Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected – search results redirected, random pop ups


  • This topic is locked This topic is locked
21 replies to this topic

#1 Rhawn

Rhawn

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 15 March 2010 - 06:09 PM

Creating a new post per request from post in the "Am I infected forum". Here is that post: http://www.bleepingcomputer.com/forums/ind...p;#entry1661463

Thanks in advance for your assistance. Here are the requested logs:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rhawn at 17:58:27.23 on Mon 03/15/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.127 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
D:\program files\steam\steam.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
D:\Program Files\Pandora\Pandora.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Sony Online Entertainment\Station Launcher\StationLauncher.exe
D:\Program Files\Sony Games\Everquest II\EverQuest2.exe
D:\Program Files\Sony Games\Everquest II\EQ2VoiceService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rhawn\My Documents\dds.scr

============== Pseudo HJT Report ===============

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] d:\program files\download manager\dlm.exe /windowsstart /startifwork
uRun: [PlayNC Launcher]
uRun: [Steam] "d:\program files\steam\steam.exe" -silent
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: []
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "d:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\rhawn\startm~1\programs\startup\pandora.lnk - d:\program files\pandora\Pandora.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - d:\program files\pixela\imagemixer 3 se ver.3\CameraMonitor.exe
IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rhawn\applic~1\mozilla\firefox\profiles\rj1fih81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\rhawn\application data\mozilla\firefox\profiles\rj1fih81.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\rhawn\application data\mozilla\firefox\profiles\rj1fih81.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\rhawn\application data\mozilla\firefox\profiles\rj1fih81.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\rhawn\application data\mozilla\firefox\profiles\rj1fih81.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\sony online entertainment\npsoe.dll
FF - plugin: d:\program files\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-3-23 13696]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-11-16 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-27 12672]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-6-17 47640]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\d:\program files\logmein\x86\rainfo.sys --> d:\program files\logmein\x86\RaInfo.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-4-9 30192]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-03-11 16:41:45 0 d-sh--w- C:\found.000
2010-03-11 15:18:53 65 ----a-w- c:\windows\system32\tmp.files0
2010-03-11 13:55:22 0 d-----w- c:\documents and settings\rhawn\DoctorWeb
2010-03-10 04:33:39 0 d-----w- c:\program files\Sony Online Entertainment
2010-03-09 16:21:28 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-09 16:21:19 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-09 16:21:18 0 d-----w- c:\docume~1\rhawn\applic~1\SUPERAntiSpyware.com
2010-03-07 01:32:11 0 ----a-w- c:\documents and settings\rhawn\defogger_reenable
2010-03-06 17:13:38 0 d-----w- c:\program files\TrendMicro
2010-03-04 02:14:00 0 d-----w- c:\program files\ESET
2010-03-03 05:36:59 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-03 04:14:47 0 d-----w- c:\program files\AVG
2010-03-03 01:02:51 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-20 16:07:26 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2010-02-20 16:07:25 0 d-----w- c:\docume~1\rhawn\applic~1\AVS4YOU
2010-02-20 16:06:43 0 d-----w- c:\program files\AVS4YOU
2010-02-20 16:06:06 0 d-----w- c:\program files\common files\AVSMedia
2010-02-20 16:05:52 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-02-20 16:05:52 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-02-20 16:05:52 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-02-20 16:05:52 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-02-20 16:05:52 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

==================== Find3M ====================

2010-03-13 06:52:53 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-29 03:10:53 138056 ----a-w- c:\docume~1\rhawn\applic~1\PnkBstrK.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

============= FINISH: 17:59:49.82 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-15 18:46:26
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Rhawn\LOCALS~1\Temp\axddrpob.sys


---- System - GMER 1.0.15 ----

SSDT 89221A70 ZwAssignProcessToJobObject
SSDT 892225F0 ZwDebugActiveProcess
SSDT 89222020 ZwDuplicateObject
SSDT 892211B0 ZwOpenProcess
SSDT 892214B0 ZwOpenThread
SSDT 89221EB0 ZwProtectVirtualMemory
SSDT 89221D50 ZwSetContextThread
SSDT 89221BD0 ZwSetInformationThread
SSDT 8921EA90 ZwSetSecurityObject
SSDT 89221910 ZwSuspendProcess
SSDT 892217B0 ZwSuspendThread
SSDT 89221340 ZwTerminateProcess
SSDT 89221640 ZwTerminateThread
SSDT 89222440 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89C3ECA1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files



BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:43 PM

Posted 17 March 2010 - 08:22 PM

Hello, Rhawn.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for smile.gif
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 Rhawn

Rhawn
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 18 March 2010 - 10:01 AM

aommaster,

Thank you very much for your reply. I understand that I was not supposed to make any changes to my infected computer. However, just 2 days ago, on the 16th, my issue went from search results redirected to a full on viral assault. I was unable to run any executables, fake virus programs were popping up and taking over my pc. Unable to use my pc, I attempted to use a couple methods from my original post. I apologize for doing what I did, but my pc was completely jacked up.

Here is exactly what I did:
I shut down the pc, and started it in Safe Mode.
I ran rkill.scr
I ran Malware Bytes and did a quick scan. It found several things, I posted the log below.
I ran SuperAntiSpyware, which found several things, but I did not get a log captured.

Surprisingly, the search redirect issue, as well as the full on attack seems to be cleared up. However, I still am having issue, as several of my applications are unable to connect to the internet. I am able to browse, but apps like Digsby and Station Launcher cannot connect.

I will run the requested programs now and add the logs in another reply.




Malwarebytes' Anti-Malware 1.44
Database version: 3853
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

3/16/2010 3:36:07 PM
mbam-log-2010-03-16 (15-36-07).txt

Scan type: Quick Scan
Objects scanned: 132892
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wijkusgy (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\KPkq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:43 PM

Posted 18 March 2010 - 10:09 AM

Hi!

No problem! Thanks for letting me know which steps you've taken so far. Post up the RSIT and GMER logs and we'll get you cleaned up smile.gif

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 Rhawn

Rhawn
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 18 March 2010 - 01:26 PM

Adding requested logs:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Rhawn at 2010-03-18 11:02:07
Microsoft Windows XP Professional Service Pack 3
System drive C: has 25 GB (55%) free of 45 GB
Total RAM: 2046 MB (53% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074C1DC5-9320-4A9A-947D-C042949C6216}]
ContributeBHO Class - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-11 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - Contribute Toolbar - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-10-16 16855552]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
""= []
"amd_dc_opt"=C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe [2008-07-22 77824]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2008-04-28 570664]
"NBKeyScan"=D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2008-02-18 2221352]
"nwiz"=C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [2009-08-12 1657376]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-08-17 13877248]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-08-17 86016]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-11-19 623960]
"googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-04-09 30192]
"Adobe_ID0EYTHM"=C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [2007-03-20 1884160]
"Acrobat Assistant 8.0"=D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2007-05-10 624248]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-11-16 2054360]
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"igndlm.exe"=D:\Program Files\Download Manager\dlm.exe [2009-05-14 1103216]
"PlayNC Launcher"= []
"SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe [2008-02-28 1828136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ImageMixer 3 SE Camera Monitor Ver.3.lnk - D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe

