Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Ping.exe virus


  • This topic is locked This topic is locked
18 replies to this topic

#1 whitecocoa

whitecocoa

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 22 December 2011 - 03:27 PM

Hey all, I have been infected with a ping.exe virus. It started with a fake Windows XP Security program virus, which i removed, but it left a ping.exe virus. I read the sticky on how to prepare logs, and i have a GMER log, but when i try and run DDS all that happens is notepad pops up filled with gibberish. No black screen.

BC AdBot (Login to Remove)

 


#2 whitecocoa

whitecocoa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 22 December 2011 - 05:42 PM

Well I used an alternative logger, RSIT. Heres what I got:

Info.log:

info.txt logfile of random's system information tool 1.09 2011-12-22 14:39:04

======Uninstall list======

-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
-->MsiExec /X{54194F60-988C-4D03-B922-C2B00EFDA39A}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
32 Bit HP CIO Components Installer-->MsiExec.exe /I{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}
7-Zip 9.20-->"C:\Program Files\7-Zip\Uninstall.exe"
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Acrobat.com-->msiexec /qb /x {F8131A35-47FD-27AD-116D-0E79AF5DE5EE}
Acrobat.com-->MsiExec.exe /I{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10q_ActiveX.exe -maintain activex
Adobe Flash Player 11 Plugin-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil11e_Plugin.exe -maintain plugin
Adobe Reader 9.4.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A94000000001}
AMD APP SDK Runtime-->MsiExec.exe /I{A25FF1C0-80B6-4B8B-A551-DC525697A408}
Apple Application Support-->MsiExec.exe /I{EE6097DD-05F4-4178-9719-D3170BF098E8}
Apple Mobile Device Support-->MsiExec.exe /I{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}
Apple Software Update-->MsiExec.exe /I{C41300B9-185D-475E-BFEC-39EF732F19B1}
ATI AVIVO Codecs-->MsiExec.exe /I{308198A5-C350-DD39-4C5F-D5A28C004091}
Belarc Advisor 8.2-->"C:\PROGRA~1\Belarc\Advisor\Uninstall.exe" "C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG"
Belkin F7D1101 Basic Wireless USB Adapter-->"C:\Program Files\InstallShield Installation Information\{AFD89880-C544-4777-B645-FBF6D3391B11}\setup.exe" -runfromtemp -l0x0409 -removeonly
Belkin F7D1101 Basic Wireless USB Adapter-->MsiExec.exe /X{AFD89880-C544-4777-B645-FBF6D3391B11}
BitTorrent-->"C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
Bonjour-->MsiExec.exe /X{2A981294-F14C-4F0F-9627-D793270922F8}
Canon i250-->C:\WINDOWS\system32\CNMCP50.exe "-PRINTERNAMECanon i250" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon i250 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Canon PIXMA iP1500-->C:\WINDOWS\system32\CNMCP5y.exe "-PRINTERNAMECanon PIXMA iP1500" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1500 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1500 Installer\Inst2\cnmi0409.dll"
Catalyst Control Center - Branding-->MsiExec.exe /I{19A492A0-888F-44A0-9B21-D91700763F62}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Cisco Connect-->"C:\Program Files\Cisco Systems\Cisco Connect\Cisco Connect.exe" -uninstall
CopyTrans Suite Remove Only-->C:\Program Files\WindSolutions\CopyTrans Suite\CopyTransControlCenter.exe uninstall
DivX Setup-->C:\Documents and Settings\All Users\Application Data\DivX\Setup\DivXSetup.exe /uninstall
DriverAgent by eSupport.com-->RunDll32.exe advpack.dll,LaunchINFSection driveragent_exe.inf,TVICHW32Remove
DVD Decoder Pak for Windows XP-->MsiExec.exe /X{92C5DB3D-9D6F-4324-BB11-57825F4C2635}
Google Earth-->MsiExec.exe /X{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}
Google Talk Plugin-->MsiExec.exe /I{5CF6EEE9-86B1-3DB6-A07C-8F6C079C39BA}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB2570791)-->"C:\WINDOWS\$NtUninstallKB2570791$\spuninst\spuninst.exe"
HP Photosmart C4600 All-In-One Driver 14.0 Rel. 5-->C:\Program Files\HP\Digital Imaging\{1E1746EF-F5BF-4677-8F30-04FE399130DA}\setup\hpzscr01.exe -datfile hposcr36.dat -onestop -forcereboot
HP USB Disk Storage Format Tool-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}\Setup.exe" -l0x9 anything
Image Converter .EXE 2.0.0.82-->"C:\Program Files\Image Converter .EXE\unins000.exe"
Intel® PRO Network Connections Drivers-->Prounstl.exe
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
iTunes-->MsiExec.exe /I{AAD47011-8518-4608-9656-951DA35B587B}
Java™ 6 Update 24-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216020FF}
Linksys Wireless Network Monitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{327C4E4D-7DB9-44F8-85F1-833C03E9E51A}\Setup.exe" -l0x9 -removeonly
Malwarebytes' Anti-Malware version 1.51.2.1300-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{F2508213-9989-4E85-A078-72BE483917EF}
Microsoft Games for Windows Marketplace-->MsiExec.exe /X{4CB0307C-565E-4441-86BE-0DF2E4FB828C}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570-->MsiExec.exe /X{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161-->MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219-->MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
Mozilla Firefox 8.0 (x86 en-US)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6 Service Pack 2 (KB973686)-->MsiExec.exe /I{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}
NVIDIA PhysX-->MsiExec.exe /X{54194F60-988C-4D03-B922-C2B00EFDA39A}
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
OpenAL-->"C:\Program Files\OpenAL\oalinst.exe" /U
Pando Media Booster-->C:\Program Files\Pando Networks\Media Booster\uninst.exe
Pandora-->msiexec /qb /x {E3E3C2C5-B78F-560D-01C0-A9F11945D17B}
Pandora-->MsiExec.exe /I{E3E3C2C5-B78F-560D-01C0-A9F11945D17B}
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
PunkBuster Services-->C:\WINDOWS\system32\pbsvc.exe -u
QuickSFV (Remove only)-->C:\Program Files\QuickSFV\QSFVUNST.EXE C:\Program Files\QuickSFV\
QuickTime-->MsiExec.exe /I{57752979-A1C9-4C02-856B-FBB27AC4E02C}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RealUpgrade 1.0-->MsiExec.exe /I{F4F4F84E-804F-4E9A-84D7-C34283F0088F}
Red Faction Guerrilla-->MsiExec.exe /I{A357EF4C-2B6F-4980-ACA9-B1E42A74D7F3}
RegCure-->C:\Program Files\RegCure\uninst.exe
Safari-->MsiExec.exe /I{AFAC914D-9E83-4A89-8ABE-427521C82CCF}
Security Update for 2007 Microsoft Office System (KB2288621)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5C497F0B-2061-4CC9-A61C-6B45B867354D}
Security Update for 2007 Microsoft Office System (KB2288931)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CD769337-C8AC-46DB-A7DC-643E50089263}
Security Update for 2007 Microsoft Office System (KB2345043)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {536FB502-775F-4494-BACE-C02CC90B7A5B}
Security Update for 2007 Microsoft Office System (KB2553074)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5729F1AE-5895-468F-9165-BAD161C9E982}
Security Update for 2007 Microsoft Office System (KB2553089)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {01D4CA59-7070-4420-9BCC-0EFA7C5D76BE}
Security Update for 2007 Microsoft Office System (KB2553090)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {643C12A2-AF9A-4712-B8BE-3B7650AFE00A}
Security Update for 2007 Microsoft Office System (KB2584063)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BF3F1CBD-B05C-4644-AE43-6EE0FCC227A4}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A8894F19-59C8-38D2-8A75-36C0CCE56A5B} /qb+ REBOOTPROMPT=""
Security Update for Microsoft Office Access 2007 (KB979440)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1142CCEC-ACA9-484B-BA90-C3A5CA1988C5}
Security Update for Microsoft Office Access 2007 (KB979440)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5A4E43D5-858F-49BD-BA72-8F30E1793060}
Security Update for Microsoft Office Excel 2007 (KB2553073)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {65EA4836-B5A3-4C1D-8883-0C35E471003A}
Security Update for Microsoft Office Groove 2007 (KB2552997)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3A1CBF7D-4704-40BC-B31C-AA761884A3E4}
Security Update for Microsoft Office InfoPath 2007 (KB2510061)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5D930261-AA5B-48D1-931F-425C9D767490}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1109D0B3-EFA3-4553-AAED-4C3E9AD130E8}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8588DD11-6BD7-4400-B55C-DD5AB74B43E1}
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {D75E6D0C-BADF-4F41-98B2-0C0F02C15062}
Security Update for Microsoft Office Publisher 2007 (KB2284697)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3A4CDE54-2403-483D-8D9A-15E3264410DF}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB2344993)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7A5B74FA-7A92-4FC9-821A-2DD5D4E73E48}
Security Update for Microsoft Windows (KB2564958)-->"C:\WINDOWS\$NtUninstallKB2564958$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2360131)-->"C:\WINDOWS\ie8updates\KB2360131-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2416400)-->"C:\WINDOWS\ie8updates\KB2416400-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2482017)-->"C:\WINDOWS\ie8updates\KB2482017-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2497640)-->"C:\WINDOWS\ie8updates\KB2497640-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2510531)-->"C:\WINDOWS\ie8updates\KB2510531-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2530548)-->"C:\WINDOWS\ie8updates\KB2530548-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2544521)-->"C:\WINDOWS\ie8updates\KB2544521-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2559049)-->"C:\WINDOWS\ie8updates\KB2559049-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2586448)-->"C:\WINDOWS\ie8updates\KB2586448-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows XP (KB2507938)-->"C:\WINDOWS\$NtUninstallKB2507938$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2536276-v2)-->"C:\WINDOWS\$NtUninstallKB2536276-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2544893-v2)-->"C:\WINDOWS\$NtUninstallKB2544893-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2555917)-->"C:\WINDOWS\$NtUninstallKB2555917$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2562937)-->"C:\WINDOWS\$NtUninstallKB2562937$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2566454)-->"C:\WINDOWS\$NtUninstallKB2566454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2567053)-->"C:\WINDOWS\$NtUninstallKB2567053$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2567680)-->"C:\WINDOWS\$NtUninstallKB2567680$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2570222)-->"C:\WINDOWS\$NtUninstallKB2570222$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2570947)-->"C:\WINDOWS\$NtUninstallKB2570947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2592799)-->"C:\WINDOWS\$NtUninstallKB2592799$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Solid YouTube Downloader and Converter FileBulldog Toolbar-->C:\Program Files\Solid YouTube Downloader and Converter FileBulldog Toolbar\UninstallToolbar.exe
Source SDK Base 2006-->"C:\Program Files\Steam\steam.exe" steam://uninstall/215
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab CYRI-->MsiExec.exe /I{1F77C418-2C90-459C-BD33-B56A4182B9FA}
The Elder Scrolls IV: Oblivion -->"C:\Program Files\Steam\steam.exe" steam://uninstall/22330
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 System (KB2539530)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B4CEEAE-AA88-490C-BCB2-AAC3421981A4}
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Microsoft Office Outlook 2007 (KB2583910)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BDC21583-5601-4B2B-88F3-7919F6DE8FB1}
Update for Outlook 2007 Junk Email Filter (KB2596560)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {2964DDE1-4925-4DF1-AF2C-0A36B3442228}
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB2607712)-->"C:\WINDOWS\$NtUninstallKB2607712$\spuninst\spuninst.exe"
Update for Windows XP (KB2616676)-->"C:\WINDOWS\$NtUninstallKB2616676$\spuninst\spuninst.exe"
Update for Windows XP (KB2641690)-->"C:\WINDOWS\$NtUninstallKB2641690$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.6195-->MsiExec.exe /I{933B4015-4618-4716-A828-5289FC03165F}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
VoiceOver Kit-->MsiExec.exe /I{FB26A501-6BA6-459B-89AA-9736730752FB}
WeGame Client 2.4.3.0-->"C:\Program Files\WeGame\unins000.exe"
Windows Essentials Media Codec Pack 3.6 [32-Bit]-->C:\Program Files\Essentials Codec Pack\uninst.exe
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live ID Sign-in Assistant-->MsiExec.exe /X{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xvid 1.2.2 final uninstall-->"C:\Program Files\Xvid\unins000.exe"
Zune Desktop Theme-->MsiExec.exe /X{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}

