 ----A---- C:\Key DeSmuMe.txt
2009-07-21 00:31:04 ----D---- C:\Documents and Settings\Marcin\Application Data\eMule
2009-07-20 23:33:06 ----D---- C:\Documents and Settings\Marcin\Application Data\TrueCrypt
2009-07-20 23:32:16 ----D---- C:\Program Files\TrueCrypt
2009-07-20 23:11:43 ----D---- C:\Documents and Settings\Marcin\Application Data\Tor
2009-07-20 23:11:42 ----D---- C:\Program Files\Vidalia Bundle
2009-07-20 23:11:42 ----D---- C:\Documents and Settings\Marcin\Application Data\Vidalia
2009-07-20 03:09:44 ----D---- C:\Program Files\Tor
2009-07-18 18:11:53 ----D---- C:\Program Files\DOSBox-0.73
2009-07-17 23:24:06 ----D---- C:\Program Files\WinPcap
2009-07-17 23:23:42 ----D---- C:\Program Files\Cain
2009-07-16 20:40:43 ----SHD---- C:\Config.Msi
2009-07-16 20:22:26 ----D---- C:\WINDOWS\system32\appmgmt
2009-07-15 10:31:09 ----HD---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-15 10:31:06 ----HD---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-15 10:29:34 ----HD---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-15 00:11:50 ----D---- C:\Program Files\ElastoManiaRegistered
2009-07-14 00:45:31 ----D---- C:\Documents and Settings\Marcin\Application Data\vlc
2009-07-12 15:19:38 ----D---- C:\Documents and Settings\All Users\Application Data\ATI
2009-07-12 15:16:24 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-07-12 14:44:09 ----D---- C:\Documents and Settings\Marcin\Application Data\Folding@home-x86
2009-07-12 14:39:10 ----D---- C:\Documents and Settings\Marcin\Application Data\FahMon
2009-07-12 14:38:58 ----D---- C:\Program Files\FahMon
2009-07-12 14:28:51 ----D---- C:\Program Files\Folding@home
2009-07-12 14:28:51 ----D---- C:\Documents and Settings\Marcin\Application Data\Folding@home-gpu
2009-07-10 11:11:12 ----A---- C:\WINDOWS\qtracker.INI
2009-07-10 10:55:46 ----D---- C:\Program Files\Qtracker
2009-07-10 10:44:01 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-07-10 10:44:01 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2009-07-10 10:43:59 ----A---- C:\WINDOWS\game.ini
2009-07-09 21:26:47 ----D---- C:\games
2009-07-08 00:28:47 ----SHD---- C:\RECYCLER
2009-07-08 00:24:22 ----D---- C:\WINDOWS\temp
2009-07-08 00:18:02 ----D---- C:\cmdcons
2009-07-08 00:16:23 ----D---- C:\WINDOWS\ERDNT
2009-07-07 14:56:33 ----D---- C:\RealTemp
2009-07-05 19:56:44 ----D---- C:\Program Files\Common Files\DirectX
2009-07-05 19:50:34 ----D---- C:\Documents and Settings\Marcin\Application Data\NPLUTO Corporation
2009-07-05 19:50:10 ----D---- C:\Program Files\Common Files\INCA Shared
2009-07-05 19:25:08 ----D---- C:\Program Files\DriftCity
2009-07-05 18:31:21 ----D---- C:\ijji
2009-07-05 18:31:18 ----HD---- C:\Documents and Settings\Marcin\Application Data\ijjigame
2009-07-05 18:30:43 ----D---- C:\Documents and Settings\All Users\Application Data\ijjigame
2009-07-05 18:29:12 ----D---- C:\Program Files\NHN USA
2009-07-05 18:29:12 ----A---- C:\WINDOWS\system32\PubPlugin.dll
2009-07-05 18:29:12 ----A---- C:\WINDOWS\system32\ijjiSetup.exe
2009-07-05 18:29:12 ----A---- C:\WINDOWS\system32\ijjiProcessRestarter.exe
2009-07-05 18:29:12 ----A---- C:\WINDOWS\system32\ijjiPlugin2.dll
2009-07-05 14:53:57 ----D---- C:\Documents and Settings\Marcin\Application Data\Turbine
2009-07-05 14:28:30 ----D---- C:\Program Files\Turbine
2009-07-05 00:15:32 ----D---- C:\Documents and Settings\All Users\Application Data\PMB Files
2009-07-05 00:15:06 ----D---- C:\Program Files\Pando Networks
2009-07-02 14:55:52 ----A---- C:\WINDOWS\system32\xfcodec.dll
2009-07-01 17:57:49 ----D---- C:\Program Files\ATITool
2009-06-28 18:04:55 ----A---- C:\WINDOWS\wallpaperInstall.txt
2009-06-28 18:04:54 ----D---- C:\Program Files\WallpaperToy
2009-06-28 18:04:54 ----A---- C:\WINDOWS\walltoyUninst.exe
2009-06-25 16:34:32 ----D---- C:\.jagex_cache_32
2009-06-25 16:14:28 ----D---- C:\WINDOWS\.jagex_cache_32
2009-06-25 12:48:37 ----A---- C:\Documents and Settings\Marcin\Application Data\AutoGK.ini
2009-06-25 12:08:34 ----D---- C:\Documents and Settings\Marcin\Application Data\Media Player Classic
2009-06-25 12:02:08 ----D---- C:\Program Files\Common Files\Common Share
2009-06-25 12:02:01 ----D---- C:\Program Files\Gabest
2009-06-24 22:55:34 ----D---- C:\~MSSETUP.T
2009-06-24 22:55:28 ----D---- C:\Program Files\Maxis
2009-06-24 21:24:21 ----D---- C:\Program Files\MKVtoolnix

======List of files/folders modified in the last 1 months======

2009-07-23 13:37:24 ----D---- C:\Program Files
2009-07-23 13:37:13 ----D---- C:\Documents and Settings\Marcin\Application Data\uTorrent
2009-07-23 13:36:53 ----D---- C:\Downloaded Crap
2009-07-23 13:35:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-23 13:24:43 ----D---- C:\Program Files\Mozilla Firefox
2009-07-23 11:58:00 ----D---- C:\WINDOWS\system32
2009-07-23 02:12:05 ----D---- C:\WINDOWS
2009-07-23 02:12:05 ----D---- C:\Program Files\Windows Desktop Search
2009-07-23 02:10:25 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-23 02:10:18 ----HD---- C:\WINDOWS\inf
2009-07-23 02:10:18 ----D---- C:\WINDOWS\system32\wbem
2009-07-23 00:55:10 ----D---- C:\Documents and Settings\Marcin\Application Data\Xfire
2009-07-23 00:03:11 ----HD---- C:\Program Files\InstallShield Installation Information
2009-07-22 23:14:55 ----SHD---- C:\WINDOWS\Installer
2009-07-22 23:14:55 ----D---- C:\WINDOWS\system32\drivers
2009-07-22 23:14:00 ----D---- C:\WINDOWS\system32\DirectX
2009-07-22 23:10:00 ----D---- C:\WINDOWS\Prefetch
2009-07-22 23:00:51 ----D---- C:\Program Files\a-squared Free
2009-07-22 15:24:36 ----RSD---- C:\WINDOWS\assembly
2009-07-21 22:03:46 ----A---- C:\WINDOWS\OEWABLog.txt
2009-07-21 22:01:36 ----SD---- C:\WINDOWS\Tasks
2009-07-21 21:45:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-21 21:44:34 ----D---- C:\Program Files\Common Files
2009-07-21 21:41:16 ----D---- C:\Program Files\Microsoft Silverlight
2009-07-20 23:52:18 ----D---- C:\WINDOWS\Config
2009-07-19 20:20:07 ----D---- C:\Program Files\Xfire
2009-07-17 22:15:33 ----D---- C:\Program Files\Rockstar Games
2009-07-17 18:24:06 ----D---- C:\Documents and Settings\Marcin\Application Data\foobar2000
2009-07-17 17:21:38 ----D---- C:\Documents and Settings\Marcin\Application Data\FileZilla
2009-07-17 01:58:15 ----RASH---- C:\boot.ini
2009-07-17 01:58:15 ----A---- C:\WINDOWS\win.ini
2009-07-17 01:58:15 ----A---- C:\WINDOWS\system.ini
2009-07-16 22:23:52 ----D---- C:\DeusEx
2009-07-16 21:09:33 ----D---- C:\WINDOWS\WinSxS
2009-07-16 20:41:32 ----D---- C:\Program Files\OpenOffice.org 3
2009-07-16 20:28:47 ----D---- C:\Program Files\Activision
2009-07-16 20:28:03 ----D---- C:\Program Files\PlaneShift Steel Blue
2009-07-16 20:26:28 ----D---- C:\Program Files\Facade
2009-07-16 20:22:24 ----RSD---- C:\WINDOWS\Fonts
2009-07-15 10:31:11 ----A---- C:\WINDOWS\imsins.BAK
2009-07-15 10:31:09 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-15 10:31:08 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-07-14 22:27:23 ----D---- C:\Program Files\Peggle Nights Deluxe
2009-07-14 00:42:22 ----D---- C:\Lame
2009-07-12 15:17:38 ----D---- C:\Program Files\ATI Technologies
2009-07-11 23:54:32 ----D---- C:\Soldat
2009-07-10 10:44:00 ----D---- C:\WINDOWS\system32\LogFiles
2009-07-10 00:35:13 ----D---- C:\Documents and Settings\All Users\Application Data\BOINC
2009-07-08 00:23:29 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-07-08 00:22:42 ----D---- C:\WINDOWS\AppPatch
2009-07-07 11:10:56 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-07 00:39:27 ----D---- C:\Documents and Settings\Marcin\Application Data\Mozilla
2009-07-06 02:02:25 ----D---- C:\teeworlds-0.5.1-win32
2009-07-02 21:14:31 ----SD---- C:\Documents and Settings\Marcin\Application Data\Microsoft
2009-07-02 18:57:53 ----D---- C:\Rips
2009-07-01 03:02:00 ----D---- C:\WINDOWS\Microsoft.NET
2009-06-28 01:40:00 ----D---- C:\Program Files\HooTech
2009-06-26 13:39:54 ----D---- C:\Documents and Settings\Marcin\Application Data\DeskSoft
2009-06-24 22:55:45 ----D---- C:\Program Files\Microsoft Office
2009-06-24 21:59:39 ----D---- C:\Documents and Settings\Marcin\Application Data\Hamachi
2009-06-24 21:41:05 ----D---- C:\Program Files\foobar2000
2009-06-24 18:19:22 ----A---- C:\WINDOWS\BlendSettings.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ATITool;ATITool Overclocking Utility; C:\WINDOWS\system32\DRIVERS\ATITool.sys [2007-08-08 28968]
R1 atitray;atitray; \??\C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 truecrypt;truecrypt; C:\WINDOWS\System32\drivers\truecrypt.sys [2009-07-20 217664]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2009-07-22 279712]
R2 hcmon;VMware hcmon; \??\C:\WINDOWS\system32\Drivers\hcmon.sys []
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2009-07-22 25888]
R2 VMnetBridge;VMware Bridge Protocol; C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys [2008-05-16 28592]
R2 VMnetuserif;VMware Network Application Interface; \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys []
R2 vmx86;VMware vmx86; \??\C:\WINDOWS\system32\Drivers\vmx86.sys []
R2 vstor2;Vstor2 Virtual Storage Driver; \??\C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vstor2.sys []
R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver; \??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-05-15 4069888]
R3 AtiHdmiService;ATI Function Driver for HDMI Service; C:\WINDOWS\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-06-04 25280]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-07-16 4747776]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2007-11-17 54016]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2007-11-17 22016]
R3 RivaTuner32;RivaTuner32; \??\C:\Program Files\RivaTuner v2.24\RivaTuner32.sys []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 vmkbd;VMware kbd; \??\C:\WINDOWS\system32\drivers\VMkbd.sys []
R3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys [2008-05-16 16816]
S3 45af844e-7d71-4e5c-a1be-cae02e9cb96b;45af844e-7d71-4e5c-a1be-cae02e9cb96b; \??\D:\Player\cds300.dll []
S3 a738p7tl;a738p7tl; C:\WINDOWS\system32\drivers\a738p7tl.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\Marcin\LOCALS~1\Temp\catchme.sys []
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
S3 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS []
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-14 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2008-12-23 50704]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 osppsvc;Office Software Protection Platform; C:\WINDOWS\system32\OSPPSVC.EXE [2009-04-08 4319136]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-07-13 75064]
R2 VMAuthdService;VMware Authorization Service; C:\Program Files\VMware\VMware Workstation\vmware-authd.exe [2008-05-16 109104]
R2 VMnetDHCP;VMware DHCP Service; C:\WINDOWS\system32\vmnetdhcp.exe [2008-05-16 121392]
R2 vmount2;VMware Virtual Mount Manager Extended; C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe [2007-03-23 269104]
R2 VMware NAT Service;VMware NAT Service; C:\WINDOWS\system32\vmnat.exe [2008-05-16 150064]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2008-12-23 117264]
S3 ufad-ws60;VMware Agent Service; C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe [2007-11-30 186928]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 a2free;a-squared Free Service; C:\Program Files\a-squared Free\a2service.exe [2009-07-01 718880]
S4 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-26 132424]
S4 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-05-15 602112]
S4 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2009-05-15 593920]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
S4 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-05-15 655624]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S4 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S4 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-14 152984]
S4 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [2009-03-10 303104]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service; C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2009-04-25 33480048]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 npggsvc;nProtect GameGuard Service; C:\WINDOWS\system32\GameMon.des [2009-02-16 2736890]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2009-04-08 163688]
S4 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-09 65795]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

And here is info.txt :

info.txt logfile of random's system information tool 1.06 2009-07-23 13:37:40

======Uninstall list======

HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Oblivion - Horse Armor Pack-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly
Oblivion - Knights of the Nine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly
Oblivion - Mehrunes Razor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly
Oblivion - Orrery-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly
Oblivion - Spell Tomes-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly
Oblivion - Thieves Den-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly
Oblivion - Vile Lair-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly
Oblivion - Wizard's Tower-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly
Oblivion mod manager 1.1.12-->"C:\Program Files\Bethesda Softworks\Oblivion\obmm\uninstall\unins000.exe"
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
The Witcher Enhanced Edition-->"C:\Program Files\InstallShield Installation Information\{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}\setup.exe" -runfromtemp -l0x0009 -removeonly
VMware Workstation-->MsiExec.exe /I{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}

======Hosts File======

127.0.0.1 activate.adobe.com

======System event log======

Computer Name: XPS630
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 812
Source Name: Tcpip
Time Written: 20090517114742.000000-240
Event Type: warning
User:

Computer Name: XPS630
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 802
Source Name: Tcpip
Time Written: 20090517111813.000000-240
Event Type: warning
User:

Computer Name: XPS630
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 772
Source Name: Tcpip
Time Written: 20090516205820.000000-240
Event Type: warning
User:

Computer Name: XPS630
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 694
Source Name: Tcpip
Time Written: 20090514233557.000000-240
Event Type: warning
User:

Computer Name: XPS630
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 658
Source Name: Tcpip
Time Written: 20090514180345.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: XPS630
Event Code: 1000
Message: Faulting application gtaiv.exe, version 1.0.3.0, faulting module unknown, version 0.0.0.0, fault address 0x0012f460.

Record Number: 347
Source Name: Application Error
Time Written: 20090524183214.000000-240
Event Type: error
User:

Computer Name: XPS630
Event Code: 1000
Message: Faulting application deusex.exe, version 0.0.0.0, faulting module core.dll, version 0.0.0.0, fault address 0x000453a0.

Record Number: 316
Source Name: Application Error
Time Written: 20090520140055.000000-240
Event Type: error
User:

Computer Name: XPS630
Event Code: 1000
Message: Faulting application gtaiv.exe, version 1.0.3.0, faulting module unknown, version 0.0.0.0, fault address 0x0012f460.

Record Number: 315
Source Name: Application Error
Time Written: 20090520123936.000000-240
Event Type: error
User:

Computer Name: XPS630
Event Code: 1000
Message: Faulting application gtaiv.exe, version 1.0.3.0, faulting module xfire_toucan_36913.dll, version 1.0.0.36913, fault address 0x0002c9a5.

Record Number: 314
Source Name: Application Error
Time Written: 20090520112419.000000-240
Event Type: error
User:

Computer Name: XPS630
Event Code: 1000
Message: Faulting application gtaiv.exe, version 1.0.3.0, faulting module gtaiv.exe, version 1.0.3.0, fault address 0x001a7a0b.

Record Number: 312
Source Name: Application Error
Time Written: 20090520112311.000000-240
Event Type: error
User:

======Environment variables======

"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem;C:\Program Files\MKVtoolnix
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=170a
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"RGSC"=C:\Program Files\Rockstar Games\Rockstar Games Social Club\1_0_0_0
"RGSCLauncher"=C:\Program Files\Rockstar Games\Rockstar Games Social Club
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%

-----------------EOF-----------------



Also, another problem I noticed is that very few things are listed under Add/Remove programs. I have many more things installed... however this isn't as big of a problem as the Google redirects.
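A quick way to triage an RSIT info.txt like the one above, as an added example (not code from this thread or from the RSIT tool): it splits the log on its `======Section======` headers, reads the Hosts File block and the `Key: value` event records, and flags the two things a responder checks first in this format: hostnames pinned to the loopback address (here `activate.adobe.com`) and event codes that recur (here Tcpip 4226, the XP SP2 cap on concurrent outbound connect attempts, which a P2P client or a scanner will hit repeatedly). The sample text is a constructed, trimmed copy of the thread's own excerpt; the assumption that a `Computer Name:` line starts each record is taken from the layout shown.

```python
"""Triage helper for an RSIT-style info.txt (added example, not RSIT's code)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# RSIT writes WMI timestamps: yyyymmddHHMMSS.ffffff then +/- UTC offset in minutes
WMI_TIME_RE = re.compile(r"^(\d{14})\.\d+([+-])(\d{1,4})$")

# Constructed sample mirroring the info.txt excerpt posted in the thread (trimmed).
SAMPLE_INFO_TXT = """\
======Hosts File======

127.0.0.1 activate.adobe.com

======System event log======

Computer Name: XPS630
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 812
Source Name: Tcpip
Time Written: 20090517114742.000000-240
Event Type: warning
User:

Computer Name: XPS630
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 802
Source Name: Tcpip
Time Written: 20090517111813.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: XPS630
Event Code: 1000
Message: Faulting application gtaiv.exe, version 1.0.3.0, faulting module unknown, version 0.0.0.0, fault address 0x0012f460.

Record Number: 347
Source Name: Application Error
Time Written: 20090524183214.000000-240
Event Type: error
User:
"""


def split_sections(text):
    """Map each ======Name====== header (any number of '=') to the lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def parse_hosts(lines):
    """Return (ip, hostname) pairs from a hosts-file block, ignoring blanks and comments."""
    entries = []
    for line in lines:
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.extend((parts[0], host) for host in parts[1:])
    return entries


def loopback_overrides(entries):
    """Hosts pinned to 127.x other than localhost: each one silences that server
    (updates, activation, AV vendors); the responder decides whether it is wanted."""
    return [(ip, host) for ip, host in entries
            if ip.startswith("127.") and host.lower() not in ("localhost", "localhost.localdomain")]


def parse_wmi_time(value):
    """'20090517114742.000000-240' -> aware datetime in the logged UTC offset."""
    m = WMI_TIME_RE.match(value)
    if not m:
        return None
    stamp, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes)) * (1 if sign == "+" else -1)
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone(offset))


def parse_events(lines):
    """Turn 'Key: value' blocks into dicts; a 'Computer Name:' line opens a new record."""
    events, current = [], None
    for line in lines:
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Computer Name":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    for ev in events:
        ev["when"] = parse_wmi_time(ev.get("Time Written", ""))
    return events


def repeated_codes(events, threshold=2):
    """(Source Name, Event Code) pairs seen at least `threshold` times, most frequent first."""
    counts = Counter((ev.get("Source Name"), ev.get("Event Code")) for ev in events)
    return [(key, n) for key, n in counts.most_common() if n >= threshold]


def triage(text):
    """Summarise one info.txt: loopback overrides plus recurring codes per event log."""
    sections = split_sections(text)
    report = {"loopback_overrides": loopback_overrides(parse_hosts(sections.get("Hosts File", []))),
              "repeated": {}}
    for name, lines in sections.items():
        if name.endswith("event log"):
            report["repeated"][name] = repeated_codes(parse_events(lines))
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_INFO_TXT))
```

Run it against a saved info.txt with `triage(open("info.txt", encoding="utf-8", errors="replace").read())`; the thresholds and the loopback check are deliberately simple so they can be tuned to the box being looked at.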

#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:10:01 PM

Posted 24 July 2009 - 11:51 AM

Thanks for posting your log. Logs take a while to process due to intensive research that must be done. Please give me some time to look over your logs and I will post back soon :thumbup2:

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 Beremat

Beremat
  • Topic Starter

  • Members
  • 44 posts
  • Local time:02:01 PM

Posted 24 July 2009 - 07:31 PM

Sounds good, thanks.

#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:10:01 PM

Posted 25 July 2009 - 05:35 AM

Hello, Beremat.
P2P Program Warning!

uTorrent and Emule

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall uTorrent and Emule, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




We need to download and run ComboFix (by sUBs)
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  • Please download ComboFix from one of these locations:
    Link 1
    Link 2
    Link 3
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log



#7 Beremat

Beremat
  • Topic Starter

  • Members
  • 44 posts
  • Local time:02:01 PM

Posted 25 July 2009 - 02:58 PM

ComboFix 09-07-24.01 - Marcin 07/25/2009 15:34.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2557.2185 [GMT -4:00]
Running from: c:\documents and settings\Marcin\desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\19f5a44d.msi
c:\windows\system32\drivers\ESQULdticcacjpckxeogonagwsovdybmwwicb.sys
c:\windows\system32\drivers\ESQULipxwgilrmxxbquwkrrnsbpflmuyvtrsh.sys
c:\windows\system32\ESQULfdhyqjriudjkymrrbwfjxvwdllteotev.dll
c:\windows\system32\ESQULorgrkvttlxqpdpkhagqbwuhmmqcxvqbh.dll
c:\windows\system32\ESQULtvhbttikhwskymdcmqikaopqpfdgdriu.dll
c:\windows\system32\ESQULvvxctyumteypgnivkbwbsuushsuohphy.dll
c:\windows\system32\ESQULzcounter

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-25 06:46 . 2009-07-25 06:46 -------- d-----w- c:\program files\MPC HomeCinema
2009-07-25 06:45 . 2009-07-16 19:20 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-07-25 06:45 . 2009-03-30 05:57 62149 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-07-25 06:45 . 2009-07-25 06:45 -------- d-----w- c:\program files\ffdshow
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\02 Patches
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\10 Modders Only
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\01 TNR
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\01 Balanced Races
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\00 Cobl Core
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\03 Item Interchange
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\01 Salmo the Baker
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\omod conversion data
2009-07-24 03:52 . 2009-07-24 03:58 -------- d-----w- C:\QTP3
2009-07-24 02:59 . 2009-07-24 03:03 -------- d-----w- c:\program files\vsxu_player_0.1.17
2009-07-23 22:33 . 2009-07-24 00:23 -------- d-----w- c:\program files\Cacheman
2009-07-23 21:35 . 2009-07-24 00:06 -------- d-----w- c:\documents and settings\Marcin\Application Data\Nikon
2009-07-23 21:33 . 2008-01-10 14:51 110592 ----a-r- c:\windows\system32\RCSigProc.dll
2009-07-23 21:33 . 2008-06-12 14:29 6475096 ----a-w- c:\windows\system32\NEFcodec.dll
2009-07-23 21:33 . 2008-01-10 14:16 200704 ----a-r- c:\windows\system32\Strato7.dll
2009-07-23 20:15 . 2009-07-23 20:15 49152 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2009-07-23 20:15 . 2009-07-23 20:15 57344 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2009-07-23 20:14 . 2009-07-23 20:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Font Book
2009-07-23 20:13 . 2009-07-23 20:13 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-07-23 20:13 . 2009-07-23 21:35 -------- d-----w- c:\program files\Common Files\Nikon
2009-07-23 20:13 . 2009-07-23 20:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Nikon
2009-07-23 20:13 . 2009-07-23 20:14 -------- d-----w- c:\program files\Nikon
2009-07-23 19:40 . 2009-07-23 19:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Ultima_T15
2009-07-23 19:40 . 2009-07-23 19:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Error Handlers
2009-07-23 19:40 . 2009-07-23 19:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\EnterNHelp
2009-07-23 17:37 . 2009-07-23 17:37 -------- d-----w- C:\rsit
2009-07-23 17:37 . 2009-07-23 17:37 -------- d-----w- c:\program files\trend micro
2009-07-23 04:06 . 2009-07-23 06:03 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\The Witcher
2009-07-23 03:14 . 2009-07-23 03:14 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-07-23 03:14 . 2009-07-23 03:14 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-07-23 03:03 . 2009-07-23 04:03 -------- d-----w- c:\program files\The Witcher Enhanced Edition
2009-07-22 19:24 . 2009-07-22 19:24 -------- d-----w- c:\program files\Bethesda Softworks
2009-07-22 02:03 . 2009-07-24 00:09 -------- d-----w- c:\documents and settings\Marcin\Application Data\VMware
2009-07-22 02:03 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-07-22 02:03 . 2009-07-25 19:34 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-07-22 02:01 . 2009-07-22 02:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-07-22 02:01 . 2009-07-22 02:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-07-22 01:56 . 2009-07-22 01:56 -------- d-----w- C:\reset associations
2009-07-22 01:54 . 2009-07-22 01:54 -------- d-----w- C:\Repair Permissions
2009-07-22 01:47 . 2009-07-22 01:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-07-22 01:46 . 2008-05-16 04:51 16816 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-07-22 01:46 . 2008-05-16 04:51 13104 ----a-r- c:\windows\system32\vnetinst.dll
2009-07-22 01:46 . 2008-05-16 04:51 121392 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-07-22 01:46 . 2008-05-16 04:52 25136 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-07-22 01:46 . 2008-05-16 04:51 150064 ----a-w- c:\windows\system32\vmnat.exe
2009-07-22 01:45 . 2008-05-16 04:51 50992 ----a-r- c:\windows\system32\vmnetbridge.dll
2009-07-22 01:45 . 2008-05-16 04:51 28592 ----a-r- c:\windows\system32\drivers\vmnetbridge.sys
2009-07-22 01:45 . 2008-05-16 04:51 17712 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-07-22 01:45 . 2008-05-16 04:51 436784 ----a-w- c:\windows\system32\vnetlib.dll
2009-07-22 01:45 . 2008-05-16 04:52 20912 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2009-07-22 01:44 . 2009-07-25 19:34 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\VMware
2009-07-22 01:44 . 2009-07-22 01:44 -------- d-----w- c:\program files\VMware
2009-07-22 01:44 . 2009-07-22 01:44 -------- d-----w- c:\program files\Common Files\VMware
2009-07-21 23:15 . 2009-07-22 03:37 -------- d-----w- c:\documents and settings\Marcin\Application Data\Download Manager
2009-07-21 05:55 . 2006-07-11 17:19 382464 ----a-w- C:\NDeSmuME.exe
2009-07-21 04:31 . 2009-07-21 04:51 -------- d-----w- c:\documents and settings\Marcin\Application Data\eMule
2009-07-21 03:33 . 2009-07-21 03:34 -------- d-----w- c:\documents and settings\Marcin\Application Data\TrueCrypt
2009-07-21 03:32 . 2009-07-21 03:32 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-07-21 03:32 . 2009-07-21 03:32 -------- d-----w- c:\program files\TrueCrypt
2009-07-21 03:11 . 2009-07-22 01:42 -------- d-----w- c:\documents and settings\Marcin\Application Data\Tor
2009-07-21 03:11 . 2009-07-22 01:42 -------- d-----w- c:\documents and settings\Marcin\Application Data\Vidalia
2009-07-21 03:11 . 2009-07-21 03:11 -------- d-----w- c:\program files\Vidalia Bundle
2009-07-20 07:09 . 2009-07-20 07:09 -------- d-----w- c:\program files\Tor
2009-07-18 22:13 . 2009-07-18 22:13 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\DOSBox
2009-07-18 22:11 . 2009-07-18 22:43 -------- d-----w- c:\program files\DOSBox-0.73
2009-07-18 03:24 . 2009-07-18 03:24 -------- d-----w- c:\program files\WinPcap
2009-07-18 03:23 . 2009-07-18 19:31 -------- d-----w- c:\program files\Cain
2009-07-18 02:18 . 2003-05-09 11:59 795215904 ----a-w- C:\FLT-VCB.BIN
2009-07-15 04:11 . 2009-07-15 04:35 -------- d-----w- c:\program files\ElastoManiaRegistered
2009-07-14 17:30 . 2009-07-14 17:30 2138112 ----a-w- c:\documents and settings\Marcin\Application Data\Folding@home-x86\FahCore_7c.exe
2009-07-14 04:45 . 2009-07-25 07:12 -------- d-----w- c:\documents and settings\Marcin\Application Data\vlc
2009-07-13 04:01 . 2009-07-13 04:01 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
2009-07-13 04:01 . 2009-07-13 04:01 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Xfire
2009-07-13 03:08 . 2009-07-13 03:08 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\PunkBuster
2009-07-12 19:19 . 2009-07-12 19:19 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ATI
2009-07-12 18:44 . 2009-07-12 18:44 2338816 ----a-w- c:\documents and settings\Marcin\Application Data\Folding@home-x86\FahCore_78.exe
2009-07-12 03:57 . 2009-07-12 04:00 98304 ----a-w- c:\documents and settings\Marcin\Application Data\Soldat\Battleye\BEClient.dll
2009-07-12 03:57 . 2009-03-28 23:52 94208 ----a-w- c:\documents and settings\Marcin\Application Data\Soldat\Battleye\BEServer.dll
2009-07-10 14:55 . 2009-07-10 15:16 -------- d-----w- c:\program files\Qtracker
2009-07-10 14:44 . 2009-07-21 20:14 139584 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-10 14:44 . 2009-07-10 14:44 22328 ----a-w- c:\documents and settings\Marcin\Application Data\PnkBstrK.sys
2009-07-10 14:44 . 2009-07-21 20:14 189104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-10 14:44 . 2009-07-13 20:55 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-10 01:26 . 2009-07-10 01:26 -------- d-----w- C:\games
2009-07-07 18:56 . 2009-07-07 18:56 -------- d-----w- C:\RealTemp
2009-07-07 00:18 . 2009-07-01 21:53 52224 ----a-w- c:\documents and settings\Marcin\Application Data\Mozilla\Firefox\Profiles\bem2isc0.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
2009-07-07 00:18 . 2009-07-01 21:53 114688 ----a-w- c:\documents and settings\Marcin\Application Data\Mozilla\Firefox\Profiles\bem2isc0.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\npmozax.dll
2009-07-05 23:56 . 2009-07-05 23:56 -------- d-----w- c:\program files\Common Files\DirectX
2009-07-05 23:50 . 2009-07-05 23:50 -------- d-----w- c:\documents and settings\Marcin\Application Data\NPLUTO Corporation
2009-07-05 23:50 . 2005-01-03 06:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-07-05 23:50 . 2009-07-05 23:50 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-07-05 23:25 . 2009-07-05 23:50 -------- d-----w- c:\program files\DriftCity
2009-07-05 22:44 . 2009-07-07 18:41 782795312 ----a-w- c:\documents and settings\Marcin\Application Data\ijjigame\DriftCity_Setup.exe
2009-07-05 22:31 . 2009-07-05 22:31 -------- d-----w- C:\ijji
2009-07-05 22:31 . 2009-07-05 23:24 -------- d--h--w- c:\documents and settings\Marcin\Application Data\ijjigame
2009-07-05 22:30 . 2009-07-05 22:30 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ijjigame
2009-07-05 22:29 . 2009-07-05 22:29 -------- d-----w- c:\program files\NHN USA
2009-07-05 22:29 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-07-05 22:29 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-07-05 22:29 . 2008-06-12 03:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-07-05 22:29 . 2008-04-23 18:02 157152 ----a-w- c:\windows\system32\PubPlugin.dll
2009-07-05 18:53 . 2009-07-05 18:53 -------- d-----w- c:\documents and settings\Marcin\Application Data\Turbine
2009-07-05 18:53 . 2009-07-05 18:53 129 ----a-w- c:\documents and settings\Marcin\Local Settings\Application Data\fusioncache.dat
2009-07-05 18:53 . 2009-07-05 18:53 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\Turbine
2009-07-05 18:53 . 2009-07-21 00:19 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\ApplicationHistory
2009-07-05 18:28 . 2009-07-05 18:28 -------- d-----w- c:\program files\Turbine
2009-07-05 04:15 . 2009-07-05 18:35 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\PMB Files
2009-07-05 04:15 . 2009-07-05 07:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PMB Files
2009-07-05 04:15 . 2009-07-05 04:15 -------- d-----w- c:\program files\Pando Networks
2009-07-02 18:55 . 2009-07-02 18:55 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-07-01 21:57 . 2009-07-01 22:09 -------- d-----w- c:\program files\ATITool
2009-06-28 22:04 . 2009-06-28 22:04 -------- d-----w- c:\program files\WallpaperToy
2009-06-28 22:04 . 2009-06-28 22:04 187072 ----a-w- c:\windows\walltoyUninst.exe
2009-06-25 20:34 . 2009-06-25 20:34 -------- d-----w- C:\.jagex_cache_32
2009-06-25 20:14 . 2009-06-25 20:34 34 ----a-w- c:\documents and settings\Marcin\jagex_runescape_preferences.dat
2009-06-25 20:14 . 2009-06-25 20:14 -------- d-----w- c:\windows\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 21:45 . 2009-05-04 21:54 -------- d-----w- c:\documents and settings\Marcin\Application Data\uTorrent
2009-07-24 17:51 . 2009-05-04 21:47 -------- d-----w- c:\documents and settings\Marcin\Application Data\Xfire
2009-07-24 03:37 . 2009-05-23 02:30 -------- d-----w- c:\documents and settings\Marcin\Application Data\foobar2000
2009-07-24 01:49 . 2009-05-04 21:47 -------- d-----w- c:\program files\Xfire
2009-07-24 00:11 . 2009-07-23 20:14 20 ---h--w- c:\docume~1\ALLUSE~1\APPLIC~1\PKP_DLdw.DAT
2009-07-24 00:09 . 2009-07-23 19:40 20 ---h--w- c:\docume~1\ALLUSE~1\APPLIC~1\PKP_DLdu.DAT
2009-07-23 21:33 . 2009-05-04 21:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-23 19:40 . 2003-03-18 23:05 106496 ----a-w- c:\windows\system32\ATL71.DLL
2009-07-23 06:12 . 2009-05-04 22:20 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-23 03:00 . 2009-05-04 22:59 -------- d-----w- c:\program files\a-squared Free
2009-07-22 01:41 . 2009-07-12 18:44 -------- d-----w- c:\documents and settings\Marcin\Application Data\Folding@home-x86
2009-07-22 01:41 . 2009-05-12 02:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 07:18 . 2009-07-12 18:28 -------- d-----w- c:\documents and settings\Marcin\Application Data\Folding@home-gpu
2009-07-18 02:15 . 2009-05-05 20:35 -------- d-----w- c:\program files\Rockstar Games
2009-07-17 21:21 . 2009-05-10 04:31 -------- d-----w- c:\documents and settings\Marcin\Application Data\FileZilla
2009-07-17 02:27 . 2009-05-04 21:34 76096 ----a-w- c:\documents and settings\Marcin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 00:41 . 2009-05-15 01:49 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-17 00:28 . 2009-06-15 16:41 -------- d-----w- c:\program files\Activision
2009-07-17 00:28 . 2009-05-25 19:17 -------- d-----w- c:\program files\PlaneShift Steel Blue
2009-07-17 00:26 . 2009-05-24 07:42 -------- d-----w- c:\program files\Facade
2009-07-15 02:27 . 2009-06-08 02:45 22 ----a-w- c:\windows\popcinfot.dat
2009-07-15 02:27 . 2009-06-07 20:55 -------- d-----w- c:\program files\Peggle Nights Deluxe
2009-07-12 19:17 . 2009-05-04 21:42 -------- d-----w- c:\program files\ATI Technologies
2009-07-12 18:44 . 2009-07-12 18:44 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_6FEFF9B68218417F98F549.exe
2009-07-12 18:44 . 2009-07-12 18:44 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
2009-07-12 18:44 . 2009-07-12 18:44 10134 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_D153F602E769D1960CE13B.exe
2009-07-12 18:44 . 2009-07-12 18:28 -------- d-----w- c:\program files\Folding@home
2009-07-12 18:39 . 2009-07-12 18:39 -------- d-----w- c:\documents and settings\Marcin\Application Data\FahMon
2009-07-12 18:38 . 2009-07-12 18:38 -------- d-----w- c:\program files\FahMon
2009-07-12 18:30 . 2009-07-12 18:30 3203072 ----a-w- c:\documents and settings\Marcin\Application Data\Folding@home-gpu\FahCore_11.exe
2009-07-12 18:28 . 2009-07-12 18:28 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6A90C837-054E-44AE-B9BD-1B1F87986BBC}\_98830A63A82EB98D7BA198.exe
2009-07-12 18:28 . 2009-07-12 18:28 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6A90C837-054E-44AE-B9BD-1B1F87986BBC}\_6FEFF9B68218417F98F549.exe
2009-07-12 18:28 . 2009-07-12 18:28 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6A90C837-054E-44AE-B9BD-1B1F87986BBC}\_1810542788961D6D988517.exe
2009-07-12 18:28 . 2009-07-12 18:28 10134 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6A90C837-054E-44AE-B9BD-1B1F87986BBC}\_B97F7EA90C9BD73A9EC027.exe
2009-07-10 04:35 . 2009-05-05 02:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\BOINC
2009-06-28 05:40 . 2009-06-22 20:40 -------- d-----w- c:\program files\HooTech
2009-06-26 17:39 . 2009-06-24 00:00 -------- d-----w- c:\documents and settings\Marcin\Application Data\DeskSoft
2009-06-26 17:33 . 2009-06-25 16:02 -------- d-----w- c:\program files\Common Files\Common Share
2009-06-26 17:33 . 2009-06-25 16:02 -------- d-----w- c:\program files\Gabest
2009-06-25 16:08 . 2009-06-25 16:08 -------- d-----w- c:\documents and settings\Marcin\Application Data\Media Player Classic
2009-06-25 03:01 . 2009-06-25 03:01 598 ----a-w- c:\windows\eReg.dat
2009-06-25 02:55 . 2009-06-25 02:55 -------- d-----w- c:\program files\Maxis
2009-06-25 01:59 . 2009-06-04 21:41 -------- d-----w- c:\documents and settings\Marcin\Application Data\Hamachi
2009-06-25 01:41 . 2009-05-23 02:30 -------- d-----w- c:\program files\foobar2000
2009-06-25 01:24 . 2009-06-25 01:24 -------- d-----w- c:\program files\MKVtoolnix
2009-06-24 00:00 . 2009-06-24 00:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DeskSoft
2009-06-22 20:49 . 2009-06-22 20:49 -------- d-----w- c:\program files\FXBear Converter
2009-06-19 22:32 . 2009-05-12 01:36 -------- d-----w- c:\documents and settings\Marcin\Application Data\Mount&Blade
2009-06-19 22:32 . 2009-05-12 01:35 -------- d-----w- c:\program files\Mount&Blade
2009-06-19 21:44 . 2009-06-19 21:44 -------- d-----w- c:\program files\PortableMudMaster
2009-06-16 14:36 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 00:51 . 2009-06-14 00:51 -------- d-----w- c:\documents and settings\Marcin\Application Data\Soldat
2009-06-14 00:16 . 2009-06-14 00:16 -------- d-----w- c:\documents and settings\Marcin\Application Data\Teeworlds
2009-06-12 00:27 . 2009-05-17 15:25 1734 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-09 21:31 . 2009-06-09 21:30 -------- d-----w- c:\program files\RivaTuner v2.24
2009-06-09 21:23 . 2009-06-09 21:23 -------- d-----w- c:\documents and settings\Marcin\Application Data\atitray
2009-06-09 21:23 . 2009-06-09 21:23 -------- d-----w- c:\program files\Ray Adams
2009-06-07 03:55 . 2009-06-07 03:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ElectricSheep
2009-06-06 21:23 . 2009-06-06 21:22 -------- d-----w- c:\program files\Peggle Extreme
2009-06-06 16:02 . 2009-06-06 16:02 -------- d-----w- c:\program files\Apache Software Foundation
2009-06-05 11:14 . 2009-06-05 11:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-04 21:57 . 2009-06-04 21:57 -------- d-----w- c:\documents and settings\Marcin\Application Data\GameRanger
2009-06-04 21:48 . 2009-06-04 21:48 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Age of Empires 3
2009-06-04 21:41 . 2009-06-04 21:41 -------- d-----w- c:\program files\Hamachi
2009-06-04 21:41 . 2009-06-04 21:41 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-06-04 21:13 . 2009-06-04 21:13 -------- d-----w- c:\program files\Microsoft Games
2009-06-04 21:12 . 2009-05-04 21:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-03 20:31 . 2009-06-03 20:25 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Motive
2009-06-03 20:27 . 2009-06-03 20:26 -------- d-----w- c:\program files\Verizon
2009-06-03 20:26 . 2009-06-03 20:26 -------- d-----w- c:\documents and settings\Marcin\Application Data\Motive
2009-06-03 20:26 . 2009-06-03 20:25 -------- d-----w- c:\program files\Common Files\Motive
2009-06-03 19:42 . 2009-06-03 19:42 -------- d-----w- c:\program files\WinDirStat
2009-06-03 19:09 . 2008-04-14 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 21:29 . 2009-05-14 20:16 -------- d-----w- c:\documents and settings\Marcin\Application Data\mIRC
2009-06-02 21:22 . 2009-05-14 20:16 -------- d-----w- c:\program files\mIRC
2009-05-31 22:46 . 2009-05-15 22:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-05-30 20:21 . 2009-05-30 20:11 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-05-30 18:27 . 2009-05-30 18:26 -------- d-----w- c:\program files\SpeederXP
2009-05-29 00:21 . 2009-05-29 00:21 28672 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{D4685ED2-93BE-45C6-AD27-0AA11ED84795}\_BBD8966ED731_4A6E_AE81_A87CEE3E6DF7.exe
2009-05-26 23:57 . 2009-05-26 23:57 -------- d-----w- c:\program files\7-Zip
2009-05-25 21:57 . 2009-05-15 01:51 1 ----a-w- c:\documents and settings\Marcin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-21 20:01 . 2009-05-21 20:01 10134 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-20 16:46 . 2009-05-19 23:39 1682 --sha-w- c:\docume~1\ALLUSE~1\APPLIC~1\KGyGaAvL.sys
2009-05-19 23:39 . 2009-05-19 23:39 88 --sh--r- c:\docume~1\ALLUSE~1\APPLIC~1\1D6AFE586B.sys
2009-05-17 15:26 . 2009-05-17 15:26 56 --sh--r- c:\windows\system32\6B58FE6A1D.sys
2009-05-17 15:24 . 2009-05-17 15:24 0 ----a-w- c:\program files\Common Files\akkg.exe
2009-05-17 15:24 . 2009-05-17 15:24 323584 ----a-w- c:\program files\Common Files\SetupMenu.exe
2009-05-17 15:24 . 2009-05-17 15:24 0 ----a-w- c:\program files\Common Files\insta.exe
2009-05-16 03:58 . 2008-12-01 22:13 4069888 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-05-16 03:39 . 2008-12-01 20:52 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-05-16 03:38 . 2008-12-01 20:51 335872 ----a-w- c:\windows\system32\ati2dvag.dll
2009-05-16 03:18 . 2008-12-01 20:41 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2009-05-16 03:17 . 2008-12-01 20:40 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-05-16 03:17 . 2008-12-01 20:40 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-05-16 03:17 . 2008-12-01 20:40 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-05-16 03:17 . 2008-12-01 20:40 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-05-16 03:15 . 2008-12-01 20:38 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-05-16 03:14 . 2008-12-01 20:37 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-05-16 03:07 . 2008-12-01 20:27 2987136 ----a-w- c:\windows\system32\ati3duag.dll
2009-06-12 16:07 . 2009-05-04 21:38 131584 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-04-08 21:05 739688 ----a-w- c:\progra~1\Microsoft Office\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24\RivaTuner.exe" [2009-02-25 2781184]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-05-16 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-05-16 55856]

c:\documents and settings\Marcin\Start Menu\Programs\Startup\
Shortcut to Folding@home-x86.exe.lnk - c:\program files\Folding@home\Folding@home-x86\Folding@home.exe [2008-11-26 449536]
Shortcut to Folding@home.exe.lnk - c:\program files\Folding@home\Folding@home-gpu\Folding@home.exe [2008-11-26 452608]
Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2009-6-28 110592]
µTorrent.lnk - c:\program files\uTorrent\uTorrent.exe [2009-5-4 288048]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^GameRanger.lnk]
path=c:\documents and settings\Marcin\Start Menu\Programs\Startup\GameRanger.lnk
backup=c:\windows\pss\GameRanger.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Marcin\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Marcin\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"WSearch"=2 (0x2)
"CiSvc"=3 (0x3)
"Microsoft SharePoint Workspace Audit Service"=3 (0x3)
"ose"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"McciCMService"=2 (0x2)
"Apache2.2"=2 (0x2)
"IDriverT"=3 (0x3)
"a2free"=2 (0x2)
"npggsvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Marcin\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
"c:\\Soldat\\Soldat.exe"=
"c:\\Program Files\\PortableMudMaster\\MudMaster.exe"=
"c:\\Program Files\\Xfire\\dppm_source.exe"=
"c:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\ijjigame\\ExLauncher.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\ijji\\ENGLISH\\OutBound_Pul.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Qtracker\\qtracker.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Cain\\Cain.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57591:TCP"= 57591:TCP:Pando Media Booster
"57591:UDP"= 57591:UDP:Pando Media Booster

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R2 osppsvc;Office Software Protection Platform;c:\windows\system32\OSPPSVC.EXE [4/8/2009 4:37 PM 4319136]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 7:40 PM 84992]
S0 cerc6;cerc6; [x]
S2 CachemanService;Cacheman Service;c:\program files\Cacheman\CachemanServ.exe --> c:\program files\Cacheman\CachemanServ.exe [?]
S3 45af844e-7d71-4e5c-a1be-cae02e9cb96b;45af844e-7d71-4e5c-a1be-cae02e9cb96b;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 11:35 AM 50704]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [4/25/2009 7:18 PM 33480048]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: {{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\docume~1\Marcin\APPLIC~1\Mozilla\Firefox\Profiles\bem2isc0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=mpues&hl=en
FF - component: c:\documents and settings\Marcin\Application Data\Mozilla\Firefox\Profiles\bem2isc0.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
.
------- File Associations -------
.
inffile=c:\windows\System32\NOTEPAD.EXE "%1"
VBSFile=c:\windows\System32\WScript.exe "%1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 15:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-117609710-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:12,f1,5b,4f,76,2d,5a,cd,71,2c,dc,24,87,3b,f6,fb,7b,7b,ad,b0,0b,
44,f4,7c,2e,fa,a9,7c,dc,66,99,a9,d7,98,e9,e6,6b,5a,65,bc,5c,5f,a8,74,09,7d,\
"rkeysecu"=hex:33,cd,5c,0b,99,0e,80,28,e5,7f,72,c5,f8,cc,3e,8d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-25 15:41
ComboFix-quarantined-files.txt 2009-07-25 19:41

Pre-Run: 209,549,209,600 bytes free
Post-Run: 209,856,221,184 bytes free

459 --- E O F --- 2009-07-21 23:31




______________________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:57 PM, on 7/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\trend micro\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\Microsoft Office\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\Microsoft Office\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24\RivaTuner.exe" /S
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Shortcut to Folding@home-x86.exe.lnk = C:\Program Files\Folding@home\Folding@home-x86\Folding@home.exe
O4 - Startup: Shortcut to Folding@home.exe.lnk = C:\Program Files\Folding@home\Folding@home-gpu\Folding@home.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Linked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.210,85.255.112.65
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F5DBF95-32DC-45D0-AD77-30F28A874251}: NameServer = 85.255.112.210,85.255.112.65
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Cacheman Service (CachemanService) - Unknown owner - C:\Program Files\Cacheman\CachemanServ.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 5846 bytes



It seems the problem has been fixed. The random system freezes have gone away also. Thank you for your assistance.

#8 aommaster

  • Malware Response Team
  • Location:Dubai

Posted 26 July 2009 - 03:48 AM

Hello, Beremat.
Looks good! We've got a little bit more to do.

I see that you have a gameguard engine running on your computer. Please make sure that whatever game you have running is completely shut down before performing the fixes, as they could interfere with the overall fix.




We need to run a Combofix script
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    Driver::
    45af844e-7d71-4e5c-a1be-cae02e9cb96b
    
    File::
    d:\player\cds300.dll
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Now, drag and drop CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
NEXT:

We need to use HijackThis to carry out a fix
  • Run HijackThis
  • Click on Do a system scan only.
  • Place a checkmark next to these lines (if still present).

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.210,85.255.112.65
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1F5DBF95-32DC-45D0-AD77-30F28A874251}: NameServer = 85.255.112.210,85.255.112.65


  • Close all windows except HijackThis and click Fix Checked.
  • Restart
NEXT:

We need to run a Kaspersky Scan
  • Go to Kaspersky WebScanner
  • Click on Kaspersky Online Scanner
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database --> Extended (if available otherwise Standard)
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan, Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
NEXT:

We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log
  • Description of any remaining problems
  • Kaspersky Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
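The two O17 lines that the fix above targets are the security-relevant finding in this thread: every adapter's NameServer value has been pointed at 85.255.112.210 and 85.255.112.65, so the browser is not being hijacked by an add-on but by whoever answers DNS for the machine, which is why the Google redirects survived the earlier clean-up. The script below is an added example (not part of this post, and not code from HijackThis or ComboFix) that triages a HijackThis log for O17 entries, flags any resolver outside a set of networks the operator trusts, and renders the Driver::/File:: CFScript in the shape used above. The trusted-network list and the third, benign O17 sample line are assumptions constructed for the demonstration; the two rogue lines are copied from the log earlier in this post.

```python
"""Triage DNS NameServer (O17) entries from a HijackThis log and render a CFScript.

Added example for illustration; not part of HijackThis, ComboFix or this thread.
"""
import ipaddress
import re

# HijackThis O17 line: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>[0-9.,\s]+)$"
)

# Sample log: first two lines copied from the HijackThis log above; the third is a
# constructed benign entry (home router on the LAN); the fourth is a non-O17 line.
SAMPLE_LOG = [
    r"O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.210,85.255.112.65",
    r"O17 - HKLM\System\CS2\Services\Tcpip\..\{1F5DBF95-32DC-45D0-AD77-30F28A874251}: NameServer = 85.255.112.210,85.255.112.65",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
    "O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe",
]

# Assumption: on this home network only LAN (RFC 1918) resolvers are legitimate.
TRUSTED = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]


def parse_o17(log_lines):
    """Return a list of (registry_key, [ip, ...]) for every O17 NameServer entry."""
    entries = []
    for line in log_lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("key"), servers))
    return entries


def rogue_nameservers(log_lines, trusted_networks):
    """Return (registry_key, [bad_ip, ...]) for entries pointing outside trusted nets.

    An unparsable address is treated as rogue rather than silently ignored.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for key, servers in parse_o17(log_lines):
        bad = []
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                bad.append(s)
                continue
            if not any(addr in net for net in nets):
                bad.append(s)
        if bad:
            flagged.append((key, bad))
    return flagged


def build_cfscript(drivers=(), files=()):
    """Render a ComboFix CFScript.txt with Driver:: and File:: sections."""
    sections = []
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    if files:
        sections.append("File::\n" + "\n".join(files))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    for key, bad in rogue_nameservers(SAMPLE_LOG, TRUSTED):
        print("ROGUE resolver(s) %s at %s" % (", ".join(bad), key))
    print(build_cfscript(drivers=["45af844e-7d71-4e5c-a1be-cae02e9cb96b"],
                         files=[r"d:\player\cds300.dll"]), end="")
```

The check deliberately keys on the registry path rather than the adapter GUID: a rogue resolver written into Tcpip\Parameters applies to every interface, so fixing only the per-adapter entry leaves the hijack in place, which is why both O17 lines must be ticked together.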


#9 Beremat

  • Topic Starter
  • Members

Posted 26 July 2009 - 01:45 PM

Here is the newest log.txt from ComboFix.

ComboFix 09-07-25.08 - Marcin 07/26/2009 14:34.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2557.1769 [GMT -4:00]
Running from: c:\documents and settings\Marcin\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Marcin\My Documents\CFScript.txt

FILE ::
"d:\player\cds300.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_45af844e-7d71-4e5c-a1be-cae02e9cb96b


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 22:51 . 2009-07-25 22:51 -------- d-----w- c:\program files\CoreCodec
2009-07-25 22:28 . 2008-09-27 04:00 118176 ----a-w- c:\windows\patchw.dll
2009-07-25 22:25 . 2009-07-25 22:37 -------- d-----w- c:\program files\Outspark
2009-07-25 06:46 . 2009-07-25 06:46 -------- d-----w- c:\program files\MPC HomeCinema
2009-07-25 06:45 . 2009-07-16 19:20 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-07-25 06:45 . 2009-03-30 05:57 62149 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-07-25 06:45 . 2009-07-25 06:45 -------- d-----w- c:\program files\ffdshow
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\02 Patches
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\10 Modders Only
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\01 TNR
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\01 Balanced Races
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\00 Cobl Core
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\03 Item Interchange
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\01 Salmo the Baker
2009-07-24 04:28 . 2009-07-24 04:28 -------- d-----w- C:\omod conversion data
2009-07-24 03:52 . 2009-07-24 03:58 -------- d-----w- C:\QTP3
2009-07-24 02:59 . 2009-07-24 03:03 -------- d-----w- c:\program files\vsxu_player_0.1.17
2009-07-23 22:33 . 2009-07-24 00:23 -------- d-----w- c:\program files\Cacheman
2009-07-23 21:35 . 2009-07-24 00:06 -------- d-----w- c:\documents and settings\Marcin\Application Data\Nikon
2009-07-23 21:33 . 2008-01-10 14:51 110592 ----a-r- c:\windows\system32\RCSigProc.dll
2009-07-23 21:33 . 2008-06-12 14:29 6475096 ----a-w- c:\windows\system32\NEFcodec.dll
2009-07-23 21:33 . 2008-01-10 14:16 200704 ----a-r- c:\windows\system32\Strato7.dll
2009-07-23 20:15 . 2009-07-23 20:15 49152 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2009-07-23 20:15 . 2009-07-23 20:15 57344 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2009-07-23 20:14 . 2009-07-23 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Font Book
2009-07-23 20:13 . 2009-07-23 20:13 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-07-23 20:13 . 2009-07-23 21:35 -------- d-----w- c:\program files\Common Files\Nikon
2009-07-23 20:13 . 2009-07-23 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Nikon
2009-07-23 20:13 . 2009-07-23 20:14 -------- d-----w- c:\program files\Nikon
2009-07-23 19:40 . 2009-07-23 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ultima_T15
2009-07-23 19:40 . 2009-07-23 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Error Handlers
2009-07-23 19:40 . 2009-07-23 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\EnterNHelp
2009-07-23 17:37 . 2009-07-25 19:57 -------- d-----w- c:\program files\trend micro
2009-07-23 17:37 . 2009-07-23 17:37 -------- d-----w- C:\rsit
2009-07-23 04:06 . 2009-07-23 06:03 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\The Witcher
2009-07-23 03:14 . 2009-07-23 03:14 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-07-23 03:14 . 2009-07-23 03:14 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-07-23 03:03 . 2009-07-23 04:03 -------- d-----w- c:\program files\The Witcher Enhanced Edition
2009-07-22 19:24 . 2009-07-22 19:24 -------- d-----w- c:\program files\Bethesda Softworks
2009-07-22 02:03 . 2009-07-26 18:42 -------- d-----w- c:\documents and settings\Marcin\Application Data\VMware
2009-07-22 02:03 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-07-22 02:03 . 2009-07-26 18:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-07-22 02:01 . 2009-07-22 02:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-07-22 02:01 . 2009-07-22 02:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-07-22 01:56 . 2009-07-22 01:56 -------- d-----w- C:\reset associations
2009-07-22 01:54 . 2009-07-22 01:54 -------- d-----w- C:\Repair Permissions
2009-07-22 01:47 . 2009-07-22 01:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-07-22 01:46 . 2008-05-16 04:51 16816 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-07-22 01:46 . 2008-05-16 04:51 13104 ----a-r- c:\windows\system32\vnetinst.dll
2009-07-22 01:46 . 2008-05-16 04:51 121392 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-07-22 01:46 . 2008-05-16 04:52 25136 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-07-22 01:46 . 2008-05-16 04:51 150064 ----a-w- c:\windows\system32\vmnat.exe
2009-07-22 01:45 . 2008-05-16 04:51 50992 ----a-r- c:\windows\system32\vmnetbridge.dll
2009-07-22 01:45 . 2008-05-16 04:51 28592 ----a-r- c:\windows\system32\drivers\vmnetbridge.sys
2009-07-22 01:45 . 2008-05-16 04:51 17712 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-07-22 01:45 . 2008-05-16 04:51 436784 ----a-w- c:\windows\system32\vnetlib.dll
2009-07-22 01:45 . 2008-05-16 04:52 20912 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2009-07-22 01:44 . 2009-07-26 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-07-22 01:44 . 2009-07-22 01:44 -------- d-----w- c:\program files\VMware
2009-07-22 01:44 . 2009-07-22 01:44 -------- d-----w- c:\program files\Common Files\VMware
2009-07-21 23:15 . 2009-07-22 03:37 -------- d-----w- c:\documents and settings\Marcin\Application Data\Download Manager
2009-07-21 05:55 . 2006-07-11 17:19 382464 ----a-w- C:\NDeSmuME.exe
2009-07-21 04:31 . 2009-07-21 04:51 -------- d-----w- c:\documents and settings\Marcin\Application Data\eMule
2009-07-21 03:33 . 2009-07-21 03:34 -------- d-----w- c:\documents and settings\Marcin\Application Data\TrueCrypt
2009-07-21 03:32 . 2009-07-21 03:32 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-07-21 03:32 . 2009-07-21 03:32 -------- d-----w- c:\program files\TrueCrypt
2009-07-21 03:11 . 2009-07-22 01:42 -------- d-----w- c:\documents and settings\Marcin\Application Data\Tor
2009-07-21 03:11 . 2009-07-22 01:42 -------- d-----w- c:\documents and settings\Marcin\Application Data\Vidalia
2009-07-21 03:11 . 2009-07-21 03:11 -------- d-----w- c:\program files\Vidalia Bundle
2009-07-20 07:09 . 2009-07-20 07:09 -------- d-----w- c:\program files\Tor
2009-07-18 22:13 . 2009-07-18 22:13 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\DOSBox
2009-07-18 22:11 . 2009-07-18 22:43 -------- d-----w- c:\program files\DOSBox-0.73
2009-07-18 03:24 . 2009-07-18 03:24 -------- d-----w- c:\program files\WinPcap
2009-07-18 03:23 . 2009-07-18 19:31 -------- d-----w- c:\program files\Cain
2009-07-18 02:18 . 2003-05-09 11:59 795215904 ----a-w- C:\FLT-VCB.BIN
2009-07-15 04:11 . 2009-07-15 04:35 -------- d-----w- c:\program files\ElastoManiaRegistered
2009-07-14 17:30 . 2009-07-14 17:30 2138112 ----a-w- c:\documents and settings\Marcin\Application Data\Folding@home-x86\FahCore_7c.exe
2009-07-14 04:45 . 2009-07-25 22:55 -------- d-----w- c:\documents and settings\Marcin\Application Data\vlc
2009-07-13 03:08 . 2009-07-13 03:08 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\PunkBuster
2009-07-12 19:19 . 2009-07-12 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-07-12 18:44 . 2009-07-12 18:44 2338816 ----a-w- c:\documents and settings\Marcin\Application Data\Folding@home-x86\FahCore_78.exe
2009-07-12 03:57 . 2009-07-12 04:00 98304 ----a-w- c:\documents and settings\Marcin\Application Data\Soldat\Battleye\BEClient.dll
2009-07-12 03:57 . 2009-03-28 23:52 94208 ----a-w- c:\documents and settings\Marcin\Application Data\Soldat\Battleye\BEServer.dll
2009-07-10 14:55 . 2009-07-10 15:16 -------- d-----w- c:\program files\Qtracker
2009-07-10 14:44 . 2009-07-21 20:14 139584 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-10 14:44 . 2009-07-10 14:44 22328 ----a-w- c:\documents and settings\Marcin\Application Data\PnkBstrK.sys
2009-07-10 14:44 . 2009-07-21 20:14 189104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-10 14:44 . 2009-07-13 20:55 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-10 01:26 . 2009-07-10 01:26 -------- d-----w- C:\games
2009-07-07 18:56 . 2009-07-07 18:56 -------- d-----w- C:\RealTemp
2009-07-07 00:18 . 2009-07-01 21:53 52224 ----a-w- c:\documents and settings\Marcin\Application Data\Mozilla\Firefox\Profiles\bem2isc0.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
2009-07-07 00:18 . 2009-07-01 21:53 114688 ----a-w- c:\documents and settings\Marcin\Application Data\Mozilla\Firefox\Profiles\bem2isc0.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\npmozax.dll
2009-07-05 23:56 . 2009-07-05 23:56 -------- d-----w- c:\program files\Common Files\DirectX
2009-07-05 23:50 . 2009-07-05 23:50 -------- d-----w- c:\documents and settings\Marcin\Application Data\NPLUTO Corporation
2009-07-05 23:50 . 2005-01-03 06:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-07-05 23:50 . 2009-07-05 23:50 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-07-05 23:25 . 2009-07-05 23:50 -------- d-----w- c:\program files\DriftCity
2009-07-05 22:44 . 2009-07-07 18:41 782795312 ----a-w- c:\documents and settings\Marcin\Application Data\ijjigame\DriftCity_Setup.exe
2009-07-05 22:31 . 2009-07-05 22:31 -------- d-----w- C:\ijji
2009-07-05 22:31 . 2009-07-05 23:24 -------- d--h--w- c:\documents and settings\Marcin\Application Data\ijjigame
2009-07-05 22:30 . 2009-06-03 21:48 779720 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\PurpleBean.exe
2009-07-05 22:30 . 2009-05-27 22:08 591320 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\ExLauncher.exe
2009-07-05 22:30 . 2008-08-20 14:46 632280 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\PLauncher.exe
2009-07-05 22:30 . 2008-09-04 20:34 112048 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\ijjiPrePLauncher.exe
2009-07-05 22:30 . 2008-08-28 16:50 480688 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\ijjistarter2FxB.exe
2009-07-05 22:30 . 2008-08-28 16:50 83376 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\ijjiPreStarter2FxB.exe
2009-07-05 22:30 . 2008-08-28 16:50 79280 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\ijjiPreNotify2FxB.exe
2009-07-05 22:30 . 2008-08-28 16:50 50608 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\ijjiNotify2FxB.exe
2009-07-05 22:30 . 2009-07-05 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-07-05 22:29 . 2009-07-05 22:29 -------- d-----w- c:\program files\NHN USA
2009-07-05 22:29 . 2009-05-26 21:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-07-05 22:29 . 2009-05-13 00:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-07-05 22:29 . 2008-06-12 03:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-07-05 22:29 . 2008-04-23 18:02 157152 ----a-w- c:\windows\system32\PubPlugin.dll
2009-07-05 18:53 . 2009-07-05 18:53 -------- d-----w- c:\documents and settings\Marcin\Application Data\Turbine
2009-07-05 18:53 . 2009-07-05 18:53 129 ----a-w- c:\documents and settings\Marcin\Local Settings\Application Data\fusioncache.dat
2009-07-05 18:53 . 2009-07-05 18:53 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\Turbine
2009-07-05 18:53 . 2009-07-21 00:19 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\ApplicationHistory
2009-07-05 18:28 . 2009-07-05 18:28 -------- d-----w- c:\program files\Turbine
2009-07-05 04:15 . 2009-07-26 00:53 -------- d-----w- c:\documents and settings\Marcin\Local Settings\Application Data\PMB Files
2009-07-05 04:15 . 2009-07-25 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-07-05 04:15 . 2009-07-05 04:15 -------- d-----w- c:\program files\Pando Networks
2009-07-02 18:55 . 2009-07-02 18:55 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-07-01 21:57 . 2009-07-01 22:09 -------- d-----w- c:\program files\ATITool
2009-06-28 22:04 . 2009-06-28 22:04 -------- d-----w- c:\program files\WallpaperToy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 18:42 . 2009-05-04 21:54 -------- d-----w- c:\documents and settings\Marcin\Application Data\uTorrent
2009-07-26 07:10 . 2009-06-04 21:13 -------- d-----w- c:\program files\Microsoft Games
2009-07-26 01:50 . 2009-05-04 21:47 -------- d-----w- c:\documents and settings\Marcin\Application Data\Xfire
2009-07-25 22:37 . 2009-05-04 21:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-24 03:37 . 2009-05-23 02:30 -------- d-----w- c:\documents and settings\Marcin\Application Data\foobar2000
2009-07-24 01:49 . 2009-05-04 21:47 -------- d-----w- c:\program files\Xfire
2009-07-24 00:11 . 2009-07-23 20:14 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-07-24 00:09 . 2009-07-23 19:40 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-07-23 19:40 . 2003-03-18 23:05 106496 ----a-w- c:\windows\system32\ATL71.DLL
2009-07-23 06:12 . 2009-05-04 22:20 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-23 03:00 . 2009-05-04 22:59 -------- d-----w- c:\program files\a-squared Free
2009-07-22 01:41 . 2009-07-12 18:44 -------- d-----w- c:\documents and settings\Marcin\Application Data\Folding@home-x86
2009-07-22 01:41 . 2009-05-12 02:53 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 07:18 . 2009-07-12 18:28 -------- d-----w- c:\documents and settings\Marcin\Application Data\Folding@home-gpu
2009-07-18 02:15 . 2009-05-05 20:35 -------- d-----w- c:\program files\Rockstar Games
2009-07-17 21:21 . 2009-05-10 04:31 -------- d-----w- c:\documents and settings\Marcin\Application Data\FileZilla
2009-07-17 02:27 . 2009-05-04 21:34 76096 ----a-w- c:\documents and settings\Marcin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 00:41 . 2009-05-15 01:49 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-17 00:28 . 2009-06-15 16:41 -------- d-----w- c:\program files\Activision
2009-07-17 00:28 . 2009-05-25 19:17 -------- d-----w- c:\program files\PlaneShift Steel Blue
2009-07-17 00:26 . 2009-05-24 07:42 -------- d-----w- c:\program files\Facade
2009-07-15 02:27 . 2009-06-08 02:45 22 ----a-w- c:\windows\popcinfot.dat
2009-07-15 02:27 . 2009-06-07 20:55 -------- d-----w- c:\program files\Peggle Nights Deluxe
2009-07-12 19:17 . 2009-05-04 21:42 -------- d-----w- c:\program files\ATI Technologies
2009-07-12 18:44 . 2009-07-12 18:44 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_6FEFF9B68218417F98F549.exe
2009-07-12 18:44 . 2009-07-12 18:44 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
2009-07-12 18:44 . 2009-07-12 18:44 10134 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_D153F602E769D1960CE13B.exe
2009-07-12 18:44 . 2009-07-12 18:28 -------- d-----w- c:\program files\Folding@home
2009-07-12 18:39 . 2009-07-12 18:39 -------- d-----w- c:\documents and settings\Marcin\Application Data\FahMon
2009-07-12 18:38 . 2009-07-12 18:38 -------- d-----w- c:\program files\FahMon
2009-07-12 18:30 . 2009-07-12 18:30 3203072 ----a-w- c:\documents and settings\Marcin\Application Data\Folding@home-gpu\FahCore_11.exe
2009-07-12 18:28 . 2009-07-12 18:28 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6A90C837-054E-44AE-B9BD-1B1F87986BBC}\_98830A63A82EB98D7BA198.exe
2009-07-12 18:28 . 2009-07-12 18:28 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6A90C837-054E-44AE-B9BD-1B1F87986BBC}\_6FEFF9B68218417F98F549.exe
2009-07-12 18:28 . 2009-07-12 18:28 98477 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6A90C837-054E-44AE-B9BD-1B1F87986BBC}\_1810542788961D6D988517.exe
2009-07-12 18:28 . 2009-07-12 18:28 10134 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{6A90C837-054E-44AE-B9BD-1B1F87986BBC}\_B97F7EA90C9BD73A9EC027.exe
2009-07-10 04:35 . 2009-05-05 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\BOINC
2009-07-10 04:34 . 2009-06-19 17:03 97 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\0\astronomy_0.19_ATI_SSE2f.exe
2009-07-10 04:34 . 2009-06-19 17:03 78 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\0\brook.dll
2009-07-10 04:33 . 2009-06-19 18:06 97 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\1\astronomy_0.19_ATI_SSE2f.exe
2009-07-10 04:33 . 2009-06-19 18:06 78 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\1\brook.dll
2009-06-28 05:40 . 2009-06-22 20:40 -------- d-----w- c:\program files\HooTech
2009-06-26 17:39 . 2009-06-24 00:00 -------- d-----w- c:\documents and settings\Marcin\Application Data\DeskSoft
2009-06-26 17:33 . 2009-06-25 16:02 -------- d-----w- c:\program files\Common Files\Common Share
2009-06-26 17:33 . 2009-06-25 16:02 -------- d-----w- c:\program files\Gabest
2009-06-25 20:34 . 2009-06-25 20:14 34 ----a-w- c:\documents and settings\Marcin\jagex_runescape_preferences.dat
2009-06-25 16:08 . 2009-06-25 16:08 -------- d-----w- c:\documents and settings\Marcin\Application Data\Media Player Classic
2009-06-25 03:01 . 2009-06-25 03:01 598 ----a-w- c:\windows\eReg.dat
2009-06-25 02:55 . 2009-06-25 02:55 -------- d-----w- c:\program files\Maxis
2009-06-25 01:59 . 2009-06-04 21:41 -------- d-----w- c:\documents and settings\Marcin\Application Data\Hamachi
2009-06-25 01:41 . 2009-05-23 02:30 -------- d-----w- c:\program files\foobar2000
2009-06-25 01:24 . 2009-06-25 01:24 -------- d-----w- c:\program files\MKVtoolnix
2009-06-24 00:00 . 2009-06-24 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\DeskSoft
2009-06-22 20:49 . 2009-06-22 20:49 -------- d-----w- c:\program files\FXBear Converter
2009-06-19 22:32 . 2009-05-12 01:36 -------- d-----w- c:\documents and settings\Marcin\Application Data\Mount&Blade
2009-06-19 22:32 . 2009-05-12 01:35 -------- d-----w- c:\program files\Mount&Blade
2009-06-19 21:44 . 2009-06-19 21:44 -------- d-----w- c:\program files\PortableMudMaster
2009-06-16 14:36 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 19:32 . 2009-05-05 19:49 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-06-15 19:32 . 2009-05-05 19:49 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-06-14 00:51 . 2009-06-14 00:51 -------- d-----w- c:\documents and settings\Marcin\Application Data\Soldat
2009-06-14 00:16 . 2009-06-14 00:16 -------- d-----w- c:\documents and settings\Marcin\Application Data\Teeworlds
2009-06-12 00:27 . 2009-05-17 15:25 1734 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-09 21:31 . 2009-06-09 21:30 -------- d-----w- c:\program files\RivaTuner v2.24
2009-06-09 21:23 . 2009-06-09 21:23 -------- d-----w- c:\documents and settings\Marcin\Application Data\atitray
2009-06-09 21:23 . 2009-06-09 21:23 -------- d-----w- c:\program files\Ray Adams
2009-06-07 03:55 . 2009-06-07 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ElectricSheep
2009-06-06 21:23 . 2009-06-06 21:22 -------- d-----w- c:\program files\Peggle Extreme
2009-06-06 16:02 . 2009-06-06 16:02 -------- d-----w- c:\program files\Apache Software Foundation
2009-06-05 20:46 . 2009-06-06 00:16 1265664 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\milkyway.cs.rpi.edu_milkyway\astronomy_0.19_ATI_SSE2f.exe
2009-06-05 11:14 . 2009-06-05 11:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-04 21:57 . 2009-06-04 21:57 -------- d-----w- c:\documents and settings\Marcin\Application Data\GameRanger
2009-06-04 21:48 . 2009-06-04 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3
2009-06-04 21:41 . 2009-06-04 21:41 -------- d-----w- c:\program files\Hamachi
2009-06-04 21:41 . 2009-06-04 21:41 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-06-04 21:12 . 2009-05-04 21:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-03 20:31 . 2009-06-03 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-06-03 20:27 . 2009-06-03 20:26 -------- d-----w- c:\program files\Verizon
2009-06-03 20:26 . 2009-06-03 20:26 -------- d-----w- c:\documents and settings\Marcin\Application Data\Motive
2009-06-03 20:26 . 2009-06-03 20:25 -------- d-----w- c:\program files\Common Files\Motive
2009-06-03 19:42 . 2009-06-03 19:42 -------- d-----w- c:\program files\WinDirStat
2009-06-03 19:09 . 2008-04-14 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 21:53 . 2009-06-02 21:52 3125607 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\grompp_4.37_windows_intelx86.exe
2009-06-02 21:52 . 2009-06-02 21:52 3089478 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\mdrun_4.37_windows_intelx86.exe
2009-06-02 21:52 . 2009-06-02 21:51 2793472 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\wrapper_graphics_4.37_windows_intelx86.exe
2009-06-02 21:52 . 2009-06-02 21:51 2775594 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\wrapper_4.37_windows_intelx86.exe
2009-06-02 21:51 . 2009-06-02 21:51 84480 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\zip_4.37_windows_intelx86.exe
2009-06-02 21:51 . 2009-06-02 21:51 164864 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\unzip_4.37_windows_intelx86.exe
2009-06-02 21:51 . 2009-06-02 21:51 1621020 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\nanoluz_3.14_windows_intelx86.exe
2009-06-02 21:51 . 2009-06-02 21:51 120832 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\unzip_3.14_windows_intelx86.exe
2009-06-02 21:51 . 2009-06-02 21:51 2792960 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\wrapper_graphics_3.14_windows_intelx86.exe
2009-06-02 21:51 . 2009-06-02 21:51 2775594 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\wrapper_3.14_windows_intelx86.exe
2009-06-02 21:51 . 2009-06-02 21:51 84480 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\registro.ibercivis.es\zip_3.14_windows_intelx86.exe
2009-06-02 21:29 . 2009-05-14 20:16 -------- d-----w- c:\documents and settings\Marcin\Application Data\mIRC
2009-06-02 21:22 . 2009-05-14 20:16 -------- d-----w- c:\program files\mIRC
2009-05-31 22:46 . 2009-05-15 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-30 20:21 . 2009-05-30 20:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-30 18:27 . 2009-05-30 18:26 -------- d-----w- c:\program files\SpeederXP
2009-05-29 00:21 . 2009-05-29 00:21 28672 ----a-r- c:\documents and settings\Marcin\Application Data\Microsoft\Installer\{D4685ED2-93BE-45C6-AD27-0AA11ED84795}\_BBD8966ED731_4A6E_AE81_A87CEE3E6DF7.exe
2009-05-25 21:57 . 2009-05-15 01:51 1 ----a-w- c:\documents and settings\Marcin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-12 16:07 . 2009-05-04 21:38 131584 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-25_19.40.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-26 18:42 . 2009-07-26 18:42 16384 c:\windows\temp\Perflib_Perfdata_798.dat
+ 2009-07-25 21:12 . 2009-07-25 21:12 16384 c:\windows\temp\Perflib_Perfdata_288.dat
+ 2009-05-04 16:26 . 2009-07-26 18:41 295664 c:\windows\system32\FNTCACHE.DAT
+ 2009-05-22 20:32 . 2008-09-27 04:00 230752 c:\windows\patchw32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-04-08 21:05 739688 ----a-w- c:\progra~1\Microsoft Office\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24\RivaTuner.exe" [2009-02-25 2781184]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-05-16 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-05-16 55856]

c:\documents and settings\Marcin\Start Menu\Programs\Startup\
Shortcut to Folding@home-x86.exe.lnk - c:\program files\Folding@home\Folding@home-x86\Folding@home.exe [2008-11-26 449536]
Shortcut to Folding@home.exe.lnk - c:\program files\Folding@home\Folding@home-gpu\Folding@home.exe [2008-11-26 452608]
Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2009-6-28 110592]
µTorrent.lnk - c:\program files\uTorrent\uTorrent.exe [2009-5-4 288048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^GameRanger.lnk]
path=c:\documents and settings\Marcin\Start Menu\Programs\Startup\GameRanger.lnk
backup=c:\windows\pss\GameRanger.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Marcin\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Marcin^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Marcin\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"WSearch"=2 (0x2)
"CiSvc"=3 (0x3)
"Microsoft SharePoint Workspace Audit Service"=3 (0x3)
"ose"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"McciCMService"=2 (0x2)
"Apache2.2"=2 (0x2)
"IDriverT"=3 (0x3)
"a2free"=2 (0x2)
"npggsvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Marcin\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
"c:\\Soldat\\Soldat.exe"=
"c:\\Program Files\\PortableMudMaster\\MudMaster.exe"=
"c:\\Program Files\\Xfire\\dppm_source.exe"=
"c:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\ijjigame\\ExLauncher.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\ijji\\ENGLISH\\OutBound_Pul.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Qtracker\\qtracker.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Cain\\Cain.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57591:TCP"= 57591:TCP:Pando Media Booster
"57591:UDP"= 57591:UDP:Pando Media Booster

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R2 osppsvc;Office Software Protection Platform;c:\windows\system32\OSPPSVC.EXE [4/8/2009 4:37 PM 4319136]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 7:40 PM 84992]
S0 cerc6;cerc6; [x]
S2 CachemanService;Cacheman Service;c:\program files\Cacheman\CachemanServ.exe --> c:\program files\Cacheman\CachemanServ.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 11:35 AM 50704]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [4/25/2009 7:18 PM 33480048]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-26 c:\windows\Tasks\User_Feed_Synchronization-{892D7CDE-32B1-4751-A6A6-1CDBB822555B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

2009-07-26 c:\windows\Tasks\User_Feed_Synchronization-{D9810FF7-11F1-4EDA-8FF9-D92593443F48}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: {{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Marcin\Application Data\Mozilla\Firefox\Profiles\bem2isc0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=mpues&hl=en
FF - component: c:\documents and settings\Marcin\Application Data\Mozilla\Firefox\Profiles\bem2isc0.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 14:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-117609710-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:12,f1,5b,4f,76,2d,5a,cd,71,2c,dc,24,87,3b,f6,fb,7b,7b,ad,b0,0b,
44,f4,7c,2e,fa,a9,7c,dc,66,99,a9,d7,98,e9,e6,6b,5a,65,bc,5c,5f,a8,74,09,7d,\
"rkeysecu"=hex:33,cd,5c,0b,99,0e,80,28,e5,7f,72,c5,f8,cc,3e,8d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3452)
c:\windows\system32\WININET.dll
c:\progra~1\Microsoft Office\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Folding@home\Folding@home-x86\FahCore_7c.exe
c:\program files\Folding@home\Folding@home-gpu\FahCore_11.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
.
**************************************************************************
.
Completion time: 2009-07-26 14:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 18:46
ComboFix2.txt 2009-07-25 19:41

Pre-Run: 207,319,470,080 bytes free
Post-Run: 207,243,821,056 bytes free

487 --- E O F --- 2009-07-21 23:31



HijackThis did not display those O17 lines. I'm starting the Kaspersky scan now.

Edited by Beremat, 26 July 2009 - 01:47 PM.


#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:01 PM

Posted 26 July 2009 - 01:52 PM

HijackThis did not display those O17 lines. I'm starting the Kaspersky scan now.

Okay :thumbup2:

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 Beremat

Beremat
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:01 PM

Posted 26 July 2009 - 07:14 PM

I attached the Kaspersky results to the post (it saved an HTML file.) It looks like there are still some things left over. Any special ways to take care of them or can I just delete them?




#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:01 PM

Posted 27 July 2009 - 05:43 AM

Hello, Beremat.
There seems to be only one file of concern at the moment.

It is this one:
C:\Program Files\FXBear Converter\FX Bear Converter.exe

Do you recognize it?

NEXT:

We need to run a Jotti scan

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  • Go to the Jotti website
  • When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

    C:\Program Files\FXBear Converter\FX Bear Converter.exe

  • Please post back the results of the scan in your next post.
**Note: If Jotti is busy, try the same at Virustotal
**Note: No logs will be produced. You can either copy/paste the results into your reply, or you can state the infection found (if any) and the scanner that found it


In your next reply, please include the following:
  • Jotti Log(s)

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#13 Beremat

Beremat
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:01 PM

Posted 28 July 2009 - 01:37 PM

http://www.virustotal.com/analisis/d42eeaf...e728-1231837199

#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:01 PM

Posted 29 July 2009 - 04:12 AM

Hi Beremat!

Did you install this program by yourself? Do you recognize it?

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#15 Beremat

Beremat
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:02:01 PM

Posted 29 July 2009 - 02:33 PM

Hi Beremat!

Did you install this program by yourself? Do you recognize it?

Well, yeah, I installed it, it was supposed to be a music converter, but it never worked and I never managed to remove it. I tried deleting it, but it just installs itself again. The virus scan is right, it is a virus.

Edited by Beremat, 29 July 2009 - 02:34 PM.