C:\Documents and Settings\Rhawn\Start Menu\Programs\Startup
Pandora.lnk - D:\Program Files\Pandora\Pandora.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2008-10-16 87352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe:*:Enabled:Apache HTTP Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe"="C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"D:\Program Files\Ventrilo\Ventrilo.exe"="D:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"D:\Program Files\Steam\Steam.exe"="D:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"D:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe"="D:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"D:\Program Files\Electronic Arts\Battlefield Bad Company 2 - BETA\BFBC2BetaUpdater.exe"="D:\Program Files\Electronic Arts\Battlefield Bad Company 2 - BETA\BFBC2BetaUpdater.exe:*:Enabled:Battlefield Bad Company 2 - BETA"
"D:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe"="D:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe:*:Enabled:Call of Duty: Modern Warfare 2 - Multiplayer"
"D:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe"="D:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe:*:Enabled:Call of Duty: Modern Warfare 2"
"D:\Program Files\Steam\steamapps\common\borderlands\Binaries\Borderlands.exe"="D:\Program Files\Steam\steamapps\common\borderlands\Binaries\Borderlands.exe:*:Enabled:Borderlands"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"D:\Program Files\Digsby\lib\digsby-app.exe"="D:\Program Files\Digsby\lib\digsby-app.exe:*:Disabled:Digsby IM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-03-18 11:02:07 ----D---- C:\rsit
2010-03-16 15:26:10 ----A---- C:\WINDOWS\ntbtlog.txt
2010-03-11 12:41:45 ----SHD---- C:\found.000
2010-03-11 04:01:45 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-10 00:33:39 ----D---- C:\Program Files\Sony Online Entertainment
2010-03-09 12:21:28 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-09 12:21:19 ----D---- C:\Program Files\SUPERAntiSpyware
2010-03-09 12:21:18 ----D---- C:\Documents and Settings\Rhawn\Application Data\SUPERAntiSpyware.com
2010-03-06 13:13:38 ----D---- C:\Program Files\TrendMicro
2010-03-04 13:26:12 ----A---- C:\RootRepeal report 03-04-10 (12-26-12).txt
2010-03-04 11:06:21 ----A---- C:\RootRepeal report 03-04-10 (10-06-21).txt
2010-03-03 22:14:00 ----D---- C:\Program Files\ESET
2010-03-03 22:14:00 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2010-03-03 00:14:47 ----D---- C:\Program Files\AVG
2010-02-24 04:00:16 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-20 12:07:26 ----D---- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2010-02-20 12:07:25 ----D---- C:\Documents and Settings\Rhawn\Application Data\AVS4YOU
2010-02-20 12:06:43 ----D---- C:\Program Files\AVS4YOU
2010-02-20 12:06:06 ----D---- C:\Program Files\Common Files\AVSMedia
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\msxml3a.dll
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\msvcr70.dll
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\msvcp70.dll
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\mfc70.dll
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\GdiPlus.dll

======List of files/folders modified in the last 1 months======

2010-03-18 11:01:30 ----D---- C:\WINDOWS\Temp
2010-03-18 10:55:48 ----D---- C:\WINDOWS\Prefetch
2010-03-17 20:47:08 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-17 08:57:52 ----SHD---- C:\WINDOWS\Installer
2010-03-17 08:57:50 ----D---- C:\Program Files\Mozilla Firefox
2010-03-17 08:57:39 ----HD---- C:\Program Files\InstallShield Installation Information
2010-03-16 21:03:00 ----D---- C:\WINDOWS\system32
2010-03-16 21:03:00 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-16 15:38:52 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-16 15:37:17 ----D---- C:\WINDOWS\system32\drivers
2010-03-16 15:26:10 ----D---- C:\WINDOWS
2010-03-16 10:33:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-11 12:36:10 ----RSH---- C:\boot.ini
2010-03-11 12:36:10 ----A---- C:\WINDOWS\win.ini
2010-03-11 12:36:10 ----A---- C:\WINDOWS\system.ini
2010-03-11 04:01:48 ----D---- C:\Program Files\Movie Maker
2010-03-11 04:01:35 ----HD---- C:\WINDOWS\inf
2010-03-11 04:01:33 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-11 04:00:24 ----D---- C:\WINDOWS\Debug
2010-03-10 00:33:39 ----RD---- C:\Program Files
2010-03-09 12:21:02 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-03-05 15:24:11 ----A---- C:\WINDOWS\NeroDigital.ini
2010-03-03 21:53:25 ----SD---- C:\Documents and Settings\Rhawn\Application Data\Microsoft
2010-03-03 00:09:15 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2010-03-03 00:09:08 ----D---- C:\Program Files\Common Files
2010-03-03 00:04:16 ----SD---- C:\WINDOWS\Tasks
2010-03-02 15:28:59 ----D---- C:\Documents and Settings
2010-03-02 15:24:37 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-02 08:59:17 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-02 08:52:48 ----D---- C:\Program Files\SpywareBlaster
2010-03-02 01:30:12 ----A---- C:\WINDOWS\system32\MRT.exe
2010-02-25 21:23:22 ----D---- C:\Documents and Settings\Rhawn\Application Data\Adobe
2010-02-25 12:28:49 ----D---- C:\Documents and Settings\Rhawn\Application Data\Sony Online Entertainment
2010-02-21 20:04:55 ----D---- C:\WINDOWS\system32\Restore
2010-02-21 13:58:00 ----D---- C:\Documents and Settings\Rhawn\Application Data\ZoomBrowser EX
2010-02-20 12:06:12 ----RSD---- C:\WINDOWS\Fonts

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 BIOS;BIOS; \??\C:\WINDOWS\system32\drivers\BIOS.sys []
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-11-16 96408]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R2 cpuz132;cpuz132; \??\C:\WINDOWS\system32\drivers\cpuz132_x32.sys []
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-11-16 116520]
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys [2007-06-29 34304]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-10-16 4615168]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-07-24 10144]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-08-17 7729568]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-11-27 58368]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-11-27 19968]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2009-01-09 27136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S2 LMIInfo;LogMeIn Kernel Information Provider; \??\D:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-05-20 22784]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\system32\drivers\rootrepeal.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2007-01-31 96370]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
R2 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2006-04-13 20543]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-17 153376]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2008-02-18 877864]
R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2006-11-27 135221]
R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2006-11-27 65593]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-08-17 168004]
R2 PLFlash DeviceIoControl Service;PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [2006-12-19 81920]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-05-01 654848]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-02-28 529704]
S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-11-16 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-04-09 30192]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 npggsvc;nProtect GameGuard Service; C:\WINDOWS\system32\GameMon.des [2009-08-30 3407412]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\wmpnetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-03-18 11:02:11