Hosts File Missing
======Security center information======

AV: Lavasoft Ad-Watch Live! Anti-Virus

======System event log======

Computer Name: WARHAMME-B756C0
Event Code: 7023
Message: The Network Location Awareness (NLA) service terminated with the following error:
The specified procedure could not be found.


Record Number: 30594
Source Name: Service Control Manager
Time Written: 20111215193506.000000-480
Event Type: error
User:

Computer Name: WARHAMME-B756C0
Event Code: 7023
Message: The Network Location Awareness (NLA) service terminated with the following error:
The specified procedure could not be found.


Record Number: 30591
Source Name: Service Control Manager
Time Written: 20111215193505.000000-480
Event Type: error
User:

Computer Name: WARHAMME-B756C0
Event Code: 1
Message: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

Record Number: 30574
Source Name: sr
Time Written: 20111215193448.000000-480
Event Type: error
User:

Computer Name: WARHAMME-B756C0
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 30559
Source Name: Tcpip
Time Written: 20111215172315.000000-480
Event Type: warning
User:

Computer Name: WARHAMME-B756C0
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 30549
Source Name: Tcpip
Time Written: 20111215153115.000000-480
Event Type: warning
User:

=====Application event log=====

Computer Name: WARHAMME-B756C0
Event Code: 2
Message: Title Fallout3.exe (1.7.0.3)
XLive 3.4.0018.0 (WGX_XLIVE_V3.04_RTM.101014-0105) C:\WINDOWS\system32\xlive.dll


0x80151103

XLive Logon Failed

00:71:79:E3:76:59
192.168.15.121
0xfb00000000a2ff81
LogonHR == 0x80150002
Games for Windows - LIVE DLL

Record Number: 2915
Source Name: XLive
Time Written: 20110608112118.000000-420
Event Type: warning
User:

Computer Name: WARHAMME-B756C0
Event Code: 2
Message: Title Fallout3.exe (1.7.0.3)
XLive 3.4.0018.0 (WGX_XLIVE_V3.04_RTM.101014-0105) C:\WINDOWS\system32\xlive.dll


0x80070057

LiveId Logon Failed

00:71:79:E3:76:59
192.168.15.121
0xfb00000000a2ff81
LogonHR == 0x80150002
Games for Windows - LIVE DLL

Record Number: 2914
Source Name: XLive
Time Written: 20110608112118.000000-420
Event Type: warning
User:

Computer Name: WARHAMME-B756C0
Event Code: 1002
Message: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 2913
Source Name: Application Hang
Time Written: 20110608105253.000000-420
Event Type: error
User:

Computer Name: WARHAMME-B756C0
Event Code: 1000
Message: Faulting application falloutnv.exe, version 1.3.0.452, faulting module falloutnv.exe, version 1.3.0.452, fault address 0x0065e5e3.

Record Number: 2896
Source Name: Application Error
Time Written: 20110607163054.000000-420
Event Type: error
User:

Computer Name: WARHAMME-B756C0
Event Code: 1000
Message: Faulting application falloutnv.exe, version 1.3.0.452, faulting module falloutnv.exe, version 1.3.0.452, fault address 0x0065e9c4.

Record Number: 2895
Source Name: Application Error
Time Written: 20110607155813.000000-420
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\AMD APP\bin\x86;C:\Program Files\NVIDIA Corporation\PhysX\Common;%CommonProgramFiles%\Microsoft Shared\Windows Live;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0407
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"AMDAPPSDKROOT"=C:\Program Files\AMD APP\

-----------------EOF-----------------







log:

Logfile of random's system information tool 1.09 (written by random/random)
Run by White Cocoa at 2011-12-22 14:38:28
Microsoft Windows XP Professional Service Pack 3
System drive C: has 15 GB (28%) free of 55 GB
Total RAM: 3070 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:39:01 PM, on 12/22/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\WUSBF54G\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WeGame\WGClientService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Essentials Codec Pack\WECPUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\ping.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\White Cocoa\Desktop\RSIT.exe
C:\Program Files\trend micro\White Cocoa.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Somoto Toolbar - {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files\somototoolbar\vmntemplateX.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Somoto Toolbar - {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files\somototoolbar\vmntemplateX.dll
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Documents and Settings\White Cocoa\Desktop\BitTorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\White Cocoa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NICSer_WUSBF54G - Unknown owner - C:\Program Files\Linksys\WUSBF54G\NICServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: WeGame Client Service (WeGameClientService) - WeGame.com, Inc. - C:\Program Files\WeGame\WGClientService.exe

--
End of file - 8192 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-362288127-839522115-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-362288127-839522115-1003UA.job
C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1292428093-362288127-839522115-1003.job
C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1292428093-362288127-839522115-1003.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\Windows Codec Update Service.job

=========Mozilla firefox=========

ProfilePath - C:\Documents and Settings\White Cocoa\Application Data\Mozilla\Firefox\Profiles\kbr1fw9i.default

prefs.js - "browser.startup.homepage" - "http://www.rawstory.com/"
prefs.js - "keyword.URL" - "http://www.bing.com/search?pc=Z133&form=ZGAADF&install_date=20111127&q="

"{20a82645-c095-46ed-80e3-08825760534b}"=c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
"jqs@sun.com"=C:\Program Files\Java\jre6\lib\deploy\jqs\ff
"{23fcfd51-4958-4f00-80a3-ae97e717ed8b}"=C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5


[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 10.1 Plugin
"Path"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=]
"Description"=iTunes Detector Plug-in
"Path"=

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=1.0]
"Description"=
"Path"=C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0]
"Description"=DivX Plus Web Player
"Path"=C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0]
"Description"=DivX VOD Helper Plug-in
"Path"=C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Google.com/GoogleEarthPlugin]
"Description"=Google Earth in your browser
"Path"=C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin]
"Description"=Oracle® Next Generation Java™ Plug-In
"Path"=C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0]
"Description"=Ag Player Plugin
"Path"=c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5]
"Description"=Windows Presentation Foundation plug-in for Mozilla browsers
"Path"=c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@nexon.net/NxGame]
"Description"=Nexon Game Controller
"Path"=C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@pandonetworks.com/PandoWebPlugin]
"Description"=This plugin detects and launches Pando Media Booster
"Path"=C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nppl3260;version=6.0.12.732]
"Description"=RealPlayer™ LiveConnect-Enabled Plug-In
"Path"=C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nprjplug;version=1.0.3.732]
"Description"=RealJukebox Netscape Plugin
"Path"=C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0]
"Description"=RealPlayer™ HTML5VideoShim Plug-In
"Path"=C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.732]
"Description"=6.0.12.732
"Path"=C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=]
"Description"=
"Path"=

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"=Google Update
"Path"=C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"=Google Update
"Path"=C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd}

C:\Program Files\Mozilla Firefox\components\
binary.manifest
browsercomps.dll
nppl3260.xpt
nsIQTScriptablePlugin.xpt
nsJSRealPlayerPlugin.xpt

C:\Program Files\Mozilla Firefox\plugins\
npdeployJava1.dll
NPOFF12.DLL
nppdf32.dll
nppl3260.dll
npqtplugin.dll
npqtplugin2.dll
npqtplugin3.dll
npqtplugin4.dll
npqtplugin5.dll
npqtplugin6.dll
npqtplugin7.dll
nprjplug.dll
nprpjplug.dll
QuickTimePlugin.class

C:\Program Files\Mozilla Firefox\searchplugins\
amazondotcom.xml
bing.xml.old
eBay.xml
google.xml
twitter.xml
wikipedia.xml
yahoo.xml

C:\Documents and Settings\White Cocoa\Application Data\Mozilla\Firefox\Profiles\kbr1fw9i.default\extensions\
{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

C:\Documents and Settings\White Cocoa\Application Data\Mozilla\Firefox\Profiles\kbr1fw9i.default\searchplugins\
bing-zugo.xml

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{326E768D-4182-46FD-9C16-1449A49795F4}]
DivX Plus Web Player HTML5 <video> - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll [2011-10-26 194432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{652853ad-5592-4231-88c6-706613a52e61}]
Somoto Toolbar - C:\Program Files\somototoolbar\vmntemplateX.dll [2011-07-21 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18 403840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-02-09 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2011-02-09 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{652853ad-5592-4231-88c6-706613a52e61} - Somoto Toolbar - C:\Program Files\somototoolbar\vmntemplateX.dll [2011-07-21 81920]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"=C:\WINDOWS\sttray.exe [2007-09-05 405504]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2010-11-29 421888]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2010-06-23 202256]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2011-10-12 98304]
"DivXUpdate"=C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2011-07-28 1259376]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2011-08-31 449608]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"BitTorrent"=C:\Documents and Settings\White Cocoa\Desktop\BitTorrent.exe [2011-03-31 400760]
"Google Update"=C:\Documents and Settings\White Cocoa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-19 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2011-10-12 188416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0
"NoFolderOptions"=0
"NoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0
"NoFolderOptions"=0
"NoRun"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Steam\Steam.exe"="C:\Program Files\Steam\Steam.exe:*:Enabled:Steam"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe"="C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Documents and Settings\White Cocoa\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe"="C:\Documents and Settings\White Cocoa\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin"
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe"="C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth"
"C:\Program Files\Google\Google Earth\client\googleearth.exe"="C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\BitTorrent\BitTorrent.exe"="C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Pando Networks\Media Booster\PMB.exe"="C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Documents and Settings\White Cocoa\My Documents\Downloads\Star Trek Downloader ST.15.20110626a.13.exe"="C:\Documents and Settings\White Cocoa\My Documents\Downloads\Star Trek Downloader ST.15.20110626a.13.exe:*:Enabled:Star Trek Downloader ST.15.20110626a.13"
"C:\Program Files\Cryptic Studios\Star Trek Online\Live\GameClient.exe"="C:\Program Files\Cryptic Studios\Star Trek Online\Live\GameClient.exe:*:Enabled:GameClient"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Documents and Settings\White Cocoa\Desktop\BitTorrent.exe"="C:\Documents and Settings\White Cocoa\Desktop\BitTorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Steam\steamapps\common\oblivion\OblivionLauncher.exe"="C:\Program Files\Steam\steamapps\common\oblivion\OblivionLauncher.exe:*:Enabled:The Elder Scrolls IV: Oblivion "
"C:\Program Files\Steam\steamapps\common\warhammer 40,000 space marine\SpaceMarine.exe"="C:\Program Files\Steam\steamapps\common\warhammer 40,000 space marine\SpaceMarine.exe:*:Enabled:Warhammer 40,000 Space Marine"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Nexon\Combat Arms\CombatArms.exe"="C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\Nexon\Combat Arms\Engine.exe"="C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Pando Networks\Media Booster\PMB.exe"="C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"vidc.iyuv"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvu9"=tsbyuv.dll
"vidc.yvyu"=msyuv.dll
"wavemapper"=msacm32.drv
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=C:\WINDOWS\system32\l3codeca.acm
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"vidc.XVID"=xvidvfw.dll
"wave2"=wdmaud.drv
"midi2"=wdmaud.drv
"mixer2"=wdmaud.drv
"aux1"=wdmaud.drv
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"wave3"=wdmaud.drv
"midi3"=wdmaud.drv
"mixer3"=wdmaud.drv
"vidc.DIVX"=DivX.dll
"vidc.yv12"=DivX.dll
"VIDC.FFDS"=ff_vfw.dll
"aux2"=wdmaud.drv
"wave4"=wdmaud.drv
"midi4"=wdmaud.drv
"mixer4"=wdmaud.drv
"aux3"=wdmaud.drv
"wave5"=wdmaud.drv
"midi5"=wdmaud.drv
"mixer5"=wdmaud.drv
"aux4"=wdmaud.drv

======File associations======

.scr - open - C:\WINDOWS\NOTEPAD.EXE "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 month======