======Uninstall list======

-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->D:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->MsiExec /X{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Add or Remove Adobe Creative Suite 3 Master Collection-->C:\Program Files\Common Files\Adobe\Installers\4dcfd9b7e901b57f81f667144603236\Setup.exe
Adobe After Effects CS3 Presets-->MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}
Adobe After Effects CS3-->MsiExec.exe /I{EB0202F7-016A-410C-ADE4-40F848CCC661}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3-->MsiExec.exe /I{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Contribute CS3-->MsiExec.exe /I{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}
Adobe Creative Suite 3 Master Collection-->MsiExec.exe /I{8718DC03-D066-4957-94E5-50C3C5042E8E}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3-->MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe Encore CS3 Codecs-->MsiExec.exe /I{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}
Adobe Encore CS3-->MsiExec.exe /I{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Extension Manager CS3-->MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Fireworks CS3-->MsiExec.exe /I{7DFC1012-D346-46CE-B03E-FF79125AE029}
Adobe Flash CS3-->MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Video Encoder-->MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe InDesign CS3-->MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files-->MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Premiere Pro CS3 Functional Content-->MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}
Adobe Premiere Pro CS3 Third Party Content-->MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}
Adobe Premiere Pro CS3-->MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Setup-->MsiExec.exe /I{4458C442-7376-4CF9-AF58-E8CEA6722363}
Adobe SING CS3-->MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Soundbooth CS3 Codecs-->MsiExec.exe /I{0327FA9D-975C-448C-A086-577D57BB25B8}
Adobe Soundbooth CS3-->MsiExec.exe /I{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Version Cue CS3 Server-->MsiExec.exe /I{1D58229F-C505-45CA-8223-F35F3A34B963}
Adobe Video Profiles-->MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3-->MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3-->MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3-->MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
AHV content for Acrobat and Flash-->MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
AVS Update Manager 1.0-->"C:\Program Files\AVS4YOU\AVSUpdateManager\unins000.exe"
AVS Video Editor 4-->"D:\Program Files\AVS4YOU\AVSVideoEditor\unins000.exe"
AVS Video Recorder 2.4-->"C:\Program Files\AVS4YOU\AVSVideoRecorder\unins000.exe"
AVS YouTube Uploader version 2.1-->"C:\Program Files\AVS4YOU\AVSYouTubeUploader\unins000.exe"
AVS4YOU Software Navigator 1.3-->"C:\Program Files\AVS4YOU\AVSSoftwareNavigator\unins000.exe"
BlackBerry Desktop Software 5.0.1-->MsiExec.exe /I{205A5182-EFC8-4C25-B61D-C164F8FF4048}
BlackBerry Desktop Software 5.0.1-->MsiExec.exe /i{205A5182-EFC8-4C25-B61D-C164F8FF4048}
Borderlands-->"D:\Program Files\Steam\steam.exe" steam://uninstall/8980
Buddy Adder Pro-->MsiExec.exe /I{F177280E-5B21-47FF-B5D0-6451B1426D42}
Bulk Rename Utility 2.7.1.1-->"d:\Program Files\Bulk Rename Utility\unins000.exe"
Call of Duty: Modern Warfare 2 - Multiplayer-->"D:\Program Files\Steam\steam.exe" steam://uninstall/10190
Canon Camera Access Library-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon RAW Image Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Utilities CameraWindow-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\CameraWindow\CameraWindowLauncher\Uninst.ini"
Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities MyCamera-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\CameraWindow\MyCamera\Uninst.ini"
Canon Utilities RemoteCapture Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Canon ZoomBrowser EX Memory Card Utility-->"C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\ZoomBrowser EX MCU\Uninst.ini"
CCleaner (remove only)-->"D:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
CPUID CPU-Z 1.52.2-->"d:\Program Files\CPUID\CPU-Z\unins000.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Digsby-->D:\Program Files\Digsby\uninstall.exe
Download Manager 2.3.8-->D:\Program Files\Download Manager\uninst.exe
Dual-Core Optimizer-->MsiExec.exe /X{9FD6F1A8-5550-46AF-8509-271DF0E768B5}
Easy Adder 3.43-->"d:\Program Files\Easy Adder\unins000.exe"
EQ2MAP Updater 1.2.4-->D:\Program Files\EQ2MAP Updater\uninst.exe
FileZilla Client 3.2.7.1-->d:\Program Files\FileZilla FTP Client\uninstall.exe
FriendBlasterPro-->"C:\Program Files\FriendBlasterPro\unins000.exe"
Global Agenda Live-->"D:\Program Files\Steam\steam.exe" steam://uninstall/17020
Google AdWords Editor-->MsiExec.exe /I{F6249ABF-F16D-4AF3-8755-4D62F799C238}
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Talk (remove only)-->"C:\Program Files\Google\Google Talk\uninstall.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HiJackThis-->MsiExec.exe /X{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Image Resizer Powertoy for Windows XP-->MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
ImageMixer 3 SE Ver.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A95D49D-0076-4DB7-A91E-0E685DC6D6AD}\setup.exe" -l0x9 UNINSTALL -removeonly
ImgBurn-->"D:\Program Files\ImgBurn\uninstall.exe"
Java™ 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
JoomlaPack Native Tools 2009.4-->"D:\Program Files\JoomlaPack Native Tools\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4AA3D64E-9EC3-4B0F-AB91-5885AC55641F}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{FD052FB9-FE90-4438-B355-15EDC89D8FB1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Munch My Articles-->"C:\Program Files\SEO Munchies\Munch My Articles\includes\uninst\unins000.exe"
NCsoft Launcher-->"C:\Program Files\InstallShield Installation Information\{C9FB868B-2086-4EE2-BD4F-BFBA36B131F4}\setup.exe" -runfromtemp -l0x0009 -removeonly
Nero 8-->MsiExec.exe /X{3C5F1B30-B10B-4579-86DD-D00F662E1033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA ForceWare Network Access Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
NVIDIA nView Desktop Manager-->C:\Program Files\NVIDIA Corporation\nView\nViewSetup.exe -uninstall
NVIDIA PhysX-->MsiExec.exe /X{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}
Pandora-->msiexec /qb /x {BF4A5346-599E-E1A8-99C4-E46DA044A6A2}
Pandora-->MsiExec.exe /I{BF4A5346-599E-E1A8-99C4-E46DA044A6A2}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
RocketDock 1.3.5-->"D:\Program Files\RocketDock\unins000.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB976325)-->"C:\WINDOWS\ie7updates\KB976325-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB978207)-->"C:\WINDOWS\ie7updates\KB978207-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
SEO PowerSuite-->"D:\Program Files\SEO PowerSuite\Uninstall.exe"
Skype web features-->MsiExec.exe /I{F1362843-0E0E-4F74-8662-724CF101ADCE}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Spybot - Search & Destroy-->"D:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
Station Launcher-->"C:\Program Files\InstallShield Installation Information\{49668BEE-D721-449C-82D3-C7561945F706}\setup.exe" -runfromtemp -l0x0009 -removeonly
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 7 (KB976749)-->"C:\WINDOWS\ie7updates\KB976749-IE7\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Winamp-->"d:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->d:\Program Files\WinRAR\uninstall.exe
WinSCP 4.2.4 beta-->"D:\Program Files\WinSCP\unins000.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: ESET NOD32 Antivirus 4.0

======System event log======

Computer Name: RHAWN02
Event Code: 7034
Message: The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Record Number: 20491
Source Name: Service Control Manager
Time Written: 20100310090302.000000-300
Event Type: error
User:

Computer Name: RHAWN02
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 20490
Source Name: W32Time
Time Written: 20100310084351.000000-300
Event Type: warning
User:

Computer Name: RHAWN02
Event Code: 7000
Message: The LogMeIn Kernel Information Provider service failed to start due to the following error:
The system cannot find the path specified.