2011-12-22 14:38:30 ----D---- C:\Program Files\trend micro
2011-12-22 14:38:28 ----D---- C:\rsit
2011-12-19 21:25:23 ----SHD---- C:\WINDOWS\CSC
2011-12-19 21:25:12 ----A---- C:\WINDOWS\ntbtlog.txt
2011-12-15 14:34:48 ----D---- C:\Documents and Settings\White Cocoa\Application Data\Malwarebytes
2011-12-15 14:34:38 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2011-12-15 14:34:35 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2011-12-15 14:34:35 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2011-12-10 22:49:13 ----D---- C:\Documents and Settings\White Cocoa\Application Data\Media Player Classic
2011-12-03 19:38:26 ----D---- C:\Program Files\Realtek
2011-12-03 19:38:18 ----A---- C:\WINDOWS\RtlExUpd.dll
2011-11-30 15:58:13 ----D---- C:\Documents and Settings\White Cocoa\Application Data\vmntemplate
2011-11-27 00:51:34 ----D---- C:\Program Files\Essentials Codec Pack
2011-11-27 00:48:25 ----D---- C:\Documents and Settings\White Cocoa\Application Data\Nullsoft
2011-11-27 00:45:17 ----D---- C:\Documents and Settings\White Cocoa\Application Data\somototoolbar
2011-11-27 00:45:16 ----D---- C:\Program Files\somototoolbar
2011-11-27 00:44:55 ----D---- C:\Program Files\Solid YouTube Downloader and Converter FileBulldog Toolbar
2011-11-27 00:36:05 ----D---- C:\Program Files\VideoLAN
2011-11-26 21:01:23 ----A---- C:\WINDOWS\system32\sticversion.exe
2011-11-26 21:01:23 ----A---- C:\WINDOWS\system32\picn20.dll
2011-11-26 21:01:23 ----A---- C:\WINDOWS\system32\AltST.dll
2011-11-26 21:01:22 ----D---- C:\Program Files\Image Converter .EXE
2011-11-26 21:01:22 ----D---- C:\Program Files\Common Files\SoftTech InterCorp
2011-11-26 21:01:22 ----A---- C:\WINDOWS\system32\ShellExtension.dll
2011-11-26 21:01:22 ----A---- C:\WINDOWS\system32\ImagXpr4.dll
2011-11-26 21:01:22 ----A---- C:\WINDOWS\system32\imagx4.dll
2011-11-26 21:01:22 ----A---- C:\WINDOWS\system32\imagr4.dll

======List of files/folders modified in the last 1 month======

2011-12-22 14:38:33 ----D---- C:\WINDOWS\Prefetch
2011-12-22 14:38:30 ----RD---- C:\Program Files
2011-12-22 14:31:15 ----D---- C:\WINDOWS\Temp
2011-12-22 13:30:53 ----D---- C:\WINDOWS\system32\config
2011-12-22 12:15:24 ----D---- C:\Documents and Settings\White Cocoa\Application Data\BitTorrent
2011-12-22 12:13:31 ----D---- C:\WINDOWS\system32\CatRoot2
2011-12-22 12:02:24 ----D---- C:\WINDOWS\system32\drivers
2011-12-22 11:55:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-12-22 11:53:44 ----D---- C:\WINDOWS\system32
2011-12-21 21:18:11 ----D---- C:\WINDOWS\Minidump
2011-12-21 21:18:11 ----D---- C:\WINDOWS
2011-12-19 21:23:35 ----SD---- C:\WINDOWS\Tasks
2011-12-16 21:00:04 ----D---- C:\Program Files\Steam
2011-12-15 21:22:31 ----AC---- C:\WINDOWS\BlendSettings.ini
2011-12-15 19:33:48 ----HDC---- C:\WINDOWS\$NtUninstallKB978601_0$
2011-12-15 14:02:20 ----D---- C:\Program Files\AVS4YOU
2011-12-15 14:02:14 ----D---- C:\Program Files\Common Files\AVSMedia
2011-12-15 14:01:12 ----D---- C:\WINDOWS\system32\drivers\etc
2011-12-15 08:45:39 ----HD---- C:\WINDOWS\inf
2011-12-15 08:44:29 ----HD---- C:\WINDOWS\$hf_mig$
2011-12-10 22:49:14 ----D---- C:\Documents and Settings\White Cocoa\Application Data\DivX
2011-12-06 00:46:04 ----RSHDC---- C:\WINDOWS\system32\dllcache
2011-12-06 00:45:54 ----D---- C:\WINDOWS\system32\ReinstallBackups
2011-12-03 19:38:26 ----HD---- C:\Program Files\InstallShield Installation Information
2011-12-03 18:49:18 ----D---- C:\Program Files\Google
2011-12-01 23:19:45 ----D---- C:\Program Files\Mount&Blade With Fire and Sword
2011-12-01 20:45:28 ----D---- C:\Program Files\Bethesda Softworks
2011-11-30 22:24:27 ----D---- C:\WINDOWS\system32\DirectX
2011-11-30 22:23:54 ----RSD---- C:\WINDOWS\assembly
2011-11-30 16:19:48 ----SHD---- C:\WINDOWS\Installer
2011-11-30 16:18:32 ----HD---- C:\Config.Msi
2011-11-26 21:01:22 ----D---- C:\Program Files\Common Files
2011-11-25 14:07:59 ----D---- C:\Program Files\Hamster Soft
2011-11-25 14:07:39 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2011-11-25 14:07:25 ----DC---- C:\WINDOWS\system32\DRVSTORE
2011-11-25 14:07:21 ----D---- C:\WINDOWS\Help
2011-11-23 15:08:14 ----D---- C:\Documents and Settings\White Cocoa\Application Data\Mozilla

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 Lbd;Lbd; C:\WINDOWS\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2010-07-12 45648]
R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2011-08-09 3840]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2010-04-12 59388]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2011-07-11 279712]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2011-07-11 25888]
R3 admjoy;Aureal Game Port Enumerator; C:\WINDOWS\system32\DRIVERS\admjoy.sys [2004-08-03 10880]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2011-10-12 7206400]
R3 AtiHdmiService;ATI Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\AtiHdmi.sys [2010-04-08 101904]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft 用于 High Definition Audio 的 UAA 总线驱动程序; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 MBAMProtector;MBAMProtector; \??\C:\WINDOWS\system32\drivers\mbam.sys []
R3 mf;mf; C:\WINDOWS\system32\DRIVERS\mf.sys [2008-04-13 63744]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 wdm_au8820;Aureal Vortex 8820 Audio Driver (WDM); C:\WINDOWS\system32\drivers\adm8820.sys [2001-10-05 508032]
R3 ZD1211U(Linksys);Linksys Wireless-G USB Network Adapter Driver(Linksys); C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2005-08-15 278528]
R3 ZDPSp50;ZDPSp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\ZDPSp50.sys [2004-10-25 17664]
S3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
S3 DrvAgent32;DrvAgent32; \??\C:\WINDOWS\system32\Drivers\DrvAgent32.sys []
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 GMSIPCI;GMSIPCI; \??\E:\INSTALL\GMSIPCI.SYS []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2009-08-26 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2009-08-26 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2009-08-26 21568]
S3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
S3 P16X;Creative SB Live! Series (WDM); C:\WINDOWS\system32\drivers\P16X.sys [2003-09-22 1330048]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%; C:\WINDOWS\system32\DRIVERS\RTL8192su.sys [2010-01-06 594048]
S3 STHDA;IDT High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-09-05 1246456]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2010-12-14 41984]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-12-30 436792]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2011-01-05 37664]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2011-10-12 643072]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-10-07 345376]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2011-02-02 153376]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2011-09-02 2152152]
R2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 NICSer_WUSBF54G;NICSer_WUSBF54G; C:\Program Files\Linksys\WUSBF54G\NICServ.exe [2005-06-15 529920]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2011-09-09 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2011-09-09 107832]
R2 WeGameClientService;WeGame Client Service; C:\Program Files\WeGame\WGClientService.exe [2011-07-28 18472]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-08-18 1529728]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-09-19 136176]
S2 STacSV;Audio Service; C:\WINDOWS\system32\STacSV.exe [2007-09-05 204800]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gupdatem;Google Update Service (gupdatem); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-09-19 136176]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2011-01-25 820008]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------







and GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-21 23:32:53
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c HDS722580VLAT20 rev.V32OA6MA
Running: gmer.exe; Driver: C:\DOCUME~1\WHITEC~1\LOCALS~1\Temp\kwpcipow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF74D787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF74D7BFE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF63D6000, 0x2B330C, 0xE8000020]
.text ipsec.sys AE6D5000 47 Bytes [AE, FF, B5, 04, FF, FF, FF, ...]
.text ipsec.sys AE6D5030 5 Bytes [FF, FF, E8, E5, FC]
.text ipsec.sys AE6D5037 120 Bytes [6A, 40, 57, 53, 68, 54, 3C, ...]
.text ipsec.sys AE6D50B0 68 Bytes [B5, 04, FF, FF, FF, E8, 8E, ...]
.text ipsec.sys AE6D50F5 82 Bytes [00, 69, 00, 6E, 00, 65, 00, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious PE modification
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xAB045300, 0x3AF78, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF77FF300, 0x1BCE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[456] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0111000A
.text C:\WINDOWS\System32\svchost.exe[456] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0189000A
.text C:\WINDOWS\System32\svchost.exe[456] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FF000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs AA2B2400

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) AE6E7000-AE701000 (106496 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x0B 0x6A 0x96 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x0B 0x6A 0x96 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB48492$\13090219 0 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\bckfg.tmp 814 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\cfg.ini 206 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\keywords 159 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\L 0 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\L\oeaugbhe 75264 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\U 0 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB48492$\13090219\U\80000032.@ 97792 bytes
File C:\WINDOWS\$NtUninstallKB48492$\811505839 0 bytes

---- EOF - GMER 1.0.15 ----

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:45 AM

Posted 27 December 2011 - 02:46 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 whitecocoa

whitecocoa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 27 December 2011 - 03:40 PM

ComboFix ran almost perfectly, after the first scan it detected rootkit activity and initiated the first reboot. i think it stalled, though, it stayed at the screen of my desktop, but without icons. i left it overnight but found no change, so i rebooted it on my own, and ComboFix picked up where it left off.

So far ping.exe hasnt popped up yet, which is new. however my computer still runs slow, and my audio still doesnt work.



ComboFix 11-12-26.03 - White Cocoa 12/27/2011 11:51:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2674 [GMT -8:00]
Running from: c:\documents and settings\White Cocoa\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\White Cocoa\Application Data\Mozilla\Firefox\Profiles\kbr1fw9i.default\searchplugins\bing-zugo.xml
c:\documents and settings\White Cocoa\WINDOWS
C:\install.exe
c:\program files\Image Converter .EXE
c:\program files\Image Converter .EXE\blank.gif
c:\program files\Image Converter .EXE\compare template.html
c:\program files\Image Converter .EXE\detail template.html
c:\program files\Image Converter .EXE\Help\CommandLines.htm
c:\program files\Image Converter .EXE\Help\pv_registration.mht
c:\program files\Image Converter .EXE\imageconverter.exe
c:\program files\Image Converter .EXE\license.txt
c:\program files\Image Converter .EXE\logfile.txt
c:\program files\Image Converter .EXE\thumbnail template.html
c:\program files\Image Converter .EXE\unins000.dat
c:\program files\Image Converter .EXE\unins000.exe
c:\program files\Image Converter .EXE\Web\Image Converter .EXE Home Page.url
c:\program files\Image Converter .EXE\Web\Order Image Converter .EXE.url
c:\program files\Image Converter .EXE\Web\SoftTech InterCorp.url
c:\program files\somototoolbar\vmNTemplatex.dll
c:\windows\$NtUninstallKB48492$
c:\windows\$NtUninstallKB48492$\13090219\@
c:\windows\$NtUninstallKB48492$\13090219\bckfg.tmp
c:\windows\$NtUninstallKB48492$\13090219\cfg.ini
c:\windows\$NtUninstallKB48492$\13090219\Desktop.ini
c:\windows\$NtUninstallKB48492$\13090219\keywords
c:\windows\$NtUninstallKB48492$\13090219\kwrd.dll
c:\windows\$NtUninstallKB48492$\13090219\L\oeaugbhe
c:\windows\$NtUninstallKB48492$\13090219\lsflt7.ver
c:\windows\$NtUninstallKB48492$\13090219\U\00000001.@
c:\windows\$NtUninstallKB48492$\13090219\U\00000002.@
c:\windows\$NtUninstallKB48492$\13090219\U\00000004.@
c:\windows\$NtUninstallKB48492$\13090219\U\80000000.@
c:\windows\$NtUninstallKB48492$\13090219\U\80000004.@
c:\windows\$NtUninstallKB48492$\13090219\U\80000032.@
c:\windows\$NtUninstallKB48492$\811505839
c:\windows\system32\SET3D3.tmp
c:\windows\system32\SET3D7.tmp
c:\windows\system32\SET3DF.tmp
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
.
.
2011-12-27 11:06 . 2011-12-27 11:06 -------- d-----w- C:\3f6ac9c4533be0b5e95315515cd6c838
2011-12-27 09:11 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-12-27 08:56 . 2011-12-27 08:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-22 22:38 . 2011-12-22 22:39 -------- d-----w- c:\program files\trend micro
2011-12-22 22:38 . 2011-12-22 22:39 -------- d-----w- C:\rsit
2011-12-17 18:29 . 2011-12-17 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-17 07:23 . 2011-12-17 07:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-15 22:34 . 2011-12-15 22:34 -------- d-----w- c:\documents and settings\White Cocoa\Application Data\Malwarebytes
2011-12-15 22:34 . 2011-12-15 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-15 22:34 . 2011-12-15 22:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 22:34 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-11 06:49 . 2011-12-11 09:18 -------- d-----w- c:\documents and settings\White Cocoa\Application Data\Media Player Classic
2011-12-04 03:38 . 2011-12-04 03:38 -------- d-----w- c:\program files\Realtek
2011-12-04 03:38 . 2011-09-01 03:12 1698408 ----a-w- c:\windows\RtlExUpd.dll
2011-12-04 03:38 . 2006-02-07 23:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-12-04 03:38 . 2006-02-07 23:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-12-04 03:38 . 2006-02-07 23:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-12-04 03:38 . 2006-02-07 23:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-12-04 03:38 . 2005-11-14 07:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2011-12-04 03:38 . 2011-12-04 03:38 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-12-04 03:38 . 2011-12-04 03:38 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-11-30 23:58 . 2011-11-30 23:58 -------- d-----w- c:\documents and settings\White Cocoa\Application Data\vmntemplate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 23:30 . 2011-05-13 18:17 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-02 05:36 . 2011-11-02 05:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-13 00:16 . 2011-10-13 00:16 56832 ----a-w- c:\windows\system32\OpenVideo.dll
2011-10-13 00:15 . 2011-10-13 00:15 13753856 ----a-w- c:\windows\system32\amdocl.dll
2011-10-13 00:14 . 2011-10-13 00:14 43520 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-12 20:53 . 2010-04-29 14:53 7206400 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-10-12 20:50 . 2010-04-29 14:53 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-10-12 20:28 . 2010-04-29 14:53 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-10-12 20:28 . 2010-04-29 14:53 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-10-12 20:25 . 2010-04-29 14:53 5828608 ----a-w- c:\windows\system32\aticaldd.dll
2011-10-12 20:15 . 2010-04-29 14:53 18874368 ----a-w- c:\windows\system32\atioglxx.dll
2011-10-12 20:04 . 2010-04-29 14:53 3953664 ----a-w- c:\windows\system32\ati3duag.dll
2011-10-12 20:01 . 2010-04-29 14:53 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-10-12 20:00 . 2010-04-29 14:53 304128 ----a-w- c:\windows\system32\ati2dvag.dll
2011-10-12 19:58 . 2011-01-27 06:35 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-10-12 19:44 . 2010-04-29 14:53 3278848 ----a-w- c:\windows\system32\ativvaxx.dll
2011-10-12 19:42 . 2010-04-29 14:53 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-10-12 19:42 . 2010-04-29 14:53 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-10-12 19:42 . 2010-04-29 14:53 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-10-12 19:42 . 2010-04-29 14:53 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-10-12 19:41 . 2010-04-29 14:53 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-10-12 19:40 . 2010-04-29 14:53 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-10-12 19:39 . 2010-04-29 14:53 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-10-12 19:37 . 2010-10-13 01:15 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-10-12 19:33 . 2010-04-29 14:53 503808 ----a-w- c:\windows\system32\atiok3x2.dll
2011-10-12 19:33 . 2010-04-29 14:53 806912 ----a-w- c:\windows\system32\atikvmag.dll
2011-10-12 19:29 . 2010-04-29 14:53 221184 ----a-w- c:\windows\system32\atiadlxx.dll
2011-10-12 19:28 . 2010-04-29 14:53 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-10-12 19:23 . 2010-10-13 01:15 65024 ----a-w- c:\windows\system32\atimpc32.dll
2011-10-12 19:23 . 2010-04-29 14:53 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2011-10-12 19:22 . 2010-04-29 14:53 884736 ----a-w- c:\windows\system32\ati2cqag.dll
2011-10-12 19:19 . 2010-04-29 14:53 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-10-10 14:22 . 2010-04-21 01:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-11 05:45 . 2011-05-18 22:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\documents and settings\White Cocoa\Desktop\BitTorrent.exe" [2011-04-01 400760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-23 202256]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-12 98304]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"Google Update"="c:\documents and settings\White Cocoa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"Steam"="c:\program files\Steam\steam.exe" -silent
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Documents and Settings\\White Cocoa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\White Cocoa\\Desktop\\BitTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\oblivion\\OblivionLauncher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58434:TCP"= 58434:TCP:Pando Media Booster
"58434:UDP"= 58434:UDP:Pando Media Booster
"57795:TCP"= 57795:TCP:Pando Media Booster
"57795:UDP"= 57795:UDP:Pando Media Booster
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/21/2010 3:27 PM 64288]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/15/2011 2:34 PM 366152]
R2 NICSer_WUSBF54G;NICSer_WUSBF54G;c:\program files\Linksys\WUSBF54G\NICServ.exe [4/21/2010 12:36 AM 529920]
R2 WeGameClientService;WeGame Client Service;c:\program files\WeGame\wgclientservice.exe [9/20/2011 10:48 PM 18472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/15/2011 2:34 PM 22216]
R3 ZD1211U(Linksys);Linksys Wireless-G USB Network Adapter Driver(Linksys);c:\windows\system32\drivers\ZD1211U.sys [4/21/2010 12:36 AM 278528]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/2/2010 6:57 PM 136176]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [11/1/2011 9:36 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/2/2010 6:57 PM 136176]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/6/2010 5:21 PM 594048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2010 6:53 PM 436792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 18:57]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 18:57]
.
2011-12-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-362288127-839522115-1003Core.job
- c:\documents and settings\White Cocoa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-19 18:57]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-362288127-839522115-1003UA.job
- c:\documents and settings\White Cocoa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-19 18:57]
.
2011-12-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1292428093-362288127-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1292428093-362288127-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-12-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
2011-12-11 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
2011-12-27 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-07-14 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\documents and settings\White Cocoa\Application Data\Mozilla\Firefox\Profiles\kbr1fw9i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rawstory.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z133&form=ZGAADF&install_date=20111127&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
------- File Associations -------
.
.scr=AutoCADScript
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Image Converter .EXE_is1 - c:\program files\Image Converter .EXE\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-27 12:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1292428093-362288127-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4e,a2,22,bf,d8,b7,78,c9,8b,81,0d,96,64,d9,4a,e3,2f,7a,e3,66,fe,00,4e,
f4,7a,cc,d3,86,2c,b2,52,4b,58,53,48,b7,9e,64,7f,ef,e4,d7,83,4f,12,5a,b0,95,\
"??"=hex:b5,51,b7,44,0f,48,fc,32,4e,b4,82,86,df,98,4b,0d
.
[HKEY_USERS\S-1-5-21-1292428093-362288127-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:e7,a6,e4,d2,a4,fc,a9,21,62,00,64,06,af,5a,f6,bf,32,c0,92,69,24,
16,fc,fd,f7,43,fd,bb,1e,25,57,26,a9,f0,d4,b2,da,02,76,af,65,2b,ca,5f,c9,b5,\
"rkeysecu"=hex:ce,04,1f,0a,48,80,2f,87,03,f9,08,77,0a,9e,29,25
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(216)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3280)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2011-12-27 12:29:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-27 20:29
.
Pre-Run: 18,817,753,088 bytes free
Post-Run: 19,751,673,856 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 831F98FDD8622DBFED88DFED5B655F91