Record Number: 20455
Source Name: Service Control Manager
Time Written: 20100309185108.000000-300
Event Type: error
User:

Computer Name: RHAWN02
Event Code: 49
Message: Configuring the Page file for crash dump failed. Make sure there is a page
file on the boot partition and that is large enough to contain all physical
memory.

Record Number: 20452
Source Name: Ftdisk
Time Written: 20100309185053.000000-300
Event Type: error
User:

Computer Name: RHAWN02
Event Code: 45
Message: The system could not sucessfully load the crash dump driver.

Record Number: 20451
Source Name: Ftdisk
Time Written: 20100309185053.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: RHAWN02
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 8830
Source Name: PerfDisk
Time Written: 20100122034841.000000-300
Event Type: warning
User:

Computer Name: RHAWN02
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 8829
Source Name: PerfDisk
Time Written: 20100122034841.000000-300
Event Type: warning
User:

Computer Name: RHAWN02
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 8828
Source Name: PerfDisk
Time Written: 20100122034840.000000-300
Event Type: warning
User:

Computer Name: RHAWN02
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 8827
Source Name: PerfDisk
Time Written: 20100122034839.000000-300
Event Type: warning
User:

Computer Name: RHAWN02
Event Code: 2001
Message: Unable to read the disk performance information from the system.
Disk performance counters must be enabled for at least one
physical disk or logical volume in order for these counters to appear.
Disk performance counters can be enabled by using the Hardware Device Manager property pages.
Status code returned is data DWORD 0.

Record Number: 8826
Source Name: PerfDisk
Time Written: 20100122034838.000000-300
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-18 14:19:57
Windows 5.1.2600 Service Pack 3
Running: bxmqeqoe.exe; Driver: C:\DOCUME~1\Rhawn\LOCALS~1\Temp\axddrpob.sys


---- System - GMER 1.0.15 ----

SSDT 89218A70 ZwAssignProcessToJobObject
SSDT 892195F0 ZwDebugActiveProcess
SSDT 89219020 ZwDuplicateObject
SSDT 892181B0 ZwOpenProcess
SSDT 892184B0 ZwOpenThread
SSDT 89218EB0 ZwProtectVirtualMemory
SSDT 89218D50 ZwSetContextThread
SSDT 89218BD0 ZwSetInformationThread
SSDT 89215A90 ZwSetSecurityObject
SSDT 89218910 ZwSuspendProcess
SSDT 892187B0 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA39A320]
SSDT 89218640 ZwTerminateThread
SSDT 89219440 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89C42CA1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:43 PM

Posted 18 March 2010 - 03:53 PM

Hello, Rhawn.
Doesn't look like HJT downloaded. I'd like to see the log first before we proceed. So let's get a log now:

We need to download and run HijackThis
  1. Please go here to download HijackThis!
  2. Download the installer and install Hijackthis!
  3. Run HijackThis!
  4. Click Do a system scan and save a log file
  5. Once the scan is done, a log will appear
  6. Copy and paste its contents into your next reply

In your next reply, please include the following:
  • HijackThis Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 Rhawn

Rhawn
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 18 March 2010 - 04:13 PM

Thank for your response. Here is the requested log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:08 PM, on 3/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
D:\Program Files\Pandora\Pandora.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Sony Games\Everquest II\EverQuest2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
d:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Rhawn\LOCALS~1\Temp\Rar$EX00.406\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Pandora.lnk = D:\Program Files\Pandora\Pandora.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor Ver.3.lnk = D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 10708 bytes


#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:43 PM

Posted 18 March 2010 - 05:01 PM

Hello, Rhawn.
We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. ClickMode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to run TDSSKiller
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks and do not include the word "Code") Then press OK.
    CODE
    "%userprofile%\Desktop\TDSSKiller.exe" -l "%userprofile%\Desktop\TDSSKiller.txt" -v

    **Note:If it says "Hidden service detected" DO NOT type anything in. Just press Enter.
  4. When it is done, a log file should be created on your desktop called "TDSSKiller.txt" please copy and paste the contents of that file here

NEXT:

We need to use HijackThis to carry out a fix
  1. Click Start > Programs > Trend Micro > HijackThis!
  2. Click on Do a system scan only.
  3. Place a checkmark next to these lines (if still present).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


  4. Close all windows except HijackThis and click Fix Checked.
  5. Restart


NEXT:

Are you currently using any AV software?

In your next reply, please include the following:
  • TDSSKiller.txt
  • RSIT Log
  • Description of any remaining problems

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#9 Rhawn

Rhawn
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 18 March 2010 - 07:37 PM

Thank again for yet another helpful reply. Yes, I am using ESET NOD32 AV now. I did install it after this issue, I was using Mcafee when the issue occored.




20:21:00:359 2916 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
20:21:00:359 2916 ================================================================================
20:21:00:359 2916 SystemInfo:

20:21:00:359 2916 OS Version: 5.1.2600 ServicePack: 3.0
20:21:00:359 2916 Product type: Workstation
20:21:00:359 2916 ComputerName: RHAWN02
20:21:00:359 2916 UserName: Rhawn
20:21:00:359 2916 Windows directory: C:\WINDOWS
20:21:00:359 2916 Processor architecture: Intel x86
20:21:00:359 2916 Number of processors: 2
20:21:00:359 2916 Page size: 0x1000
20:21:00:359 2916 Boot type: Normal boot
20:21:00:359 2916 ================================================================================
20:21:00:359 2916 UnloadDriverW: NtUnloadDriver error 1
20:21:00:359 2916 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
20:21:00:500 2916 LoadDriverW: Driver already loaded
20:21:00:500 2916 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
20:21:00:500 2916 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:21:00:500 2916 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:00:500 2916 wfopen_ex: Trying to KLMD file open
20:21:00:500 2916 wfopen_ex: File opened ok (Flags 2)
20:21:00:500 2916 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:21:00:500 2916 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:00:500 2916 wfopen_ex: Trying to KLMD file open
20:21:00:500 2916 wfopen_ex: File opened ok (Flags 2)
20:21:00:500 2916 Initialize success
20:21:00:500 2916
20:21:00:500 2916 Scanning Services ...
20:21:00:687 2916 GetAdvancedServicesInfo: Raw services enum returned 331 services
20:21:00:687 2916
20:21:00:687 2916 Scanning Kernel memory ...
20:21:00:687 2916 Devices to scan: 5
20:21:00:687 2916
20:21:00:687 2916 Driver Name: Disk
20:21:00:687 2916 IRP_MJ_CREATE : B80EEBB0
20:21:00:687 2916 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:21:00:687 2916 IRP_MJ_CLOSE : B80EEBB0
20:21:00:687 2916 IRP_MJ_READ : B80E8D1F
20:21:00:687 2916 IRP_MJ_WRITE : B80E8D1F
20:21:00:687 2916 IRP_MJ_QUERY_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_SET_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_EA : 804F4562
20:21:00:687 2916 IRP_MJ_SET_EA : 804F4562
20:21:00:687 2916 IRP_MJ_FLUSH_BUFFERS : B80E92E2
20:21:00:687 2916 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_DEVICE_CONTROL : B80E93BB
20:21:00:687 2916 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECF28
20:21:00:687 2916 IRP_MJ_SHUTDOWN : B80E92E2
20:21:00:687 2916 IRP_MJ_LOCK_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_CLEANUP : 804F4562
20:21:00:687 2916 IRP_MJ_CREATE_MAILSLOT : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_SECURITY : 804F4562
20:21:00:687 2916 IRP_MJ_SET_SECURITY : 804F4562
20:21:00:687 2916 IRP_MJ_POWER : B80EAC82
20:21:00:687 2916 IRP_MJ_SYSTEM_CONTROL : B80EF99E
20:21:00:687 2916 IRP_MJ_DEVICE_CHANGE : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_QUOTA : 804F4562
20:21:00:687 2916 IRP_MJ_SET_QUOTA : 804F4562
20:21:00:687 2916 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:00:687 2916
20:21:00:687 2916 Driver Name: Disk
20:21:00:687 2916 IRP_MJ_CREATE : B80EEBB0
20:21:00:687 2916 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:21:00:687 2916 IRP_MJ_CLOSE : B80EEBB0
20:21:00:687 2916 IRP_MJ_READ : B80E8D1F
20:21:00:687 2916 IRP_MJ_WRITE : B80E8D1F
20:21:00:687 2916 IRP_MJ_QUERY_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_SET_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_EA : 804F4562
20:21:00:687 2916 IRP_MJ_SET_EA : 804F4562
20:21:00:687 2916 IRP_MJ_FLUSH_BUFFERS : B80E92E2
20:21:00:687 2916 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_DEVICE_CONTROL : B80E93BB
20:21:00:687 2916 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECF28
20:21:00:687 2916 IRP_MJ_SHUTDOWN : B80E92E2
20:21:00:687 2916 IRP_MJ_LOCK_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_CLEANUP : 804F4562
20:21:00:687 2916 IRP_MJ_CREATE_MAILSLOT : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_SECURITY : 804F4562
20:21:00:687 2916 IRP_MJ_SET_SECURITY : 804F4562
20:21:00:687 2916 IRP_MJ_POWER : B80EAC82
20:21:00:687 2916 IRP_MJ_SYSTEM_CONTROL : B80EF99E
20:21:00:687 2916 IRP_MJ_DEVICE_CHANGE : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_QUOTA : 804F4562
20:21:00:687 2916 IRP_MJ_SET_QUOTA : 804F4562
20:21:00:687 2916 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:00:687 2916
20:21:00:687 2916 Driver Name: Disk
20:21:00:687 2916 IRP_MJ_CREATE : B80EEBB0
20:21:00:687 2916 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:21:00:687 2916 IRP_MJ_CLOSE : B80EEBB0
20:21:00:687 2916 IRP_MJ_READ : B80E8D1F
20:21:00:687 2916 IRP_MJ_WRITE : B80E8D1F
20:21:00:687 2916 IRP_MJ_QUERY_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_SET_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_EA : 804F4562
20:21:00:687 2916 IRP_MJ_SET_EA : 804F4562
20:21:00:687 2916 IRP_MJ_FLUSH_BUFFERS : B80E92E2
20:21:00:687 2916 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_DEVICE_CONTROL : B80E93BB
20:21:00:687 2916 IRP_MJ_INTERNAL_DEVICE_CONTROL : B80ECF28
20:21:00:687 2916 IRP_MJ_SHUTDOWN : B80E92E2
20:21:00:687 2916 IRP_MJ_LOCK_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_CLEANUP : 804F4562
20:21:00:687 2916 IRP_MJ_CREATE_MAILSLOT : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_SECURITY : 804F4562
20:21:00:687 2916 IRP_MJ_SET_SECURITY : 804F4562
20:21:00:687 2916 IRP_MJ_POWER : B80EAC82
20:21:00:687 2916 IRP_MJ_SYSTEM_CONTROL : B80EF99E
20:21:00:687 2916 IRP_MJ_DEVICE_CHANGE : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_QUOTA : 804F4562
20:21:00:687 2916 IRP_MJ_SET_QUOTA : 804F4562
20:21:00:687 2916 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:00:687 2916
20:21:00:687 2916 Driver Name: atapi
20:21:00:687 2916 IRP_MJ_CREATE : B7F156F2
20:21:00:687 2916 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:21:00:687 2916 IRP_MJ_CLOSE : B7F156F2
20:21:00:687 2916 IRP_MJ_READ : 804F4562
20:21:00:687 2916 IRP_MJ_WRITE : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_SET_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_EA : 804F4562
20:21:00:687 2916 IRP_MJ_SET_EA : 804F4562
20:21:00:687 2916 IRP_MJ_FLUSH_BUFFERS : 804F4562
20:21:00:687 2916 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:21:00:687 2916 IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_DEVICE_CONTROL : B7F15712
20:21:00:687 2916 IRP_MJ_INTERNAL_DEVICE_CONTROL : B7F11852
20:21:00:687 2916 IRP_MJ_SHUTDOWN : 804F4562
20:21:00:687 2916 IRP_MJ_LOCK_CONTROL : 804F4562
20:21:00:687 2916 IRP_MJ_CLEANUP : 804F4562
20:21:00:703 2916 IRP_MJ_CREATE_MAILSLOT : 804F4562
20:21:00:703 2916 IRP_MJ_QUERY_SECURITY : 804F4562
20:21:00:703 2916 IRP_MJ_SET_SECURITY : 804F4562
20:21:00:703 2916 IRP_MJ_POWER : B7F1573C
20:21:00:703 2916 IRP_MJ_SYSTEM_CONTROL : B7F1C336
20:21:00:703 2916 IRP_MJ_DEVICE_CHANGE : 804F4562
20:21:00:703 2916 IRP_MJ_QUERY_QUOTA : 804F4562
20:21:00:703 2916 IRP_MJ_SET_QUOTA : 804F4562
20:21:00:703 2916 C:\WINDOWS\system32\drivers\tsk9F.tmp - Verdict: 3
20:21:00:703 2916
20:21:00:703 2916 Driver Name: atapi
20:21:00:703 2916 IRP_MJ_CREATE : 89C34CA1
20:21:00:703 2916 IRP_MJ_CREATE_NAMED_PIPE : 89C34CA1
20:21:00:703 2916 IRP_MJ_CLOSE : 89C34CA1
20:21:00:703 2916 IRP_MJ_READ : 89C34CA1
20:21:00:703 2916 IRP_MJ_WRITE : 89C34CA1
20:21:00:703 2916 IRP_MJ_QUERY_INFORMATION : 89C34CA1
20:21:00:703 2916 IRP_MJ_SET_INFORMATION : 89C34CA1
20:21:00:703 2916 IRP_MJ_QUERY_EA : 89C34CA1
20:21:00:703 2916 IRP_MJ_SET_EA : 89C34CA1
20:21:00:703 2916 IRP_MJ_FLUSH_BUFFERS : 89C34CA1
20:21:00:703 2916 IRP_MJ_QUERY_VOLUME_INFORMATION : 89C34CA1
20:21:00:703 2916 IRP_MJ_SET_VOLUME_INFORMATION : 89C34CA1
20:21:00:703 2916 IRP_MJ_DIRECTORY_CONTROL : 89C34CA1
20:21:00:703 2916 IRP_MJ_FILE_SYSTEM_CONTROL : 89C34CA1
20:21:00:703 2916 IRP_MJ_DEVICE_CONTROL : 89C34CA1
20:21:00:703 2916 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89C34CA1
20:21:00:703 2916 IRP_MJ_SHUTDOWN : 89C34CA1
20:21:00:703 2916 IRP_MJ_LOCK_CONTROL : 89C34CA1
20:21:00:703 2916 IRP_MJ_CLEANUP : 89C34CA1
20:21:00:703 2916 IRP_MJ_CREATE_MAILSLOT : 89C34CA1
20:21:00:703 2916 IRP_MJ_QUERY_SECURITY : 89C34CA1
20:21:00:703 2916 IRP_MJ_SET_SECURITY : 89C34CA1
20:21:00:703 2916 IRP_MJ_POWER : 89C34CA1
20:21:00:703 2916 IRP_MJ_SYSTEM_CONTROL : 89C34CA1
20:21:00:703 2916 IRP_MJ_DEVICE_CHANGE : 89C34CA1
20:21:00:703 2916 IRP_MJ_QUERY_QUOTA : 89C34CA1
20:21:00:703 2916 IRP_MJ_SET_QUOTA : 89C34CA1
20:21:00:703 2916 Driver "atapi" infected by TDSS rootkit!
20:21:00:703 2916 C:\WINDOWS\system32\drivers\tsk9F.tmp - Verdict: 3
20:21:00:703 2916
20:21:00:703 2916 Completed
20:21:00:703 2916
20:21:00:703 2916 Results:
20:21:00:703 2916 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
20:21:00:703 2916 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:21:00:703 2916 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:21:00:703 2916
20:21:00:703 2916 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:21:00:703 2916 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:21:00:703 2916 UnloadDriverW: NtUnloadDriver error 1
20:21:00:703 2916 KLMD_Unload: UnloadDriverW(klmd21) error 1
20:21:00:703 2916 KLMD(ARK) unloaded successfully