#5 whitecocoa

whitecocoa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 27 December 2011 - 06:05 PM

got the audio working, rebooted the computer and everything checks out. as far as i can tell everything's fixed. thank you, gringo, and bleepingcomputers. you are true gentlemen, and noble scholars.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:45 AM

Posted 28 December 2011 - 01:39 AM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 whitecocoa

whitecocoa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 29 December 2011 - 04:10 AM

ComboFix 11-12-28.02 - White Cocoa 12/28/2011 2:59.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2384 [GMT -8:00]
Running from: c:\documents and settings\White Cocoa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\White Cocoa\Desktop\CFScript.txt.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-27 11:06 . 2011-12-27 11:06 -------- d-----w- C:\3f6ac9c4533be0b5e95315515cd6c838
2011-12-27 09:11 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-12-27 08:56 . 2011-12-27 08:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-22 22:38 . 2011-12-22 22:39 -------- d-----w- c:\program files\trend micro
2011-12-22 22:38 . 2011-12-22 22:39 -------- d-----w- C:\rsit
2011-12-17 18:29 . 2011-12-17 18:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-17 07:23 . 2011-12-17 07:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-15 22:34 . 2011-12-15 22:34 -------- d-----w- c:\documents and settings\White Cocoa\Application Data\Malwarebytes
2011-12-15 22:34 . 2011-12-15 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-15 22:34 . 2011-12-15 22:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 22:34 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-11 06:49 . 2011-12-11 09:18 -------- d-----w- c:\documents and settings\White Cocoa\Application Data\Media Player Classic
2011-12-04 03:38 . 2011-12-04 03:38 -------- d-----w- c:\program files\Realtek
2011-12-04 03:38 . 2011-09-01 03:12 1698408 ----a-w- c:\windows\RtlExUpd.dll
2011-12-04 03:38 . 2006-02-07 23:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-12-04 03:38 . 2006-02-07 23:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-12-04 03:38 . 2006-02-07 23:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-12-04 03:38 . 2006-02-07 23:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-12-04 03:38 . 2005-11-14 07:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2011-12-04 03:38 . 2011-12-04 03:38 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-12-04 03:38 . 2011-12-04 03:38 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-11-30 23:58 . 2011-11-30 23:58 -------- d-----w- c:\documents and settings\White Cocoa\Application Data\vmntemplate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 23:30 . 2011-05-13 18:17 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-02 05:36 . 2011-11-02 05:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-13 00:16 . 2011-10-13 00:16 56832 ----a-w- c:\windows\system32\OpenVideo.dll
2011-10-13 00:15 . 2011-10-13 00:15 13753856 ----a-w- c:\windows\system32\amdocl.dll
2011-10-13 00:14 . 2011-10-13 00:14 43520 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-12 20:53 . 2010-04-29 14:53 7206400 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-10-12 20:50 . 2010-04-29 14:53 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-10-12 20:28 . 2010-04-29 14:53 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-10-12 20:28 . 2010-04-29 14:53 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-10-12 20:25 . 2010-04-29 14:53 5828608 ----a-w- c:\windows\system32\aticaldd.dll
2011-10-12 20:15 . 2010-04-29 14:53 18874368 ----a-w- c:\windows\system32\atioglxx.dll
2011-10-12 20:04 . 2010-04-29 14:53 3953664 ----a-w- c:\windows\system32\ati3duag.dll
2011-10-12 20:01 . 2010-04-29 14:53 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-10-12 20:00 . 2010-04-29 14:53 304128 ----a-w- c:\windows\system32\ati2dvag.dll
2011-10-12 19:58 . 2011-01-27 06:35 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-10-12 19:44 . 2010-04-29 14:53 3278848 ----a-w- c:\windows\system32\ativvaxx.dll
2011-10-12 19:42 . 2010-04-29 14:53 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-10-12 19:42 . 2010-04-29 14:53 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-10-12 19:42 . 2010-04-29 14:53 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-10-12 19:42 . 2010-04-29 14:53 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-10-12 19:41 . 2010-04-29 14:53 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-10-12 19:40 . 2010-04-29 14:53 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-10-12 19:39 . 2010-04-29 14:53 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-10-12 19:37 . 2010-10-13 01:15 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-10-12 19:33 . 2010-04-29 14:53 503808 ----a-w- c:\windows\system32\atiok3x2.dll
2011-10-12 19:33 . 2010-04-29 14:53 806912 ----a-w- c:\windows\system32\atikvmag.dll
2011-10-12 19:29 . 2010-04-29 14:53 221184 ----a-w- c:\windows\system32\atiadlxx.dll
2011-10-12 19:28 . 2010-04-29 14:53 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-10-12 19:23 . 2010-10-13 01:15 65024 ----a-w- c:\windows\system32\atimpc32.dll
2011-10-12 19:23 . 2010-04-29 14:53 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2011-10-12 19:22 . 2010-04-29 14:53 884736 ----a-w- c:\windows\system32\ati2cqag.dll
2011-10-12 19:19 . 2010-04-29 14:53 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-10-10 14:22 . 2010-04-21 01:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-11-11 05:45 . 2011-05-18 22:16 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-27_20.16.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-27 22:25 . 2011-12-27 22:25 16384 c:\windows\Temp\Perflib_Perfdata_790.dat
+ 2004-08-04 12:00 . 2011-11-04 19:20 66560 c:\windows\system32\mshtmled.dll
- 2004-08-04 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\mshtmled.dll
+ 2009-03-08 12:31 . 2011-11-04 19:20 55296 c:\windows\system32\msfeedsbs.dll
- 2009-03-08 12:31 . 2011-08-22 23:48 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-04 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2011-11-04 19:20 25600 c:\windows\system32\jsproxy.dll
- 2010-11-26 08:22 . 2011-08-22 23:48 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2010-11-26 08:22 . 2011-11-04 19:20 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-03-08 12:31 . 2011-08-22 23:48 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 12:31 . 2011-11-04 19:20 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2010-11-26 08:22 . 2011-08-22 23:48 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2010-11-26 08:22 . 2011-11-04 19:20 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-03-08 12:34 . 2011-08-22 23:48 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2009-03-08 12:34 . 2011-11-04 19:20 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2009-03-08 12:33 . 2011-08-22 23:48 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-03-08 12:33 . 2011-11-04 19:20 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2010-06-08 17:24 . 2011-12-27 11:06 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-12-27 22:05 . 2011-08-22 23:48 12800 c:\windows\ie8updates\KB2618444-IE8\xpshims.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 66560 c:\windows\ie8updates\KB2618444-IE8\mshtmled.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 55296 c:\windows\ie8updates\KB2618444-IE8\msfeedsbs.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 43520 c:\windows\ie8updates\KB2618444-IE8\licmgr10.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 25600 c:\windows\ie8updates\KB2618444-IE8\jsproxy.dll
- 2004-08-04 12:00 . 2011-08-22 23:48 105984 c:\windows\system32\url.dll
+ 2004-08-04 12:00 . 2011-11-04 19:20 105984 c:\windows\system32\url.dll
- 2004-08-04 12:00 . 2011-08-22 23:48 206848 c:\windows\system32\occache.dll
+ 2004-08-04 12:00 . 2011-11-04 19:20 206848 c:\windows\system32\occache.dll
+ 2004-08-04 12:00 . 2011-11-04 19:20 611840 c:\windows\system32\mstime.dll
- 2004-08-04 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\mstime.dll
+ 2009-03-08 12:32 . 2011-11-04 19:20 602112 c:\windows\system32\msfeeds.dll
- 2009-03-08 12:32 . 2011-08-22 23:48 602112 c:\windows\system32\msfeeds.dll
- 2004-08-04 12:00 . 2011-08-22 23:48 184320 c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00 . 2011-11-04 19:20 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2011-11-04 19:20 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-04 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe
+ 2004-08-04 12:00 . 2011-11-04 11:24 174080 c:\windows\system32\ie4uinit.exe
- 2001-01-01 07:25 . 2011-10-12 17:29 343424 c:\windows\system32\FNTCACHE.DAT
+ 2001-01-01 07:25 . 2011-12-27 22:24 343424 c:\windows\system32\FNTCACHE.DAT
+ 2010-02-26 05:43 . 2011-11-04 19:20 916992 c:\windows\system32\dllcache\wininet.dll
- 2009-03-08 12:34 . 2011-08-22 23:48 105984 c:\windows\system32\dllcache\url.dll
+ 2009-03-08 12:34 . 2011-11-04 19:20 105984 c:\windows\system32\dllcache\url.dll