Logfile of random's system information tool 1.06 (written by random/random)
Run by Rhawn at 2010-03-18 20:35:00
Microsoft Windows XP Professional Service Pack 3
System drive C: has 24 GB (53%) free of 45 GB
Total RAM: 2046 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:10 PM, on 3/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
D:\Program Files\Pandora\Pandora.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\Program Files\Digsby\lib\digsby-app.exe
D:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rhawn\Desktop\RSIT.exe
C:\Documents and Settings\Rhawn\Desktop\Rhawn.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Pandora.lnk = D:\Program Files\Pandora\Pandora.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor Ver.3.lnk = D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 9960 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074C1DC5-9320-4A9A-947D-C042949C6216}]
ContributeBHO Class - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-11 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
{517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - Contribute Toolbar - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16 118784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-10-16 16855552]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
""= []
"amd_dc_opt"=C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe [2008-07-22 77824]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2008-04-28 570664]
"NBKeyScan"=D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2008-02-18 2221352]
"nwiz"=C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [2009-08-12 1657376]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-08-17 13877248]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-08-17 86016]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-05-26 413696]
"BlackBerryAutoUpdate"=C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [2009-11-19 623960]
"googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-04-09 30192]
"Adobe_ID0EYTHM"=C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [2007-03-20 1884160]
"Acrobat Assistant 8.0"=D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2007-05-10 624248]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-11-16 2054360]
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"igndlm.exe"=D:\Program Files\Download Manager\dlm.exe [2009-05-14 1103216]
"PlayNC Launcher"= []
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe [2008-02-28 1828136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ImageMixer 3 SE Camera Monitor Ver.3.lnk - D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe

C:\Documents and Settings\Rhawn\Start Menu\Programs\Startup
Pandora.lnk - D:\Program Files\Pandora\Pandora.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2008-10-16 87352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe:*:Enabled:Apache HTTP Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe"="C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"D:\Program Files\Ventrilo\Ventrilo.exe"="D:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"D:\Program Files\Steam\Steam.exe"="D:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"D:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe"="D:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"D:\Program Files\Electronic Arts\Battlefield Bad Company 2 - BETA\BFBC2BetaUpdater.exe"="D:\Program Files\Electronic Arts\Battlefield Bad Company 2 - BETA\BFBC2BetaUpdater.exe:*:Enabled:Battlefield Bad Company 2 - BETA"
"D:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe"="D:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe:*:Enabled:Call of Duty: Modern Warfare 2 - Multiplayer"
"D:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe"="D:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe:*:Enabled:Call of Duty: Modern Warfare 2"
"D:\Program Files\Steam\steamapps\common\borderlands\Binaries\Borderlands.exe"="D:\Program Files\Steam\steamapps\common\borderlands\Binaries\Borderlands.exe:*:Enabled:Borderlands"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"D:\Program Files\Digsby\lib\digsby-app.exe"="D:\Program Files\Digsby\lib\digsby-app.exe:*:Disabled:Digsby IM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-03-18 20:20:30 ----A---- C:\TDSSKiller.2.2.8_18.03.2010_20.20.30_log.txt
2010-03-18 11:02:07 ----D---- C:\rsit
2010-03-16 15:26:10 ----A---- C:\WINDOWS\ntbtlog.txt
2010-03-11 12:41:45 ----SHD---- C:\found.000
2010-03-11 04:01:45 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-10 00:33:39 ----D---- C:\Program Files\Sony Online Entertainment
2010-03-09 12:21:28 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-09 12:21:19 ----D---- C:\Program Files\SUPERAntiSpyware
2010-03-09 12:21:18 ----D---- C:\Documents and Settings\Rhawn\Application Data\SUPERAntiSpyware.com
2010-03-06 13:13:38 ----D---- C:\Program Files\TrendMicro
2010-03-04 13:26:12 ----A---- C:\RootRepeal report 03-04-10 (12-26-12).txt
2010-03-04 11:06:21 ----A---- C:\RootRepeal report 03-04-10 (10-06-21).txt
2010-03-03 22:14:00 ----D---- C:\Program Files\ESET
2010-03-03 22:14:00 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2010-03-03 00:14:47 ----D---- C:\Program Files\AVG
2010-02-24 04:00:16 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-20 12:07:26 ----D---- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2010-02-20 12:07:25 ----D---- C:\Documents and Settings\Rhawn\Application Data\AVS4YOU
2010-02-20 12:06:43 ----D---- C:\Program Files\AVS4YOU
2010-02-20 12:06:06 ----D---- C:\Program Files\Common Files\AVSMedia
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\msxml3a.dll
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\msvcr70.dll
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\msvcp70.dll
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\mfc70.dll
2010-02-20 12:05:52 ----A---- C:\WINDOWS\system32\GdiPlus.dll

======List of files/folders modified in the last 1 months======

2010-03-18 20:27:27 ----D---- C:\WINDOWS\Temp
2010-03-18 20:26:51 ----D---- C:\WINDOWS\system32\drivers
2010-03-18 20:25:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-18 20:23:06 ----D---- C:\WINDOWS\Prefetch
2010-03-18 20:20:31 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-18 20:18:21 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-17 08:57:52 ----SHD---- C:\WINDOWS\Installer
2010-03-17 08:57:50 ----D---- C:\Program Files\Mozilla Firefox
2010-03-17 08:57:39 ----HD---- C:\Program Files\InstallShield Installation Information
2010-03-16 21:03:00 ----D---- C:\WINDOWS\system32
2010-03-16 21:03:00 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-16 15:37:17 ----D---- C:\WINDOWS\SHELLNEW
2010-03-16 15:26:10 ----D---- C:\WINDOWS
2010-03-16 10:33:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-11 12:36:10 ----RSH---- C:\boot.ini
2010-03-11 12:36:10 ----A---- C:\WINDOWS\win.ini
2010-03-11 12:36:10 ----A---- C:\WINDOWS\system.ini
2010-03-11 04:01:48 ----D---- C:\Program Files\Movie Maker
2010-03-11 04:01:35 ----HD---- C:\WINDOWS\inf
2010-03-11 04:01:33 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-11 04:00:24 ----D---- C:\WINDOWS\Debug
2010-03-10 00:33:39 ----RD---- C:\Program Files
2010-03-09 12:21:02 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-03-05 15:24:11 ----A---- C:\WINDOWS\NeroDigital.ini
2010-03-03 21:53:25 ----SD---- C:\Documents and Settings\Rhawn\Application Data\Microsoft
2010-03-03 00:09:15 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2010-03-03 00:09:08 ----D---- C:\Program Files\Common Files
2010-03-03 00:04:16 ----SD---- C:\WINDOWS\Tasks
2010-03-02 15:28:59 ----D---- C:\Documents and Settings
2010-03-02 08:59:17 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-02 08:52:48 ----D---- C:\Program Files\SpywareBlaster
2010-03-02 01:30:12 ----A---- C:\WINDOWS\system32\MRT.exe
2010-02-25 21:23:22 ----D---- C:\Documents and Settings\Rhawn\Application Data\Adobe
2010-02-25 12:28:49 ----D---- C:\Documents and Settings\Rhawn\Application Data\Sony Online Entertainment
2010-02-21 20:04:55 ----D---- C:\WINDOWS\system32\Restore
2010-02-21 13:58:00 ----D---- C:\Documents and Settings\Rhawn\Application Data\ZoomBrowser EX
2010-02-20 12:06:12 ----RSD---- C:\WINDOWS\Fonts

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 BIOS;BIOS; \??\C:\WINDOWS\system32\drivers\BIOS.sys []
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-11-16 96408]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R2 cpuz132;cpuz132; \??\C:\WINDOWS\system32\drivers\cpuz132_x32.sys []
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-11-16 116520]
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys [2007-06-29 34304]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-10-16 4615168]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-07-24 10144]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-08-17 7729568]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-11-27 58368]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-11-27 19968]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2009-01-09 27136]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S2 LMIInfo;LogMeIn Kernel Information Provider; \??\D:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-05-20 22784]
S3 rootrepeal;rootrepeal; \??\C:\WINDOWS\system32\drivers\rootrepeal.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2007-01-31 96370]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
R2 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2006-04-13 20543]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-17 153376]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2008-02-18 877864]
R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2006-11-27 135221]
R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2006-11-27 65593]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-08-17 168004]
R2 PLFlash DeviceIoControl Service;PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [2006-12-19 81920]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-05-01 654848]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2008-02-28 529704]
S3 Adobe Version Cue CS3;Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [2007-03-20 153792]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-11-16 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-04-09 30192]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 npggsvc;nProtect GameGuard Service; C:\WINDOWS\system32\GameMon.des [2009-08-30 3407412]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\wmpnetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:43 PM

Posted 18 March 2010 - 08:35 PM

Hello, Rhawn.
No problem smile.gif


We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 Rhawn

Rhawn
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 18 March 2010 - 09:08 PM

I forgot to answer a question, I am not seeing any issue currently. Thanks.

#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:43 PM

Posted 18 March 2010 - 10:07 PM

Hi!

Okay. Please proceed with combofix. We still have a little to clean up smile.gif

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#13 Rhawn

Rhawn
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 19 March 2010 - 11:37 AM

Thank you sir. Here are the logs.

ComboFix 10-03-18.02 - Rhawn 03/19/2010 12:21:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1504 [GMT -4:00]
Running from: c:\documents and settings\Rhawn\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\driver