- 2009-03-08 12:34 . 2011-08-22 23:48 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-03-08 12:34 . 2011-11-04 19:20 206848 c:\windows\system32\dllcache\occache.dll
- 2009-03-08 12:32 . 2011-08-22 23:48 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-03-08 12:32 . 2011-11-04 19:20 611840 c:\windows\system32\dllcache\mstime.dll
- 2010-11-26 08:22 . 2011-08-22 23:48 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2010-11-26 08:22 . 2011-11-04 19:20 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2010-11-26 08:22 . 2011-11-04 19:20 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2010-11-26 08:22 . 2011-08-22 23:48 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2010-02-26 05:43 . 2011-08-22 23:48 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-02-26 05:43 . 2011-11-04 19:20 184320 c:\windows\system32\dllcache\iepeers.dll
- 2010-11-26 08:22 . 2011-08-22 23:48 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2010-11-26 08:22 . 2011-11-04 19:20 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2009-03-08 22:09 . 2011-08-22 23:48 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-03-08 22:09 . 2011-11-04 19:20 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-03-08 12:32 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-03-08 12:32 . 2011-11-04 11:24 174080 c:\windows\system32\dllcache\ie4uinit.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2011-12-27 22:05 . 2011-08-22 23:48 916480 c:\windows\ie8updates\KB2618444-IE8\wininet.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 105984 c:\windows\ie8updates\KB2618444-IE8\url.dll
+ 2011-12-27 22:05 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2618444-IE8\spuninst\updspapi.dll
+ 2011-12-27 22:05 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2618444-IE8\spuninst\spuninst.exe
+ 2011-12-27 22:05 . 2011-08-22 23:48 206848 c:\windows\ie8updates\KB2618444-IE8\occache.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 611840 c:\windows\ie8updates\KB2618444-IE8\mstime.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 602112 c:\windows\ie8updates\KB2618444-IE8\msfeeds.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 247808 c:\windows\ie8updates\KB2618444-IE8\ieproxy.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 184320 c:\windows\ie8updates\KB2618444-IE8\iepeers.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 743424 c:\windows\ie8updates\KB2618444-IE8\iedvtool.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 387584 c:\windows\ie8updates\KB2618444-IE8\iedkcs32.dll
+ 2011-12-27 22:05 . 2011-08-22 11:56 174080 c:\windows\ie8updates\KB2618444-IE8\ie4uinit.exe
+ 2004-08-04 12:00 . 2011-11-04 19:20 1212416 c:\windows\system32\urlmon.dll
- 2004-08-04 12:00 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2011-11-04 19:20 5978112 c:\windows\system32\mshtml.dll
- 2009-03-08 12:32 . 2011-08-22 23:48 2000384 c:\windows\system32\iertutil.dll
+ 2009-03-08 12:32 . 2011-11-04 19:20 2000384 c:\windows\system32\iertutil.dll
+ 2009-08-14 13:21 . 2011-11-23 13:25 1859584 c:\windows\system32\dllcache\win32k.sys
+ 2010-02-26 05:43 . 2011-11-04 19:20 1212416 c:\windows\system32\dllcache\urlmon.dll
- 2010-02-26 05:43 . 2011-08-22 23:48 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2010-07-16 12:05 . 2011-11-01 16:07 1288704 c:\windows\system32\dllcache\ole32.dll
+ 2010-02-26 05:43 . 2011-11-04 19:20 5978112 c:\windows\system32\dllcache\mshtml.dll
- 2010-11-26 08:22 . 2011-08-22 23:48 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2010-11-26 08:22 . 2011-11-04 19:20 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2011-11-01 21:34 . 2011-11-01 21:34 4250112 c:\windows\Installer\6221ac.msp
+ 2011-11-01 21:34 . 2011-11-01 21:34 2247168 c:\windows\Installer\622193.msp
+ 2011-11-12 00:14 . 2011-11-12 00:14 9096192 c:\windows\Installer\62217d.msp
+ 2011-11-01 21:34 . 2011-11-01 21:34 4225536 c:\windows\Installer\622167.msp
+ 2011-11-01 21:34 . 2011-11-01 21:34 2531840 c:\windows\Installer\622151.msp
+ 2011-11-12 00:15 . 2011-11-12 00:15 1795584 c:\windows\Installer\62213b.msp
- 2010-06-08 17:24 . 2011-12-27 11:06 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-06-08 17:24 . 2011-12-27 22:07 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2010-06-08 17:24 . 2011-12-27 11:06 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2011-12-27 22:05 . 2011-08-22 23:48 1212416 c:\windows\ie8updates\KB2618444-IE8\urlmon.dll
+ 2011-12-27 22:05 . 2011-10-03 08:35 5971456 c:\windows\ie8updates\KB2618444-IE8\mshtml.dll
+ 2011-12-27 22:05 . 2011-08-22 23:48 2000384 c:\windows\ie8updates\KB2618444-IE8\iertutil.dll
- 2009-03-08 12:39 . 2011-08-24 00:48 11081728 c:\windows\system32\ieframe.dll
+ 2009-03-08 12:39 . 2011-11-04 19:20 11081728 c:\windows\system32\ieframe.dll
- 2010-11-26 08:22 . 2011-08-24 00:48 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2010-11-26 08:22 . 2011-11-04 19:20 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2011-12-27 22:05 . 2011-08-24 00:48 11081728 c:\windows\ie8updates\KB2618444-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="c:\documents and settings\White Cocoa\Desktop\BitTorrent.exe" [2011-04-01 400760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-23 202256]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-12 98304]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"Google Update"="c:\documents and settings\White Cocoa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"Steam"="c:\program files\Steam\steam.exe" -silent
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Documents and Settings\\White Cocoa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\White Cocoa\\Desktop\\BitTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\oblivion\\OblivionLauncher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58434:TCP"= 58434:TCP:Pando Media Booster
"58434:UDP"= 58434:UDP:Pando Media Booster
"57795:TCP"= 57795:TCP:Pando Media Booster
"57795:UDP"= 57795:UDP:Pando Media Booster
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/21/2010 3:27 PM 64288]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/15/2011 2:34 PM 366152]
R2 NICSer_WUSBF54G;NICSer_WUSBF54G;c:\program files\Linksys\WUSBF54G\NICServ.exe [4/21/2010 12:36 AM 529920]
R2 WeGameClientService;WeGame Client Service;c:\program files\WeGame\wgclientservice.exe [9/20/2011 10:48 PM 18472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/15/2011 2:34 PM 22216]
R3 ZD1211U(Linksys);Linksys Wireless-G USB Network Adapter Driver(Linksys);c:\windows\system32\drivers\ZD1211U.sys [4/21/2010 12:36 AM 278528]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/2/2010 6:57 PM 136176]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [11/1/2011 9:36 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/2/2010 6:57 PM 136176]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/6/2010 5:21 PM 594048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2010 6:53 PM 436792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 18:57]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-03 18:57]
.
2011-12-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-362288127-839522115-1003Core.job
- c:\documents and settings\White Cocoa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-19 18:57]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-362288127-839522115-1003UA.job
- c:\documents and settings\White Cocoa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-19 18:57]
.
2011-12-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1292428093-362288127-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1292428093-362288127-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-12-28 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
2011-12-11 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
2011-12-28 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-07-14 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\documents and settings\White Cocoa\Application Data\Mozilla\Firefox\Profiles\kbr1fw9i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rawstory.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z133&form=ZGAADF&install_date=20111127&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-28 03:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1292428093-362288127-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4e,a2,22,bf,d8,b7,78,c9,8b,81,0d,96,64,d9,4a,e3,2f,7a,e3,66,fe,00,4e,
f4,7a,cc,d3,86,2c,b2,52,4b,58,53,48,b7,9e,64,7f,ef,e4,d7,83,4f,12,5a,b0,95,\
"??"=hex:b5,51,b7,44,0f,48,fc,32,4e,b4,82,86,df,98,4b,0d
.
[HKEY_USERS\S-1-5-21-1292428093-362288127-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:e7,a6,e4,d2,a4,fc,a9,21,62,00,64,06,af,5a,f6,bf,32,c0,92,69,24,
16,fc,fd,f7,43,fd,bb,1e,25,57,26,a9,f0,d4,b2,da,02,76,af,65,2b,ca,5f,c9,b5,\
"rkeysecu"=hex:ce,04,1f,0a,48,80,2f,87,03,f9,08,77,0a,9e,29,25
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2864)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-28 03:13:56
ComboFix-quarantined-files.txt 2011-12-28 11:13
ComboFix2.txt 2011-12-27 20:29
.
Pre-Run: 19,456,815,104 bytes free
Post-Run: 19,437,322,240 bytes free
.
- - End Of File - - 5414653704AD12AD6A77B3A3FE25B8C6