.
((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-18 15:02 . 2010-03-18 15:02 -------- d-----w- C:\rsit
2010-03-16 19:19 . 2010-03-16 19:19 0 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2010-03-16 16:57 . 2010-03-16 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ytmjun
2010-03-14 00:54 . 2010-03-14 00:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-11 16:41 . 2010-03-11 16:41 -------- d-----w- C:\found.000
2010-03-11 13:55 . 2010-03-11 14:23 -------- d-----w- c:\documents and settings\Rhawn\DoctorWeb
2010-03-10 04:33 . 2010-03-17 12:57 -------- d-----w- c:\program files\Sony Online Entertainment
2010-03-09 16:21 . 2010-03-09 16:21 52224 ----a-w- c:\documents and settings\Rhawn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-09 16:21 . 2010-03-09 16:21 117760 ----a-w- c:\documents and settings\Rhawn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-09 16:21 . 2010-03-09 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-09 16:21 . 2010-03-16 19:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-09 16:21 . 2010-03-09 16:21 -------- d-----w- c:\documents and settings\Rhawn\Application Data\SUPERAntiSpyware.com
2010-03-06 17:13 . 2010-03-06 17:13 388096 ----a-r- c:\documents and settings\Rhawn\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-06 17:13 . 2010-03-06 17:13 -------- d-----w- c:\program files\TrendMicro
2010-03-05 16:49 . 2010-03-05 16:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-03-04 02:14 . 2010-03-04 02:14 -------- d-----w- c:\program files\ESET
2010-03-04 02:14 . 2010-03-04 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-03-03 17:39 . 2010-03-03 23:20 0 ----a-w- c:\documents and settings\Rhawn\Local Settings\Application Data\prvlcl.dat
2010-03-03 05:36 . 2010-03-03 05:36 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-03 05:36 . 2010-03-12 15:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-03 04:14 . 2010-03-03 04:14 -------- d-----w- c:\program files\AVG
2010-03-03 01:02 . 2010-03-16 16:56 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-02 19:29 . 2010-03-02 19:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-02 19:29 . 2009-09-11 02:22 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-20 16:07 . 2010-02-20 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-02-20 16:07 . 2010-02-21 21:48 -------- d-----w- c:\documents and settings\Rhawn\Application Data\AVS4YOU
2010-02-20 16:06 . 2010-02-20 16:06 -------- d-----w- c:\program files\AVS4YOU
2010-02-20 16:06 . 2010-02-20 16:06 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-02-20 16:05 . 2008-07-17 21:25 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-02-20 16:05 . 2007-12-29 14:42 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-02-20 16:05 . 2007-12-29 14:42 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-02-20 16:05 . 2007-12-29 14:42 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-02-20 16:05 . 2007-12-29 14:42 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-02-18 23:52 . 2010-02-18 23:52 48816 ----a-w- c:\documents and settings\Rhawn\Application Data\GameRanger\GameRanger\Data\GameRangerLaunch.dll
2010-02-18 23:52 . 2010-02-18 23:52 155312 ----a-w- c:\documents and settings\Rhawn\Application Data\GameRanger\GameRanger\Data\GameRanger.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 00:56 . 2010-02-06 03:57 -------- d-----w- c:\documents and settings\Rhawn\Application Data\Sony Online Entertainment
2010-03-19 00:56 . 2010-02-06 03:57 241977 ----a-w- c:\documents and settings\Rhawn\Application Data\Sony Online Entertainment\npsoeact.dll
2010-03-19 00:26 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-19 00:18 . 2009-12-01 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-18 01:46 . 2009-12-21 17:22 256 ----a-w- c:\windows\system32\pool.bin
2010-03-17 12:57 . 2009-03-23 20:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-09 16:21 . 2009-03-24 01:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-03 04:09 . 2009-03-23 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-02 12:59 . 2009-05-04 17:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 12:52 . 2010-01-23 01:59 -------- d-----w- c:\program files\SpywareBlaster
2010-02-21 17:58 . 2009-06-12 23:52 -------- d-----w- c:\documents and settings\Rhawn\Application Data\ZoomBrowser EX
2010-02-20 16:07 . 2009-12-02 01:12 32512 ----a-w- c:\documents and settings\Rhawn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-19 10:28 . 2010-01-25 15:25 1216176 ----a-w- c:\documents and settings\Rhawn\Application Data\GameRanger\GameRanger\GameRanger.exe
2010-02-13 02:10 . 2009-06-03 03:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-12 16:53 . 2009-07-16 00:19 -------- d-----w- c:\documents and settings\Rhawn\Application Data\Skype
2010-02-12 16:30 . 2009-07-16 00:30 -------- d-----w- c:\documents and settings\Rhawn\Application Data\skypePM
2010-02-05 19:01 . 2010-02-05 19:01 -------- d-----w- c:\program files\DIFX
2010-02-05 17:39 . 2010-02-05 17:38 -------- d-----w- c:\documents and settings\Rhawn\Application Data\GameRanger
2010-01-29 03:10 . 2010-01-29 03:10 138056 ----a-w- c:\documents and settings\Rhawn\Application Data\PnkBstrK.sys
2010-01-29 03:10 . 2010-01-29 03:10 138056 ----a-w- c:\documents and settings\Rhawn\Application Data\PnkBstrK.sys
2010-01-29 03:09 . 2009-03-27 15:34 -------- d-----w- c:\documents and settings\Rhawn\Application Data\IGN_DLM
2010-01-28 19:55 . 2009-03-28 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-27 17:29 . 2010-01-27 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-27 02:41 . 2010-01-27 02:41 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 02:34 . 2010-01-27 02:34 503808 ----a-w- c:\documents and settings\Rhawn\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7eb0059c-n\msvcp71.dll
2010-01-27 02:34 . 2010-01-27 02:34 499712 ----a-w- c:\documents and settings\Rhawn\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7eb0059c-n\jmc.dll
2010-01-27 02:34 . 2010-01-27 02:34 348160 ----a-w- c:\documents and settings\Rhawn\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7eb0059c-n\msvcr71.dll
2010-01-27 02:34 . 2010-01-27 02:34 61440 ----a-w- c:\documents and settings\Rhawn\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4884edc9-n\decora-sse.dll
2010-01-27 02:34 . 2010-01-27 02:34 12800 ----a-w- c:\documents and settings\Rhawn\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4884edc9-n\decora-d3d.dll
2010-01-27 02:34 . 2009-12-20 16:37 -------- d-----w- c:\program files\Java
2010-01-26 17:29 . 2010-01-26 17:29 -------- d-----w- c:\program files\SEO Munchies
2010-01-25 19:32 . 2010-01-29 03:50 114360 ----a-w- c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
2010-01-23 00:46 . 2009-12-13 16:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 18:45 . 2010-01-19 18:45 126888 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-07 21:07 . 2009-12-13 16:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-13 16:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 20:57 . 2010-01-27 14:57 545280 ----a-w- c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-05 20:57 . 2010-01-27 14:57 344064 ----a-w- c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-05 20:57 . 2010-01-27 14:57 153600 ----a-w- c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-05 20:57 . 2010-01-27 14:57 103424 ----a-w- c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-01-05 20:57 . 2010-01-27 14:57 57856 ----a-w- c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-05 20:57 . 2010-01-27 14:57 4725760 ----a-w- c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-20 16:37 . 2009-12-20 16:37 152576 ----a-w- c:\documents and settings\Rhawn\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-20 16:37 . 2009-12-20 16:37 79488 ----a-w- c:\documents and settings\Rhawn\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-04-10 02:38 . 2009-04-10 02:38 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="d:\program files\Download Manager\dlm.exe" [2009-05-14 1103216]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="d:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-04-10 30192]
"Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Rhawn\Start Menu\Programs\Startup\
Pandora.lnk - d:\program files\Pandora\Pandora.exe [2009-9-10 95232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ImageMixer 3 SE Camera Monitor Ver.3.lnk - d:\program files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe [2009-6-27 253952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Digsby\\lib\\digsby-app.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [3/23/2009 4:34 PM 13696]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 10:03 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11/16/2009 10:06 AM 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/16/2009 10:04 AM 735960]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\d:\program files\LogMeIn\x86\RaInfo.sys --> d:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/9/2009 10:38 PM 30192]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Rhawn\Application Data\Mozilla\Firefox\Profiles\rj1fih81.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Sony Online Entertainment\npsoe.dll
FF - plugin: d:\program files\Download Manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-PlayNC Launcher - (no file)
SafeBoot-klmdb.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-19 12:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(1460)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-19 12:26:38
ComboFix-quarantined-files.txt 2010-03-19 16:26

Pre-Run: 24,938,803,200 bytes free
Post-Run: 27,088,093,184 bytes free

- - End Of File - - E17F90F07AF8BF833DBAA894C461DE99


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:56 PM, on 3/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rhawn\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Pandora.lnk = D:\Program Files\Pandora\Pandora.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor Ver.3.lnk = D:\Program Files\PIXELA\ImageMixer 3 SE Ver.3\CameraMonitor.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 9486 bytes



#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:43 PM

Posted 19 March 2010 - 11:54 AM

Hello, Rhawn.
We need to run a Panda Active Scan
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Scan Now button
  4. If it wants to install an ActiveX component allow it
  5. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  6. When download is complete, click on My Computer to start the scan
  7. When the scan completes, if anything malicious is detected, click the Export to button, Post the contents of the ActiveScan report

NEXT:

Please generate a fresh GMER log

In your next reply, please include the following:
  • ActiveScan Report
  • GMER log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#15 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:02:43 PM

Posted 21 March 2010 - 11:29 PM

Hello Rhawn
Are you still with us?

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users