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:45 AM

Posted 29 December 2011 - 07:33 AM

Hello

I would ike to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 whitecocoa

whitecocoa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 29 December 2011 - 06:47 PM

hmm suddenly im having audio issues again. the sound is clipped and somewhat garbled. ITunes straight up doesn't play songs at all.

is this what you wanted?


2007 Microsoft Office Suite Service Pack 2 (SP2)
32 Bit HP CIO Components Installer
7-Zip 9.20
AC3Filter (remove only)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.4.3
AMD APP SDK Runtime
AMD Catalyst Install Manager
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI AVIVO Codecs
Belarc Advisor 8.2
Belkin F7D1101 Basic Wireless USB Adapter
BitTorrent
Bonjour
Canon i250
Canon PIXMA iP1500
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-utility
CCC Help English
CCleaner
Cisco Connect
CopyTrans Suite Remove Only
DivX Setup
DriverAgent by eSupport.com
DVD Decoder Pak for Windows XP
Google Earth
Google Talk Plugin
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB954550-v5)
HP Photosmart C4600 All-In-One Driver 14.0 Rel. 5
HP USB Disk Storage Format Tool
Intel® PRO Network Connections Drivers
InterActual Player
iTunes
Java Auto Updater
Java™ 6 Update 24
Linksys Wireless Network Monitor
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 8.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NVIDIA PhysX
OGA Notifier 2.0.0048.0
OpenAL
Pando Media Booster
Pandora
PowerISO
PS_AIO_05_C4600_Software_Min
PunkBuster Services
QuickSFV (Remove only)
QuickTime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.0
Red Faction Guerrilla
RegCure
Safari
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923789)
Solid YouTube Downloader and Converter FileBulldog Toolbar
Source SDK Base 2006
Steam
System Requirements Lab CYRI
The Elder Scrolls IV: Oblivion
Toolbox
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
VC80CRTRedist - 8.0.50727.6195
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VoiceOver Kit
WebFldrs XP
WeGame Client 2.4.3.0
Windows Essentials Media Codec Pack 3.6 [32-Bit]
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.2 final uninstall
Zune Desktop Theme

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:45 AM

Posted 29 December 2011 - 09:00 PM

Hello

I want you to reset the DMA you can do this by this script here - Reset DMA

If you have problems when you click on the link try to right click on the link and select "Save Target As" and then save to your desktop.
Once it is on your desktop right click on the file and select "Run"

If you still can't run it then you can go here "Reset DMA" to see what I want to do





:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.4.3
Java™ 6 Update 24


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 whitecocoa

whitecocoa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 30 December 2011 - 12:03 AM

okay what do you mean "run this script"? I opened the link and it took me to a page of text. i tried saving it to the desktop and running it, but its simply a text document, can you please clarify?

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:45 AM

Posted 30 December 2011 - 12:25 AM

Hello

in the instructions it gives you other options if you have problems doing it the first way

there are two other ways to do it


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 whitecocoa

whitecocoa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 30 December 2011 - 03:43 PM

MBAM Log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8377

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/15/2011 7:18:16 PM
mbam-log-2011-12-15 (19-18-16).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 220819
Time elapsed: 1 hour(s), 0 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\white cocoa\local settings\application data\wjl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\Phoenix\Phx_data\Res\GCFMgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\Phoenix\Phx_data\Res\EmuCfg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\Phoenix\Phx_data\Res\ss.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\Steam\steamapps\common\mafia\mafia-trn.exe (PUP.HackTool.HotKeysHook) -> Not selected for removal.
c:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.




HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:41:50 PM, on 12/30/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\WUSBF54G\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WeGame\WGClientService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Documents and Settings\White Cocoa\Desktop\BitTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NICSer_WUSBF54G - Unknown owner - C:\Program Files\Linksys\WUSBF54G\NICServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: WeGame Client Service (WeGameClientService) - WeGame.com, Inc. - C:\Program Files\WeGame\WGClientService.exe

--
End of file - 8112 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:45 AM

Posted 30 December 2011 - 05:43 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [BitTorrent] "C:\Documents and Settings\White Cocoa\Desktop\BitTorrent.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 whitecocoa

whitecocoa
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 31 December 2011 - 07:52 PM

C:\Program Files\Steam\steamapps\common\mafia\mafia-trn.exe probably a variant of Win32/Spy.Agent.JHEXNGB trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir Win32/Sirefef.DA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir_ Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP621\A0093254.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP639\A0099396.DLL Win32/HackTool.HotKeysHook application
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP640\A0100403.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP641\A0101403.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP643\A0101479.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP643\A0101485.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP643\A0101494.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP643\A0102494.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP643\A0102508.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP644\A0103508.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP644\A0104508.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP644\A0104540.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP644\A0106540.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP644\A0107540.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP645\A0107550.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP645\A0107563.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP645\A0107576.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP645\A0107584.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP645\A0107601.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP645\A0107614.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP646\A0107629.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP648\A0107648.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP648\A0107661.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP648\A0107673.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP649\A0107917.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{752BC538-473C-4CA6-88F1-3D7DE7E1BF54}\RP651\A0108917.sys Win32/Sirefef.DA trojan




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users