Malwarebytes

Trojan.Agent, MB detects it in userinit.exe (HJT Inc.)

51 replies to this topic

#1
Guest_MBfan_*

  • Guests
Here is my HJT. Any help getting rid of Trojan.Agent in userinit.exe would be great; it is there every scan. I am pretty sure this is a critical OS file though?


Quote

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:38 AM, on 2/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Icon Remover\IconRemover.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Icon Remover] C:\Program Files\Icon Remover\IconRemover.exe /hideapp
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229187606882
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229187588901
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame....ch_USAv1002.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 6624 bytes


Thanks!

#2
kahdah

    Forum Deity

  • Experts
  • 4,051 posts
  • Gender:Male
  • Location:Florida
Hello MBfan

Welcome to MalwareBytes. :D
=====================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3
Guest_MBfan_*

  • Guests
Thanks for your help!

GMER didn't say anything about rootkits, so I just closed it. Attached are the Attach.txt and DDS.txt

Thanks again!


#4
kahdah

    Forum Deity

  • Experts
  • 4,051 posts
  • Gender:Male
  • Location:Florida
A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of ntdll64.dll.
  • Select every instance of ntdll64.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
=====================
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
    c:\windows\system32\win32hlp.cnf
    c:\windows\system32\test.ttt
    c:\windows\system32\998.exe
    c:\windows\dmtoqpjt
    
    :reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):"msv1_0"
    
    :commands
    [emptytemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=========================
Please post these logs in your next reply:

  • OTMoveIt log
  • Malwarebytes log
  • New DDS log

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
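The diagnosis above rests on reading the HijackThis log from the first post: the O10 line names a Winsock LSP provider that lives in a user temp directory and is now missing, and several O2/O3/O18 entries point at files that no longer exist. The script below is an added example written for this thread; it is not part of HijackThis, OTMoveIt or Malwarebytes, and the flag names and the section set it handles (O2, O3, O10, O18, O23) are my own choices. It parses lines in the format shown in the log, pulls out the module path, and flags the entries a helper would look at first: dead registrations ("(file missing)" / "(no file)"), LSP hooks, and any module loaded from a temp folder. The sample lines are constructed from the log posted above.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Flags raised, all defender-side triage hints, not verdicts:
  * dead-registration : the entry references a file that is no longer present
                        (typical leftover of an uninstall or a removal run);
  * lsp-hook          : an O10 Winsock LSP entry, which sits in the path of every
                        socket call and breaks networking when its DLL vanishes;
  * temp-dir-module   : the module path points into a user temp folder, where
                        legitimately installed providers and BHOs do not live.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines lifted from the HJT log posted earlier in this thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O10 - Broken Internet access because of LSP provider 'c:\\docume~1\\admini~1\\locals~1\\temp\\ntdll64.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\\Program Files\\AVG\\AVG8\\avgpp.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# "O<n> - <rest>" is the common shape of every HJT entry line.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A Windows path: drive letter, backslash, then the shortest run up to a module
# extension. Quotes are excluded so the O10 line's quoted path is captured cleanly.
PATH_RE = re.compile(r"([A-Za-z]:\\[^'\"\n]*?\.(?:dll|exe|sys|ocx|cnf))", re.IGNORECASE)
# Substrings (lower-cased) that mark a user temp location, incl. 8.3 short names.
TEMP_HINTS = ("\\temp\\", "\\locals~1\\", "\\local settings\\temp")


@dataclass
class Entry:
    section: str               # e.g. "O2", "O10"
    text: str                  # everything after "O<n> - "
    path: Optional[str]        # module path if one was found
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not HJT entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    pm = PATH_RE.search(rest)
    entry = Entry(section, rest, pm.group(1) if pm else None)
    low = rest.lower()
    if "(file missing)" in low or "(no file)" in low:
        entry.flags.append("dead-registration")
    if section == "O10":
        entry.flags.append("lsp-hook")
    if entry.path and any(h in entry.path.lower() for h in TEMP_HINTS):
        entry.flags.append("temp-dir-module")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that raised at least one flag, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry.flags:
            flagged.append(entry)
    return flagged


def format_report(entries: List[Entry]) -> List[str]:
    """One human-readable line per flagged entry."""
    return [f"{e.section}: {', '.join(e.flags)} -> {e.path or e.text}" for e in entries]


if __name__ == "__main__":
    for line in format_report(triage(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the only entry carrying both the LSP and temp-folder flags is the ntdll64.dll provider, which is exactly the item LSPFix is asked to remove above; the remaining flags are dead BHO/toolbar/protocol registrations left behind by AVG's removal, which are cleanup rather than infection indicators.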

#5
Guest_MBfan_*

  • Guests
MoveItLog

I did reboot; for some reason it still says it will delete on reboot. This is the only log in the folder.

Quote

========== FILES ==========
File/Folder c:\docume~1\admini~1\locals~1\temp\ntdll64.dll not found.
c:\windows\system32\win32hlp.cnf moved successfully.
c:\windows\system32\test.ttt moved successfully.
c:\windows\system32\998.exe moved successfully.
c:\windows\dmtoqpjt moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Authentication Packages"|hex(7):"msv1_0" /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_0Gl4gzdMFMr9cDmElGJk scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF337.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF364.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFDCD.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFE18.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02042009_135241

Files moved on Reboot...
File C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_0Gl4gzdMFMr9cDmElGJk not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF337.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF364.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFDCD.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFE18.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\XUL.mfl moved successfully.

DDS.txt

Quote

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 13:58:28.35 on Wed 02/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2788 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Icon Remover\IconRemover.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Icon Remover] c:\program files\icon remover\IconRemover.exe /hideapp
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229187606882
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229187588901
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3ldgoiop.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPHoldemFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-2 64160]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2008-12-17 33824]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-17 38496]
S3 LoveDRIVER53;LoveDRIVER53;c:\documents and settings\owner\desktop\love_engine_0.2\love engine 0.2\loveliss.sys [2009-1-5 31488]
S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-1-2 182200]

=============== Created Last 30 ================

2009-02-04 13:54 491 a------- c:\windows\system32\win32hlp.cnf
2009-02-04 13:52 <DIR> --d----- C:\_OTMoveIt
2009-02-04 11:54 250 a------- c:\windows\gmer.ini
2009-02-03 23:43 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-03 10:54 <DIR> --d----- c:\docume~1\owner\applic~1\AVGTOOLBAR
2009-02-03 10:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-02 15:09 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-02 15:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-02 15:08 <DIR> --d----- c:\program files\Lavasoft
2009-02-02 14:48 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-02-02 14:48 88 ---shr-- c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys
2009-02-02 14:41 <DIR> --d----- c:\program files\common files\Protexis
2009-02-02 14:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-02-02 14:38 <DIR> --d----- c:\program files\common files\Corel
2009-02-02 14:36 <DIR> --d----- c:\program files\Corel
2009-02-02 14:26 <DIR> --d----- c:\program files\Trend Micro
2009-02-02 07:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-02 07:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-01 12:36 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-02-01 12:34 <DIR> --d----- c:\program files\Rosetta Stone
2009-02-01 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-02-01 12:32 <DIR> --d----- c:\program files\VirusTotalUploader
2009-01-31 12:45 <DIR> --d----- c:\docume~1\owner\applic~1\Purple Ghost Software, Inc
2009-01-31 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Purple Ghost Software, Inc
2009-01-31 12:44 <DIR> --d----- c:\program files\Purple Ghost
2009-01-31 12:16 2,006 a------- c:\windows\system32\tmp.reg
2009-01-31 12:07 125,440 ac------ c:\windows\system32\dllcache\userinit.exe
2009-01-30 17:06 553 a------- c:\windows\USetup.iss
2009-01-30 17:05 34,816 a------- c:\windows\system32\RtkCoInstXP.dll
2009-01-30 17:05 1,389,056 a------- c:\windows\system32\drivers\Monfilt.sys
2009-01-30 17:05 1,684,736 a------- c:\windows\system32\drivers\Ambfilt.sys
2009-01-30 17:05 <DIR> --d----- c:\program files\Realtek
2009-01-30 17:05 528,384 a------- c:\windows\RtlExUpd.dll
2009-01-29 14:20 <DIR> --d----- c:\docume~1\owner\applic~1\Teeworlds
2009-01-28 07:54 <DIR> --d----- c:\docume~1\owner\applic~1\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1
2009-01-28 07:50 <DIR> --d----- c:\program files\Rogue
2009-01-23 15:47 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-01-23 15:47 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-01-23 15:47 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-01-23 15:47 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-23 15:47 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-23 15:47 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2009-01-23 15:47 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-01-18 13:50 <DIR> --d----- c:\program files\Visual Assist X
2009-01-18 13:41 <DIR> --d----- c:\program files\Greatis
2009-01-15 14:53 82,432 ----h--t c:\windows\system32\5e7504.dll
2009-01-15 14:53 82,432 ----h--t c:\windows\system32\57175b0.dll
2009-01-15 14:45 0 a------- c:\windows\system32\drivers\EagleNt.sys
2009-01-15 14:45 82,432 ----h--t c:\windows\system32\1a9f280.dll
2009-01-15 14:45 82,432 ----h--t c:\windows\system32\10f3aa2c.dll
2009-01-15 14:43 82,432 ----h--t c:\windows\system32\34386752.dll
2009-01-15 14:43 82,432 ----h--t c:\windows\system32\1abd7a4a.dll
2009-01-15 13:18 3 a------- c:\windows\sbacknt.bin
2009-01-15 13:16 152,904 a------- c:\windows\system32\vghd.scr
2009-01-15 13:16 <DIR> --d----- c:\docume~1\owner\applic~1\vghd
2009-01-13 08:37 361,600 -c------ c:\windows\system32\dllcache\tcpip.sys
2009-01-13 08:37 245,248 -c------ c:\windows\system32\dllcache\mswsock.dll
2009-01-13 08:37 225,856 -c------ c:\windows\system32\dllcache\tcpip6.sys
2009-01-13 08:37 147,968 -c------ c:\windows\system32\dllcache\dnsapi.dll
2009-01-08 02:53 1,733 a------- c:\windows\TSearch.INI
2009-01-06 16:56 <DIR> --d----- c:\docume~1\owner\applic~1\MozillaControl
2009-01-06 16:56 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-01-06 16:51 54,784 a------- c:\windows\system32\ieframe.oca
2009-01-06 16:49 29,184 a------- c:\windows\system32\msinet.oca
2009-01-06 16:47 115,920 a------- c:\windows\system32\msinet.ocx

==================== Find3M ====================

2009-01-31 12:07 125,440 a------- c:\windows\system32\userinit.exe
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 22:19 122,771 a------- c:\windows\hpoins14.dat
2009-01-02 18:55 182,200 a------- c:\windows\system32\drivers\UsbSnoop.sys
2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-25 18:30 182 a------- c:\docume~1\owner\applic~1\SnapiiHistory.dat
2008-12-17 16:42 33,824 a------- c:\windows\system32\drivers\oreans32.sys
2008-12-13 13:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 10:40 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-20 15:45 42,320 a------- c:\windows\system32\xfcodec.dll
2008-11-07 16:38 84,496 a------- c:\windows\system32\KemXML.dll
2008-11-07 16:38 117,264 a------- c:\windows\system32\KemWnd.dll
2008-11-07 16:38 145,936 a------- c:\windows\system32\KemUtil.dll
2008-11-07 16:38 170,512 a------- c:\windows\system32\kemutb.dll
2008-11-07 16:37 301,656 a------- c:\windows\system32\BtCoreIf.dll

============= FINISH: 13:58:50.32 ===============

Attach.txt

Quote

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/13/2008 11:41:13 AM
System Uptime: 2/4/2009 1:54:06 PM (0 hours ago)

Motherboard: MICRO-STAR INTERANTIONAL CO.,LTD | | MS-7367
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4800+ | CPU 1 | 2494/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 186 GiB total, 122.525 GiB free.
D: is CDROM (CDFS)
E: is FIXED (FAT32) - 75 GiB total, 21.846 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP82: 2/4/2009 7:25:43 AM - viri_clean
RP83: 2/4/2009 7:27:06 AM - Installed AVG Free 8.0

==== Installed Programs ======================

.sol Editor 1.1.0.1
010 Editor 3.0.3
32 Bit HP CIO Components Installer
Ad-Aware
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8
Adobe Stock Photos 1.0
AIO_Scan
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AutoUpdate
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
CDDRV_Installer
Cheat Engine 5.4
Combat Arms
Condition Zero
CorelDRAW Graphics Suite X4
CorelDRAW Graphics Suite X4 - Capture
CorelDRAW Graphics Suite X4 - Content
CorelDRAW Graphics Suite X4 - Draw
CorelDRAW Graphics Suite X4 - Filters
CorelDRAW Graphics Suite X4 - FontNav
CorelDRAW Graphics SUite X4 - ICA
CorelDRAW Graphics Suite X4 - IPM
CorelDRAW Graphics Suite X4 - Lang EN
CorelDRAW Graphics Suite X4 - PP
CorelDRAW Graphics Suite X4 - VBA
CorelDRAW® Graphics Suite X4
CorelDRAW® Graphics Suite X4 - Windows Shell Extension
Counter-Strike
Counter-Strike: Source
DAEMON Tools
Day of Defeat: Source
Delta Force: Xtreme
DHPinger
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DJ_AIO_Software_min
F.E.A.R. 2: Project Origin Single-player Demo
FileZilla Client 3.1.6
FileZilla Server (remove only)
Flash Decompiler Trillix
Game Extractor 2.0
GamesBar 2.0.1.12
Greatis WinDowse
Half-Life
Half-Life 2: Deathmatch
Hex-Rays Decompiler v1.0
Hex Workshop v5.1
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet All-In-One Software 9.0
Icon Remover 1.4
IDA Pro Advanced v5.2 with WinCE v5.0 debugger
iGadget 4.7.3
iPhoneBrowser
IrfanView (remove only)
iTunes
Java™ SE Runtime Environment 6
K-Lite Codec Pack 4.3.1 (Standard)
KhalInstallWrapper
Left 4 Dead
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft FrontPage Client - English
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Professional 2003 - English
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.5)
MPlugin
MSXML 4.0 SP2 (KB954430)
Oni
OpenOffice.org 2.1
OPERATION7
Orbit Downloader
PE Explorer 1.99 R5
Photo Viewer
Portal
Quantum of Solace™
Quantum of Solace™ 1.1 Patch
QuickTime
Realtek High Definition Audio Driver
RocketDock 1.3.5
Rogue
Rosetta Stone V3
Royale Remixed Theme
Scan
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Skins
Software Update for Web Folders
Sothink SWF Decompiler
Souptoys
Source SDK Base
Spybot - Search & Destroy
SQL Server System CLR Types
Steam
TeamSpeak 2 RC2
TeamSpeak 2 Server RC2
TeamViewer 4
Toolbox
TouchCopy
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VirusTotal Uploader
Visual Assist X
Visual Basic for Applications ® Core
Visual Basic for Applications ® Core - English
Visual Studio .NET Professional 2003 - English
Visual Studio.NET Baseline - English
VLC media player 0.9.8a
WebFldrs XP
Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows XP Service Pack 3
WinRAR archiver
Xfire (remove only)
Xiph QuickTime Components
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

1/31/2009 11:51:58 AM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
1/30/2009 4:44:20 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/28/2009 2:47:56 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:13:E8:12:6D:5D. Network operations on this system may be disrupted as a result.
2/3/2009 10:50:29 AM, error: Service Control Manager [7000] - The AVG Free8 Network Redirector service failed to start due to the following error: The system cannot find the device specified.
2/3/2009 10:50:39 AM, error: PlugPlayManager [11] - The device Root\LEGACY_AVGLDX86\0000 disappeared from the system without first being prepared for removal.
2/3/2009 10:59:54 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/3/2009 10:59:54 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/3/2009 10:59:54 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/3/2009 10:59:54 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/3/2009 10:59:54 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/3/2009 10:59:54 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/3/2009 10:59:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec MRxSmb NetBIOS NetBT oreans32 RasAcd Rdbss Tcpip WS2IFSL
2/3/2009 11:00:09 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/3/2009 2:52:12 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer OWNER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{2C08A0FF-1C76-4542-. The master browser is stopping or an election is being forced.

==== End Of File ===========================

MB Log.txt

Quote

Malwarebytes' Anti-Malware 1.33
Database version: 1725
Windows 5.1.2600 Service Pack 3

2/4/2009 2:00:03 PM
mbam-log-2009-02-04 (14-00-03).txt

Scan type: Quick Scan
Objects scanned: 54434
Time elapsed: 2 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks!

-MBFan!

#6
kahdah

    Forum Deity

  • Experts
  • 4,051 posts
  • Gender:Male
  • Location:Florida
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#7
Guest_MBfan_*

  • Guests
Awesome! I think it took care of the userinit infection, and even replaced it with a clean version. Here is the log.

Quote

ComboFix 09-02-04.04 - Owner 2009-02-05 10:36:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2854 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\tmp.reg
c:\windows\system32\win32hlp.cnf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 13:52 . 2009-02-04 13:52 <DIR> d-------- C:\_OTMoveIt
2009-02-04 11:54 . 2009-02-04 11:54 250 --a------ c:\windows\gmer.ini
2009-02-03 23:43 . 2009-02-03 23:20 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-03 10:59 . 2009-02-03 10:59 <DIR> d-------- c:\documents and settings\Administrator
2009-02-03 10:54 . 2009-02-03 10:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-02-03 10:50 . 2009-02-04 07:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-02 15:09 . 2009-01-18 16:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-02 15:08 . 2009-02-02 15:08 <DIR> d-------- c:\program files\Lavasoft
2009-02-02 15:08 . 2009-02-02 15:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-02 15:08 . 2009-02-02 15:08 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-02 14:48 . 2009-02-02 14:48 <DIR> d-------- c:\documents and settings\Owner\Application Data\Corel
2009-02-02 14:48 . 2009-02-02 14:48 2,516 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-02 14:48 . 2009-02-02 14:48 88 -r-hs---- c:\documents and settings\All Users\Application Data\A81B14F4A2.sys
2009-02-02 14:41 . 2009-02-02 14:41 <DIR> d-------- c:\program files\Common Files\Protexis
2009-02-02 14:41 . 2009-02-02 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Corel
2009-02-02 14:38 . 2009-02-02 14:38 <DIR> d-------- c:\program files\Common Files\Corel
2009-02-02 14:36 . 2009-02-02 14:36 <DIR> d-------- c:\program files\Corel
2009-02-02 14:26 . 2009-02-02 14:26 <DIR> d-------- c:\program files\Trend Micro
2009-02-02 07:57 . 2009-02-02 07:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-02 07:57 . 2009-02-03 11:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-01 12:37 . 2009-02-01 12:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-01 12:36 . 2009-02-01 12:36 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-02-01 12:34 . 2009-02-01 12:34 <DIR> d-------- c:\program files\Rosetta Stone
2009-02-01 12:34 . 2009-02-01 13:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-02-01 12:32 . 2009-02-01 12:32 <DIR> d-------- c:\program files\VirusTotalUploader
2009-01-31 12:45 . 2009-01-31 12:45 <DIR> d-------- c:\documents and settings\Owner\Application Data\Purple Ghost Software, Inc
2009-01-31 12:45 . 2009-01-31 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Purple Ghost Software, Inc
2009-01-31 12:44 . 2009-01-31 12:44 <DIR> d-------- c:\program files\Purple Ghost
2009-01-30 17:06 . 2007-11-14 15:18 553 --a------ c:\windows\USetup.iss
2009-01-30 17:05 . 2009-01-30 17:05 <DIR> d-------- c:\program files\Realtek
2009-01-30 17:05 . 2008-08-05 20:10 1,684,736 --a------ c:\windows\system32\drivers\Ambfilt.sys
2009-01-30 17:05 . 2006-01-04 15:41 1,389,056 --a------ c:\windows\system32\drivers\Monfilt.sys
2009-01-30 17:05 . 2008-08-25 16:17 528,384 --a------ c:\windows\RtlExUpd.dll
2009-01-30 17:05 . 2008-10-27 18:12 34,816 --a------ c:\windows\system32\RtkCoInstXP.dll
2009-01-29 14:20 . 2009-01-29 14:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\Teeworlds
2009-01-28 07:54 . 2009-01-28 07:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1
2009-01-28 07:50 . 2009-01-28 07:50 <DIR> d-------- c:\program files\Rogue
2009-01-28 07:50 . 2009-01-28 07:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-23 15:47 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-01-23 15:47 . 2008-07-10 11:00 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-01-23 15:47 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-01-23 15:47 . 2008-07-30 06:20 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-01-23 15:47 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-01-23 15:47 . 2008-07-30 06:20 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-01-23 15:47 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-01-18 13:50 . 2009-01-18 13:58 <DIR> d-------- c:\program files\Visual Assist X
2009-01-18 13:41 . 2009-01-18 13:41 <DIR> d-------- c:\program files\Greatis
2009-01-15 14:53 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\5e7504.dll
2009-01-15 14:53 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\57175b0.dll
2009-01-15 14:45 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\1a9f280.dll
2009-01-15 14:45 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\10f3aa2c.dll
2009-01-15 14:45 . 2009-01-15 14:56 0 --a------ c:\windows\system32\drivers\EagleNt.sys
2009-01-15 14:43 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\34386752.dll
2009-01-15 14:43 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\1abd7a4a.dll
2009-01-15 13:18 . 2009-01-15 13:31 3 --a------ c:\windows\sbacknt.bin
2009-01-15 13:16 . 2009-01-15 13:33 <DIR> d-------- c:\documents and settings\Owner\Application Data\vghd
2009-01-15 13:16 . 2009-01-15 13:16 152,904 --a------ c:\windows\system32\vghd.scr
2009-01-15 13:03 . 2009-01-15 13:03 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Xfire
2009-01-13 08:37 . 2008-06-20 06:51 361,600 -----c--- c:\windows\system32\dllcache\tcpip.sys
2009-01-13 08:37 . 2008-06-20 12:46 245,248 -----c--- c:\windows\system32\dllcache\mswsock.dll
2009-01-13 08:37 . 2008-06-20 06:08 225,856 -----c--- c:\windows\system32\dllcache\tcpip6.sys
2009-01-13 08:37 . 2008-06-20 12:46 147,968 -----c--- c:\windows\system32\dllcache\dnsapi.dll
2009-01-08 02:53 . 2009-01-20 17:31 1,733 --a------ c:\windows\TSearch.INI
2009-01-06 16:56 . 2009-01-06 16:56 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2009-01-06 16:56 . 2009-01-06 16:56 <DIR> d-------- c:\documents and settings\Owner\Application Data\MozillaControl
2009-01-06 16:51 . 2009-01-06 16:51 54,784 --a------ c:\windows\system32\ieframe.oca
2009-01-06 16:49 . 2009-01-06 16:49 29,184 --a------ c:\windows\system32\msinet.oca
2009-01-06 16:47 . 2009-01-06 16:47 115,920 --a------ c:\windows\system32\msinet.ocx
2009-01-05 00:34 . 2009-01-22 11:49 754 --a------ c:\windows\WORDPAD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 20:51 --------- d-----w c:\program files\Steam
2009-02-04 18:53 --------- d-----w c:\documents and settings\Owner\Application Data\Orbit
2009-02-01 20:23 --------- d-----w c:\program files\Cheat Engine
2009-01-31 17:25 --------- d-----w c:\program files\CCleaner
2009-01-31 17:13 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-01-31 16:02 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-31 16:02 --------- d-----w c:\program files\Novalogic
2009-01-29 20:46 --------- d-----w c:\documents and settings\Owner\Application Data\FileZilla
2009-01-22 16:22 --------- d-----w c:\program files\IDA
2009-01-18 18:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-17 19:01 --------- d-----w c:\documents and settings\Owner\Application Data\VisualAssist
2009-01-16 00:14 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-01-16 00:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-05 03:19 --------- d-----w c:\program files\Hewlett-Packard
2009-01-05 03:19 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-01-05 03:18 --------- d-----w c:\program files\HP
2009-01-05 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-05 02:56 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-05 02:56 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield
2009-01-05 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-01-05 02:55 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-01-05 02:50 --------- d-----w c:\program files\Xfire
2009-01-02 23:55 182,200 ----a-w c:\windows\system32\drivers\UsbSnoop.sys
2008-12-30 03:35 --------- d-----w c:\program files\iPhoneBrowser
2008-12-30 01:53 --------- d-----w c:\program files\Sol Edit
2008-12-30 01:33 --------- d-----w c:\program files\SourceTec
2008-12-30 01:33 --------- d-----w c:\program files\Common Files\SourceTec
2008-12-30 01:32 --------- d-----w c:\program files\GamesBar
2008-12-30 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\GamesBar
2008-12-26 20:40 --------- d-----w c:\program files\Oberon Media
2008-12-26 07:26 --------- d-----w c:\documents and settings\All Users\Application Data\Souptoys
2008-12-26 06:06 --------- d-----w c:\program files\010 Editor v3
2008-12-26 05:02 --------- d-----w c:\documents and settings\Owner\Application Data\Logitech
2008-12-26 04:55 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-26 04:54 --------- d-----w c:\program files\Common Files\Logishrd
2008-12-26 04:53 --------- d-----w c:\program files\Logitech
2008-12-26 04:53 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-26 04:12 --------- d-----w c:\documents and settings\Owner\Application Data\TeamViewer
2008-12-26 04:11 --------- d-----w c:\program files\TeamViewer
2008-12-26 04:08 --------- d-----w c:\program files\RSP OGG Vorbis Player .Net 1.0.0
2008-12-26 01:03 --------- d-----w c:\program files\Common Files\Adobe
2008-12-26 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems
2008-12-26 00:49 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2008-12-25 23:30 182 ----a-w c:\documents and settings\Owner\Application Data\SnapiiHistory.dat
2008-12-25 23:12 --------- d-----w c:\program files\Common Files\Oberon Media
2008-12-25 21:04 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2008-12-25 20:59 --------- d-----w c:\documents and settings\Owner\Application Data\Activision
2008-12-25 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\Activision
2008-12-25 20:54 --------- d-----w c:\program files\D-Tools
2008-12-25 18:23 --------- d-----w c:\program files\Mars
2008-12-25 18:23 --------- d-----w c:\program files\DIFX
2008-12-25 17:30 --------- d-----w c:\program files\Activision
2008-12-25 07:07 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2008-12-25 07:06 --------- d-----w c:\program files\QuickTime
2008-12-25 06:59 --------- d-----w c:\program files\iTunes
2008-12-25 06:59 --------- d-----w c:\program files\iPod
2008-12-25 06:59 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 00:28 --------- d-----w c:\program files\Game Extractor
2008-12-24 23:31 --------- d-----w c:\program files\IrfanView
2008-12-24 21:54 --------- d-----w c:\program files\Souptoys
2008-12-24 21:30 --------- d-----w c:\program files\BreakPoint Software
2008-12-24 20:33 --------- d-----w c:\documents and settings\Owner\Application Data\Souptoys
2008-12-24 19:17 --------- d-----w c:\program files\Teamspeak2_RC2
2008-12-24 17:32 --------- d-----w c:\documents and settings\Owner\Application Data\teamspeak2
2008-12-22 18:46 --------- d-----w c:\program files\Common Files\Apple
2008-12-21 06:28 --------- d-----w c:\program files\Screenie
2008-12-21 06:27 --------- d-----w c:\documents and settings\Owner\Application Data\Screenie
2008-12-21 04:31 --------- d-----w c:\program files\Wide Angle Software
2008-12-20 19:29 --------- d-----w c:\program files\Oni
2008-12-20 15:06 --------- d-----w c:\program files\FileZilla FTP Client
2008-12-20 06:06 --------- d-----w c:\program files\Swiigle
2008-12-20 06:02 --------- d-----w c:\program files\Eltima Software
2008-12-20 04:11 --------- d-----w c:\program files\Bonjour
2008-12-20 04:11 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-20 04:10 --------- d-----w c:\program files\Apple Software Update
2008-12-20 04:09 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-19 19:04 --------- d-----w c:\documents and settings\Owner\Application Data\Datarescue
2008-12-19 01:04 --------- d-----w c:\documents and settings\Owner\Application Data\DivX
2008-12-19 00:32 --------- d-----w c:\program files\DivX
2008-12-18 20:22 --------- d-----w c:\program files\RocketDock
2008-12-18 17:35 --------- d-----w c:\program files\Orbitdownloader
2008-12-18 16:20 --------- d-----w c:\documents and settings\Owner\Application Data\Media Player Classic
2008-12-18 16:19 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-17 21:51 --------- d-----w c:\program files\FileZilla Server
2008-12-17 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS
2008-12-17 21:42 33,824 ----a-w c:\windows\system32\drivers\oreans32.sys
2008-12-17 19:27 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-17 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 16:56 --------- d-----w c:\program files\PE Explorer
2008-12-17 16:56 --------- d-----w c:\documents and settings\Owner\Application Data\PE Explorer
2008-12-16 19:03 --------- d-----w c:\program files\Yahoo!
2008-12-16 18:08 --------- d-----w c:\program files\Icon Remover
2008-12-16 18:08 --------- d-----w c:\documents and settings\Owner\Application Data\Icon Remover
2008-12-16 17:58 --------- d-----w c:\program files\Everstrike Software
2008-12-16 07:31 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Icon Remover"="c:\program files\Icon Remover\IconRemover.exe" [2008-03-25 742400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-03 509784]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 c:\windows\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
--a------ 2007-09-02 13:58 495616 c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-12-15 20:40 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Steam\\steamapps\\macdragon1\\half-life\\hl.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Steam\\steamapps\\macdragon1\\counter-strike source\\hl2.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Visual Studio 2008\\Projects\\ChatServer\\ChatServer\\bin\\Debug\\ChatServer.exe"=
"c:\\Program Files\\IDA\\idag.exe"=
"c:\\Program Files\\IDA\\idag64.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\macdragon1\\day of defeat source\\hl2.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\BHD\\DFBHD.EXE"=
"c:\\Program Files\\Steam\\steamapps\\macdragon1\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Quantum of Solace™\\JB_LiveEngine_s.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2spdemo\\FEAR2SPDemo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-02 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
S3 LoveDRIVER53;LoveDRIVER53;c:\documents and settings\Owner\Desktop\Love_Engine_0.2\Love Engine 0.2\loveliss.sys [2009-01-05 31488]
S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-01-02 182200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-02-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-03 23:19]

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CTFMON - (no file)
MSConfigStartUp-Framework Windows - frmwrk32.exe


.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPHoldemFireLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 10:41:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FileZilla Server\FileZilla server.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-02-05 10:44:07 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-02-05 15:44:05

Pre-Run: 140,132,442,112 bytes free
Post-Run: 140,424,409,088 bytes free

351 --- E O F --- 2009-01-15 18:06:55

I am a little worried about stuff like

c:\windows\system32\34386752.dll
2009-01-15 14:43 . 2008-04-14 05:42 82,432 ---h---t- c:\windows\system32\1abd7a4a.dll
2009-01-15 13:18 . 2009-01-15 13:31 3 --a------ c:\windows\sbacknt.bin

and other random .dll names

as well as this.

c:\windows\system32\drivers\Lbd.sys

Thanks, this is really helping me!
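One thing worth pulling out of the registry block in the log above is the state of Security Center and the Windows Firewall: all three Security Center overrides are set, the standard-profile firewall is off, and several firewall exceptions point into user-writable directories. The following script is an added example (it is not part of this thread and not ComboFix code) that parses that block and flags those settings; the sample input is copied from the log above, and the list of "user-writable" path markers is an assumed heuristic, not something the log states.

```python
import re

# Sample input: a subset of the ComboFix registry dump posted above
# (copied from the log, not constructed).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Documents and Settings\\Owner\\My Documents\\Visual Studio 2008\\Projects\\ChatServer\\ChatServer\\bin\\Debug\\ChatServer.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\BHD\\DFBHD.EXE"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# Assumed heuristic: directories an unprivileged user (or malware running as
# that user) can write to. A firewall exception there deserves a second look.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\", "\\users\\", "\\desktop\\",
    "\\application data\\", "\\temp\\", "\\tmp\\",
)


def parse_value(raw):
    """Turn a ComboFix registry value into an int, None (empty) or the raw string."""
    raw = raw.strip()
    if raw == "":
        return None
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)   # e.g. "0 (0x0)"
    if m:
        return int(m.group(1))
    return raw


def parse_registry_dump(text):
    """Map each [section] (lower-cased) to {value name: parsed value}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Reg-export style doubles backslashes; collapse them for path checks.
            name = m.group("name").replace("\\\\", "\\")
            sections[current][name] = parse_value(m.group("value"))
    return sections


def audit_combofix_registry(text):
    """Return a list of {check, detail} findings for the weak settings above."""
    findings = []
    for section, values in parse_registry_dump(text).items():
        if section.endswith("security center"):
            for name, why in (
                ("AntiVirusOverride", "Security Center will not warn about missing/disabled antivirus"),
                ("FirewallOverride", "Security Center will not warn about a disabled firewall"),
                ("UpdatesDisableNotify", "Automatic Updates warnings are suppressed"),
            ):
                if values.get(name) == 1:
                    findings.append({"check": "security_center_override", "detail": f"{name}=1: {why}"})
        elif section.endswith("firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append({"check": "firewall_disabled", "detail": "EnableFirewall=0 in the standard profile"})
        elif section.endswith("authorizedapplications\\list"):
            for path in values:
                if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
                    findings.append({"check": "firewall_exception_user_path", "detail": path})
        elif section.endswith("globallyopenports\\list"):
            for name in values:
                if name == "<NO NAME>":
                    findings.append({"check": "unnamed_open_port", "detail": "unnamed GloballyOpenPorts entry; inspect it in the firewall UI"})
    return findings


if __name__ == "__main__":
    for f in audit_combofix_registry(SAMPLE_LOG):
        print(f"[{f['check']}] {f['detail']}")
```

On the log above this reports the three Security Center overrides, the disabled firewall, the three exceptions under Documents and Settings (NGM.exe, the Visual Studio ChatServer.exe build and DFBHD.EXE on the Desktop) and the unnamed open-port entry. The user-path exceptions are not proof of anything by themselves (a debug build of your own project is a perfectly normal reason for one), but they are the entries to account for first, and the override values are usually set by either a very cautious user or by malware that wants the shield icon to stay quiet.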

#8
kahdah
c:\windows\system32\drivers\Lbd.sys < this is related to Ad-Aware and is safe; some of the others we will have to check out.
=================
Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

c:\windows\system32\dllcache\userinit.exe
c:\windows\sbacknt.bin



This will produce a report after the scan is complete; please copy and paste those results in your next post.
=============
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\34386752.dll
c:\windows\system32\1abd7a4a.dll
c:\windows\system32\5e7504.dll
c:\windows\system32\57175b0.dll
c:\windows\system32\1a9f280.dll
c:\windows\system32\10f3aa2c.dll
c:\windows\system32\vghd.scr
c:\documents and settings\All Users\Application Data\A81B14F4A2.sys

Folder::
c:\documents and settings\Owner\Application Data\vghd


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • File scanning results

If I am helping you and have not responded for 48 hours, please send me a PM, as I don't always get notifications.

My help is always free; however, if you would like to make a donation for the help I have provided, please click here.
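Before (or while) uploading c:\windows\system32\dllcache\userinit.exe to a scanner, it is worth doing the local half of that check yourself: hash the live copy in system32 and the Windows File Protection copy in dllcache, compare them, and make sure the live file is still a PE image at all. The script below is an added example, not code from this thread or from any of the tools mentioned in it; the XP paths it names (c:\windows\system32\userinit.exe and the dllcache copy) are assumed from the helper's request above, and the demo writes small constructed stand-in files so it runs anywhere.

```python
import hashlib
import os
import struct
import tempfile

# Assumed from the thread: where userinit.exe lives on this XP SP3 box and
# where Windows File Protection keeps its reference copy.
LIVE_USERINIT = r"c:\windows\system32\userinit.exe"
DLLCACHE_USERINIT = r"c:\windows\system32\dllcache\userinit.exe"

HASHES = ("md5", "sha1", "sha256")


def file_hashes(path, chunk=1 << 20):
    """MD5/SHA-1/SHA-256 of a file; these are the keys online scanners report by."""
    hs = {name: hashlib.new(name) for name in HASHES}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def looks_like_pe(path):
    """True if the file has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def compare_with_dllcache(live_path=LIVE_USERINIT, cache_path=DLLCACHE_USERINIT):
    """Hash both copies and report whether they agree (plus sizes and a PE sanity check)."""
    live, cache = file_hashes(live_path), file_hashes(cache_path)
    return {
        "live": live,
        "dllcache": cache,
        "live_is_pe": looks_like_pe(live_path),
        "size_live": os.path.getsize(live_path),
        "size_dllcache": os.path.getsize(cache_path),
        "match": live["sha256"] == cache["sha256"],
    }


def fake_pe(payload):
    """Constructed stand-in for a PE file: MZ stub, e_lfanew=0x40, PE signature, payload."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\0\0" + payload


def demo():
    """Write a constructed 'clean' pair and a 'patched' pair and compare each against the cache copy."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "dllcache_userinit.exe")
        with open(cache, "wb") as f:
            f.write(fake_pe(b"userinit body"))
        for label, body in (("clean", b"userinit body"),
                            ("patched", b"userinit body\x90\x90")):
            live = os.path.join(d, f"{label}_userinit.exe")
            with open(live, "wb") as f:
                f.write(fake_pe(body))
            results[label] = compare_with_dllcache(live, cache)
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: match={r['match']} pe={r['live_is_pe']} "
              f"sha256={r['live']['sha256'][:16]}... size={r['size_live']}")
```

On the real machine you would call compare_with_dllcache() with no arguments and paste the SHA-256 values into the scanner's hash lookup instead of uploading the file. Read the result with the right caveat: a mismatch means the live file has been changed and is the more interesting sample; a match only proves the two copies agree, not that either is clean, since anything that replaces userinit.exe with enough privilege can replace the dllcache copy as well. That is why the helper still wants a scanner verdict on the file.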

#9
Guest_MBfan_*
Here is the ComboFix log.

Quote

ComboFix 09-02-04.04 - Owner 2009-02-05 19:24:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2547 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090205-1] *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\A81B14F4A2.sys
c:\windows\system32\10f3aa2c.dll
c:\windows\system32\1a9f280.dll
c:\windows\system32\1abd7a4a.dll
c:\windows\system32\34386752.dll
c:\windows\system32\57175b0.dll
c:\windows\system32\5e7504.dll
c:\windows\system32\vghd.scr
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\A81B14F4A2.sys
c:\documents and settings\Owner\Application Data\vghd
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backabout.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backcalendar.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backcollection.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backdelete.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backdownload_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backdownload_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backenterpassword.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\background.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backplaylists.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backregister_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backregister_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backscreensaver.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backsettings_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backsettings_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backwarnbox.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\backwarnbox_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_add_playlist_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_add_playlist_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_add_playlist_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_add_playlist_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_off_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_off_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_buy_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_small.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_small_click.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_small_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancel_small_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancelregister_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancelregister_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancelregister_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_cancelregister_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_confirm_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_confirm_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_confirm_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_confirm_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_off_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_off_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_playlist_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_playlist_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_playlist_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_delete_playlist_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_off_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_off_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_download_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_off_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_off_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_downloadtrailer_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_off_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_off_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_enable_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_finish_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_finish_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_finish_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_finish_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_no_click.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_no_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_no_on.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_no_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_playlist_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_playlist_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_playlist_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_playlist_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_small.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_ok_small_click.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset1_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset1_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset1_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset1_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset2_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset2_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset2_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset2_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset3_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset3_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset3_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset3_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset4_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset4_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset4_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preset4_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preview_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preview_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preview_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_preview_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_previewsmall_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_previewsmall_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_previewsmall_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_previewsmall_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_products.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_off_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_off_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_resetdisabled_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_select_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_select_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_select_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_select_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_off_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_off_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_show_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_skins.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_toggle_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_toggle_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_toggle_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_toggle_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_whatsnew_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_whatsnew_click_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_whatsnew_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_whatsnew_on_us.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_yes_click.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_yes_click_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_yes_on.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\button_yes_on_fr.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\calendar_comingsoon.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\calendar_nocard.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\checkbox.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_about.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_calendar.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_collection.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_downloads.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_settings.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\down_settings2.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\empty_girl.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\favorite.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\favorite_selected.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\list_disabled.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\list_enabled.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\logo.BMP
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\plus.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\radio.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\register_sticker.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr00001.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr00003.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr00004.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr00005.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr1.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr3.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr4.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\scr5.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\slider.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\Thumbs.db
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tip_background.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_button.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_button_click.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_check_off.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_check_on.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\tooltip_close.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_about.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_calendar.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_collection.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_downloads.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_settings.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\up_settings2.bmp
c:\documents and settings\Owner\Application Data\vghd\Data\skins\VirtuaGirlHD\classic skin\vgirl.pack
c:\windows\system32\10f3aa2c.dll
c:\windows\system32\1a9f280.dll
c:\windows\system32\1abd7a4a.dll
c:\windows\system32\34386752.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\57175b0.dll
c:\windows\system32\5e7504.dll
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vghd.scr
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-05 18:04 . 2009-02-05 18:22 5,491 --a------ C:\dfx.rtf
2009-02-05 15:06 . 2009-02-05 15:06 <DIR> d-------- c:\documents and settings\Owner\Application Data\Sunbelt
2009-02-05 15:06 . 2009-02-05 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt
2009-02-05 15:04 . 2009-02-05 15:04 <DIR> d-------- c:\program files\Sunbelt Software
2009-02-05 15:04 . 2008-10-09 10:21 202,928 --a------ c:\windows\system32\drivers\sbtis.sys
2009-02-05 14:27 . 2009-02-05 18:11 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-05 14:26 . 2009-02-05 14:27 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-05 14:26 . 2009-02-05 14:26 <DIR> d-------- c:\program files\AVG
2009-02-05 14:26 . 2009-02-05 14:26 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-05 14:26 . 2009-02-05 14:26 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-05 14:26 . 2009-02-05 14:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-05 12:17 . 2009-02-05 12:17 <DIR> d-------- c:\program files\Alwil Software
2009-02-05 11:23 . 2009-02-05 11:38 2,204 --a------ c:\windows\evpovqfm
2009-02-04 11:54 . 2009-02-04 11:54 250 --a------ c:\windows\gmer.ini
2009-02-03 10:59 . 2009-02-03 10:59 <DIR> d-------- c:\documents and settings\Administrator
2009-02-03 10:50 . 2009-02-05 14:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-02 15:09 . 2009-01-18 16:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-02 15:08 . 2009-02-05 12:12 <DIR> d-------- c:\program files\Lavasoft
2009-02-02 15:08 . 2009-02-05 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-02 15:08 . 2009-02-05 12:12 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\~0
2009-02-02 14:48 . 2009-02-02 14:48 <DIR> d-------- c:\documents and settings\Owner\Application Data\Corel
2009-02-02 14:48 . 2009-02-02 14:48 2,516 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-02 14:41 . 2009-02-02 14:41 <DIR> d-------- c:\program files\Common Files\Protexis
2009-02-02 14:41 . 2009-02-02 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Corel
2009-02-02 14:38 . 2009-02-02 14:38 <DIR> d-------- c:\program files\Common Files\Corel
2009-02-02 14:36 . 2009-02-02 14:36 <DIR> d-------- c:\program files\Corel
2009-02-02 14:26 . 2009-02-02 14:26 <DIR> d-------- c:\program files\Trend Micro
2009-02-02 07:57 . 2009-02-02 07:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-02 07:57 . 2009-02-05 11:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-01 12:37 . 2009-02-01 12:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-01 12:36 . 2009-02-01 12:36 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-02-01 12:34 . 2009-02-01 12:34 <DIR> d-------- c:\program files\Rosetta Stone
2009-02-01 12:34 . 2009-02-01 13:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-02-01 12:32 . 2009-02-01 12:32 <DIR> d-------- c:\program files\VirusTotalUploader
2009-01-31 12:45 . 2009-01-31 12:45 <DIR> d-------- c:\documents and settings\Owner\Application Data\Purple Ghost Software, Inc
2009-01-31 12:45 . 2009-01-31 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Purple Ghost Software, Inc
2009-01-31 12:44 . 2009-01-31 12:44 <DIR> d-------- c:\program files\Purple Ghost
2009-01-30 17:06 . 2007-11-14 15:18 553 --a------ c:\windows\USetup.iss
2009-01-30 17:05 . 2009-01-30 17:05 <DIR> d-------- c:\program files\Realtek
2009-01-30 17:05 . 2008-08-05 20:10 1,684,736 --a------ c:\windows\system32\drivers\Ambfilt.sys
2009-01-30 17:05 . 2006-01-04 15:41 1,389,056 --a------ c:\windows\system32\drivers\Monfilt.sys
2009-01-30 17:05 . 2008-08-25 16:17 528,384 --a------ c:\windows\RtlExUpd.dll
2009-01-30 17:05 . 2008-10-27 18:12 34,816 --a------ c:\windows\system32\RtkCoInstXP.dll
2009-01-29 14:20 . 2009-01-29 14:25 <DIR> d-------- c:\documents and settings\Owner\Application Data\Teeworlds
2009-01-28 07:54 . 2009-01-28 07:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1
2009-01-28 07:50 . 2009-01-28 07:50 <DIR> d-------- c:\program files\Rogue
2009-01-28 07:50 . 2009-01-28 07:50 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-23 15:47 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2009-01-23 15:47 . 2008-07-10 11:00 3,851,784 --a------ c:\windows\system32\D3DX9_39.dll
2009-01-23 15:47 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2009-01-23 15:47 . 2008-07-30 06:20 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2009-01-23 15:47 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2009-01-23 15:47 . 2008-07-30 06:20 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2009-01-23 15:47 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2009-01-18 13:50 . 2009-01-18 13:58 <DIR> d-------- c:\program files\Visual Assist X
2009-01-18 13:41 . 2009-01-18 13:41 <DIR> d-------- c:\program files\Greatis
2009-01-15 14:45 . 2009-01-15 14:56 0 --a------ c:\windows\system32\drivers\EagleNt.sys
2009-01-15 13:18 . 2009-01-15 13:31 3 --a------ c:\windows\sbacknt.bin
2009-01-15 13:03 . 2009-01-15 13:03 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Xfire
2009-01-13 08:37 . 2008-06-20 06:51 361,600 -----c--- c:\windows\system32\dllcache\tcpip.sys
2009-01-13 08:37 . 2008-06-20 12:46 245,248 -----c--- c:\windows\system32\dllcache\mswsock.dll
2009-01-13 08:37 . 2008-06-20 06:08 225,856 -----c--- c:\windows\system32\dllcache\tcpip6.sys
2009-01-13 08:37 . 2008-06-20 12:46 147,968 -----c--- c:\windows\system32\dllcache\dnsapi.dll
2009-01-08 02:53 . 2009-01-20 17:31 1,733 --a------ c:\windows\TSearch.INI
2009-01-06 16:56 . 2009-01-06 16:56 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
2009-01-06 16:56 . 2009-01-06 16:56 <DIR> d-------- c:\documents and settings\Owner\Application Data\MozillaControl
2009-01-06 16:51 . 2009-01-06 16:51 54,784 --a------ c:\windows\system32\ieframe.oca
2009-01-06 16:49 . 2009-01-06 16:49 29,184 --a------ c:\windows\system32\msinet.oca
2009-01-06 16:47 . 2009-01-06 16:47 115,920 --a------ c:\windows\system32\msinet.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 23:56 --------- d-----w c:\program files\Steam
2009-02-05 23:01 33,824 ----a-w c:\windows\system32\drivers\oreans32.sys
2009-02-05 16:38 --------- d-----w c:\documents and settings\Owner\Application Data\Orbit
2009-02-05 16:07 --------- d-----w c:\program files\Common Files\Adobe
2009-02-01 20:23 --------- d-----w c:\program files\Cheat Engine
2009-01-31 17:25 --------- d-----w c:\program files\CCleaner
2009-01-31 17:13 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-01-31 16:02 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-31 16:02 --------- d-----w c:\program files\Novalogic
2009-01-29 20:46 --------- d-----w c:\documents and settings\Owner\Application Data\FileZilla
2009-01-22 16:22 --------- d-----w c:\program files\IDA
2009-01-18 18:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-17 19:01 --------- d-----w c:\documents and settings\Owner\Application Data\VisualAssist
2009-01-16 00:14 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-01-16 00:11 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-05 03:19 --------- d-----w c:\program files\Hewlett-Packard
2009-01-05 03:19 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-01-05 03:18 --------- d-----w c:\program files\HP
2009-01-05 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-05 02:56 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-05 02:56 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield
2009-01-05 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-01-05 02:55 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-01-05 02:50 --------- d-----w c:\program files\Xfire
2009-01-02 23:55 182,200 ----a-w c:\windows\system32\drivers\UsbSnoop.sys
2008-12-30 03:35 --------- d-----w c:\program files\iPhoneBrowser
2008-12-30 01:53 --------- d-----w c:\program files\Sol Edit
2008-12-30 01:33 --------- d-----w c:\program files\SourceTec
2008-12-30 01:33 --------- d-----w c:\program files\Common Files\SourceTec
2008-12-30 01:32 --------- d-----w c:\program files\GamesBar
2008-12-30 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\GamesBar
2008-12-26 20:40 --------- d-----w c:\program files\Oberon Media
2008-12-26 07:26 --------- d-----w c:\documents and settings\All Users\Application Data\Souptoys
2008-12-26 06:06 --------- d-----w c:\program files\010 Editor v3
2008-12-26 05:02 --------- d-----w c:\documents and settings\Owner\Application Data\Logitech
2008-12-26 04:55 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-26 04:54 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-26 04:54 --------- d-----w c:\program files\Common Files\Logishrd
2008-12-26 04:53 --------- d-----w c:\program files\Logitech
2008-12-26 04:53 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-26 04:12 --------- d-----w c:\documents and settings\Owner\Application Data\TeamViewer
2008-12-26 04:11 --------- d-----w c:\program files\TeamViewer
2008-12-26 04:08 --------- d-----w c:\program files\RSP OGG Vorbis Player .Net 1.0.0
2008-12-26 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems
2008-12-26 00:49 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2008-12-25 23:30 182 ----a-w c:\documents and settings\Owner\Application Data\SnapiiHistory.dat
2008-12-25 23:12 --------- d-----w c:\program files\Common Files\Oberon Media
2008-12-25 21:04 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2008-12-25 20:59 --------- d-----w c:\documents and settings\Owner\Application Data\Activision
2008-12-25 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\Activision
2008-12-25 20:54 --------- d-----w c:\program files\D-Tools
2008-12-25 18:23 --------- d-----w c:\program files\Mars
2008-12-25 18:23 --------- d-----w c:\program files\DIFX
2008-12-25 17:30 --------- d-----w c:\program files\Activision
2008-12-25 07:07 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2008-12-25 07:06 --------- d-----w c:\program files\QuickTime
2008-12-25 06:59 --------- d-----w c:\program files\iTunes
2008-12-25 06:59 --------- d-----w c:\program files\iPod
2008-12-25 06:59 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 00:28 --------- d-----w c:\program files\Game Extractor
2008-12-24 23:31 --------- d-----w c:\program files\IrfanView
2008-12-24 21:54 --------- d-----w c:\program files\Souptoys
2008-12-24 21:30 --------- d-----w c:\program files\BreakPoint Software
2008-12-24 20:33 --------- d-----w c:\documents and settings\Owner\Application Data\Souptoys
2008-12-24 19:17 --------- d-----w c:\program files\Teamspeak2_RC2
2008-12-24 17:32 --------- d-----w c:\documents and settings\Owner\Application Data\teamspeak2
2008-12-22 18:46 --------- d-----w c:\program files\Common Files\Apple
2008-12-21 06:28 --------- d-----w c:\program files\Screenie
2008-12-21 06:27 --------- d-----w c:\documents and settings\Owner\Application Data\Screenie
2008-12-21 04:31 --------- d-----w c:\program files\Wide Angle Software
2008-12-20 19:29 --------- d-----w c:\program files\Oni
2008-12-20 15:06 --------- d-----w c:\program files\FileZilla FTP Client
2008-12-20 06:06 --------- d-----w c:\program files\Swiigle
2008-12-20 06:02 --------- d-----w c:\program files\Eltima Software
2008-12-20 04:11 --------- d-----w c:\program files\Bonjour
2008-12-20 04:11 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-20 04:10 --------- d-----w c:\program files\Apple Software Update
2008-12-20 04:09 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-19 19:04 --------- d-----w c:\documents and settings\Owner\Application Data\Datarescue
2008-12-19 01:04 --------- d-----w c:\documents and settings\Owner\Application Data\DivX
2008-12-19 00:32 --------- d-----w c:\program files\DivX
2008-12-18 20:22 --------- d-----w c:\program files\RocketDock
2008-12-18 17:35 --------- d-----w c:\program files\Orbitdownloader
2008-12-18 16:20 --------- d-----w c:\documents and settings\Owner\Application Data\Media Player Classic
2008-12-18 16:19 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-17 21:51 --------- d-----w c:\program files\FileZilla Server
2008-12-17 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS
2008-12-17 19:27 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-17 19:27 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 16:56 --------- d-----w c:\program files\PE Explorer
2008-12-17 16:56 --------- d-----w c:\documents and settings\Owner\Application Data\PE Explorer
2008-12-16 19:03 --------- d-----w c:\program files\Yahoo!
2008-12-16 18:08 --------- d-----w c:\program files\Icon Remover
2008-12-16 18:08 --------- d-----w c:\documents and settings\Owner\Application Data\Icon Remover
2008-12-16 17:58 --------- d-----w c:\program files\Everstrike Software
2008-12-16 07:31 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_10.43.38.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-05 20:04:49 297,086 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\ARPPRODUCTICON.exe
+ 2009-02-05 20:04:49 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut2_339C927BB4B547F9804FDF51F01D2D57.exe
+ 2009-02-05 20:04:49 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut21_339C927BB4B547F9804FDF51F01D2D57.exe
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
- 2009-02-04 12:33:23 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-05 16:18:16 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-04 12:33:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-05 16:18:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-04 12:33:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-05 16:18:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2009-02-05 19:26:31 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-10-23 09:09:24 92,464 ----a-w c:\windows\system32\drivers\SBREDrv.sys
+ 2008-10-28 21:28:12 65,320 ----a-w c:\windows\system32\sbbd.exe
+ 2006-01-09 14:36:06 40,960 ----a-w c:\windows\system32\swsc.exe
+ 2007-01-10 22:03:04 493,400 ----a-w c:\windows\system32\XceedZip.dll
+ 2009-02-06 00:29:26 16,384 ----atw c:\windows\temp\Perflib_Perfdata_600.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 c:\windows\KHALMNPR.Exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 14:26 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Icon Remover]
--a------ 2008-03-25 20:45 742400 c:\program files\Icon Remover\IconRemover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 05:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
--a------ 2007-09-02 13:58 495616 c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-12-15 20:40 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Steam\\steamapps\\macdragon1\\half-life\\hl.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Steam\\steamapps\\macdragon1\\counter-strike source\\hl2.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Visual Studio 2008\\Projects\\ChatServer\\ChatServer\\bin\\Debug\\ChatServer.exe"=
"c:\\Program Files\\IDA\\idag.exe"=
"c:\\Program Files\\IDA\\idag64.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\macdragon1\\day of defeat source\\hl2.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\BHD\\DFBHD.EXE"=
"c:\\Program Files\\Steam\\steamapps\\macdragon1\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Quantum of Solace™\\JB_LiveEngine_s.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2spdemo\\FEAR2SPDemo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-02 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-05 111184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-05 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-05 107272]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-02-05 202928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-05 20560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-05 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-05 298264]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2008-10-28 886056]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-01-02 182200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-02-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6E992806-9974-4EBC-A6F9-8235A5022CC0} - (no file)


.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3ldgoiop.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPHoldemFireLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 19:31:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FileZilla Server\FileZilla server.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-02-05 19:34:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 00:33:58
ComboFix2.txt 2009-02-05 15:44:08

Pre-Run: 140,858,634,240 bytes free
Post-Run: 140,960,313,344 bytes free

604 --- E O F --- 2009-01-15 18:06:55

Here is the scan of userinit.exe, by jotti

Quote

A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

And, userinit.exe by virustotal

Quote

a-squared 4.0.0.93 2009.02.05 -
AhnLab-V3 5.0.0.2 2009.02.05 -
AntiVir 7.9.0.74 2009.02.05 -
Authentium 5.1.0.4 2009.02.05 -
Avast 4.8.1281.0 2009.02.05 -
AVG 8.0.0.229 2009.02.05 -
BitDefender 7.2 2009.02.06 -
CAT-QuickHeal 10.00 2009.02.05 -
ClamAV 0.94.1 2009.02.05 -
Comodo 965 2009.02.05 -
DrWeb 4.44.0.09170 2009.02.06 -
eSafe 7.0.17.0 2009.02.05 -
eTrust-Vet 31.6.6344 2009.02.06 -
F-Prot 4.4.4.56 2009.02.05 -
F-Secure 8.0.14470.0 2009.02.06 -
Fortinet 3.117.0.0 2009.02.06 -
GData 19 2009.02.06 -
Ikarus T3.1.1.45.0 2009.02.05 -
K7AntiVirus 7.10.620 2009.02.05 -
Kaspersky 7.0.0.125 2009.02.06 -
McAfee 5516 2009.02.04 -
McAfee+Artemis 5516 2009.02.04 -
Microsoft 1.4306 2009.02.05 -
NOD32 3831 2009.02.05 -
Norman 6.00.02 2009.02.05 -
nProtect 2009.1.8.0 2009.02.05 -
Panda 9.5.1.2 2009.02.05 -
PCTools 4.4.2.0 2009.02.05 -
Prevx1 V2 2009.02.06 -
Rising 21.15.30.00 2009.02.05 -
SecureWeb-Gateway 6.7.6 2009.02.05 -
Sophos 4.38.0 2009.02.06 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.02.06 -
TheHacker 6.3.1.5.247 2009.02.05 -
TrendMicro 8.700.0.1004 2009.02.05 -
VBA32 3.12.8.12 2009.02.05 -
ViRobot 2009.2.5.1591 2009.02.05 -
VirusBuster 4.5.11.0 2009.02.06 -


This has me a little worried.

sbacknt.bin by virustotal

Quote

a-squared 4.0.0.93 2009.02.05 -
AhnLab-V3 5.0.0.2 2009.02.05 -
AntiVir 7.9.0.74 2009.02.05 -
Authentium 5.1.0.4 2009.02.05 -
Avast 4.8.1281.0 2009.02.05 -
AVG 8.0.0.229 2009.02.05 -
BitDefender 7.2 2009.02.06 -
CAT-QuickHeal 10.00 2009.02.05 -
ClamAV 0.94.1 2009.02.05 -
Comodo 965 2009.02.05 -
DrWeb 4.44.0.09170 2009.02.06 -
eSafe 7.0.17.0 2009.02.05 -
eTrust-Vet 31.6.6344 2009.02.06 -
F-Prot 4.4.4.56 2009.02.05 -
F-Secure 8.0.14470.0 2009.02.06 -
Fortinet 3.117.0.0 2009.02.06 -
GData 19 2009.02.06 -
Ikarus T3.1.1.45.0 2009.02.05 -
K7AntiVirus 7.10.620 2009.02.05 -
Kaspersky 7.0.0.125 2009.02.06 -
McAfee 5516 2009.02.04 -
McAfee+Artemis 5516 2009.02.04 -
Microsoft 1.4306 2009.02.05 -
NOD32 3831 2009.02.05 -
Norman 6.00.02 2009.02.05 -
nProtect 2009.1.8.0 2009.02.05 -
Panda 9.5.1.2 2009.02.05 -
PCTools 4.4.2.0 2009.02.05 -
Prevx1 V2 2009.02.06 -
Rising 21.15.30.00 2009.02.05 -
SecureWeb-Gateway 6.7.6 2009.02.05 -
Sophos 4.38.0 2009.02.06 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.02.06 -
TheHacker 6.3.1.5.247 2009.02.05 -
TrendMicro 8.700.0.1004 2009.02.05 -
VBA32 3.12.8.12 2009.02.05 -
ViRobot 2009.2.5.1591 2009.02.05 -
VirusBuster 4.5.11.0 2009.02.06 -

sbacknt.bin by jotti

Quote

A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing


Quote

2009-02-05 11:23 . 2009-02-05 11:38 2,204 --a------ c:\windows\evpovqfm

I don't know if this is of any help, but whenever I click Next page on Google, or google something, Firefox loads stuff from

v1.adwarefeed.com

Thanks for your continued support! I will keep checking in on the hour :D.

-MBFan
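
The question at the top of the thread was whether userinit.exe is a critical OS file. It is: winlogon runs it at logon to run logon scripts and start the user's shell, which is why a responder verifies it rather than deleting it. The two checks below are an added example (editor's code, not from the thread, the poster, or Malwarebytes): parse the Winlogon Userinit registry value and report anything beyond the single stock entry, and compare the live system32\userinit.exe against the Windows File Protection copy in system32\dllcache by hash. The registry strings (including the c:\windows\example.exe entry) and the files written by build_fixture() are constructed for the example; read_userinit_from_registry() only returns a value on a Windows host.

```python
"""Two checks for a questioned userinit.exe (added example, not from the thread)."""
import hashlib
import os
import tempfile

# Registry location of the Userinit value on Windows XP and later.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split the comma-separated Userinit value into normalised program paths."""
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]


def userinit_anomalies(value, windir=r"c:\windows"):
    """Findings for a Winlogon Userinit value; an empty list means the stock value."""
    expected = (windir + r"\system32\userinit.exe").lower()
    programs = parse_userinit(value)
    if not programs:
        return ["Userinit value is empty; nothing would run at logon"]
    findings = []
    if programs[0] != expected:
        findings.append("first program is not %s but %s" % (expected, programs[0]))
    # The stock value names one program; anything after the comma was added later.
    for extra in programs[1:]:
        findings.append("extra program appended to Userinit: " + extra)
    return findings


def read_userinit_from_registry():
    """Read the live value on a Windows host; returns None on other systems."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_dllcache(live_path, cache_path):
    """True when the live binary is byte-identical to the dllcache (WFP) copy."""
    return sha256_of(live_path) == sha256_of(cache_path)


def build_fixture():
    """Constructed stand-in for %windir%: identical live/cache copies plus an altered one.

    Returns (live, cache, altered) paths. Contents are placeholder bytes, not a real PE.
    """
    root = tempfile.mkdtemp(prefix="userinit_demo_")
    sys32 = os.path.join(root, "system32")
    cache = os.path.join(sys32, "dllcache")
    os.makedirs(cache)
    stock = b"MZ placeholder for the stock userinit.exe image\n" * 64
    live = os.path.join(sys32, "userinit.exe")
    cached = os.path.join(cache, "userinit.exe")
    altered = os.path.join(root, "userinit_altered.exe")
    for path, data in ((live, stock), (cached, stock), (altered, stock + b"appended stub\n")):
        with open(path, "wb") as f:
            f.write(data)
    return live, cached, altered


if __name__ == "__main__":
    samples = [
        ("stock value", r"C:\WINDOWS\system32\userinit.exe,"),
        ("constructed tampered value", r"C:\WINDOWS\system32\userinit.exe,c:\windows\example.exe,"),
        ("this host", read_userinit_from_registry()),
    ]
    for label, value in samples:
        if value is not None:
            print(label, "->", userinit_anomalies(value) or "no findings")
    live_exe, cache_exe, altered_exe = build_fixture()
    print("live matches dllcache:", matches_dllcache(live_exe, cache_exe))
    print("altered matches dllcache:", matches_dllcache(altered_exe, cache_exe))
```

A hash match against dllcache only shows the two copies agree; if both were replaced, the remaining check is the file's Authenticode signature or a hash from a known-good copy of the same service pack.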

#10
Guest_MBfan_*

  • Guests
Sorry for the double post.

I just want to point out that the only time I get redirected is when I click Google search results. Maybe this helps.

#11
kahdah

    Forum Deity

  • Experts
  • 4,051 posts
  • Gender:Male
  • Location:Florida
Hi, it appears that you now have 2 antivirus programs. Please uninstall Avast or AVG, whichever you prefer, as running both actually lowers your protection.
Plus they will conflict with each other.
==========================
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\documents and settings\All Users\Application Data\~0
    c:\windows\evpovqfm

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
After that, update Malwarebytes, then run another quick scan and remove what it finds, then post that log, the OTMoveIt log and a new DDS log as well.
If I am helping you and have not responded for 48 hours please send me a PM as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#12
Guest_MBfan_*

  • Guests
Moveit

Quote

========== FILES ==========
c:\documents and settings\All Users\Application Data\~0 moved successfully.
c:\windows\evpovqfm moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02062009_075019

DDS.txt

Quote

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 7:52:09.51 on Fri 02/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2699 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
c:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229187606882
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229187588901
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3ldgoiop.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPHoldemFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-2 64160]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-2-5 202928]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-17 38496]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2008-10-28 886056]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-1-2 182200]

=============== Created Last 30 ================

2009-02-06 07:50 <DIR> --d----- C:\_OTMoveIt
2009-02-06 07:43 88 ---shr-- c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys
2009-02-06 07:39 <DIR> --d----- c:\program files\G4box
2009-02-05 23:08 685,056 a------- c:\windows\isRS-000.tmp
2009-02-05 21:12 <DIR> --d----- C:\Binaries
2009-02-05 21:09 164 a------- C:\install.dat
2009-02-05 18:04 5,491 a------- C:\dfx.rtf
2009-02-05 15:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-02-05 15:06 <DIR> --d----- c:\docume~1\owner\applic~1\Sunbelt
2009-02-05 15:04 202,928 a------- c:\windows\system32\drivers\sbtis.sys
2009-02-05 15:04 <DIR> --d----- c:\program files\Sunbelt Software
2009-02-05 14:26 <DIR> --d----- c:\program files\AVG
2009-02-05 10:33 <DIR> --d----- C:\cmdcons
2009-02-05 10:32 161,792 a------- c:\windows\SWREG.exe
2009-02-05 10:32 98,816 a------- c:\windows\sed.exe
2009-02-04 11:54 250 a------- c:\windows\gmer.ini
2009-02-02 15:09 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-02 15:08 <DIR> --d----- c:\program files\Lavasoft
2009-02-02 14:48 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-02-02 14:41 <DIR> --d----- c:\program files\common files\Protexis
2009-02-02 14:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-02-02 14:38 <DIR> --d----- c:\program files\common files\Corel
2009-02-02 14:36 <DIR> --d----- c:\program files\Corel
2009-02-02 14:26 <DIR> --d----- c:\program files\Trend Micro
2009-02-02 07:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-02 07:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-01 12:36 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-02-01 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-02-01 12:32 <DIR> --d----- c:\program files\VirusTotalUploader
2009-01-31 12:45 <DIR> --d----- c:\docume~1\owner\applic~1\Purple Ghost Software, Inc
2009-01-31 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Purple Ghost Software, Inc
2009-01-31 12:44 <DIR> --d----- c:\program files\Purple Ghost
2009-01-30 17:06 553 a------- c:\windows\USetup.iss
2009-01-30 17:05 34,816 a------- c:\windows\system32\RtkCoInstXP.dll
2009-01-30 17:05 1,389,056 a------- c:\windows\system32\drivers\Monfilt.sys
2009-01-30 17:05 1,684,736 a------- c:\windows\system32\drivers\Ambfilt.sys
2009-01-30 17:05 <DIR> --d----- c:\program files\Realtek
2009-01-30 17:05 528,384 a------- c:\windows\RtlExUpd.dll
2009-01-29 14:20 <DIR> --d----- c:\docume~1\owner\applic~1\Teeworlds
2009-01-28 07:54 <DIR> --d----- c:\docume~1\owner\applic~1\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1
2009-01-28 07:50 <DIR> --d----- c:\program files\Rogue
2009-01-23 15:47 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-01-23 15:47 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-01-23 15:47 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-01-23 15:47 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-23 15:47 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-23 15:47 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2009-01-23 15:47 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-01-18 13:50 <DIR> --d----- c:\program files\Visual Assist X
2009-01-18 13:41 <DIR> --d----- c:\program files\Greatis
2009-01-15 14:45 0 a------- c:\windows\system32\drivers\EagleNt.sys
2009-01-15 13:18 3 a------- c:\windows\sbacknt.bin
2009-01-13 08:37 361,600 -c------ c:\windows\system32\dllcache\tcpip.sys
2009-01-13 08:37 245,248 -c------ c:\windows\system32\dllcache\mswsock.dll
2009-01-13 08:37 225,856 -c------ c:\windows\system32\dllcache\tcpip6.sys
2009-01-13 08:37 147,968 -c------ c:\windows\system32\dllcache\dnsapi.dll
2009-01-08 02:53 1,733 a------- c:\windows\TSearch.INI

==================== Find3M ====================

2009-02-05 18:01 33,824 a------- c:\windows\system32\drivers\oreans32.sys
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 22:19 122,771 a------- c:\windows\hpoins14.dat
2009-01-02 18:55 182,200 a------- c:\windows\system32\drivers\UsbSnoop.sys
2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-25 18:30 182 a------- c:\docume~1\owner\applic~1\SnapiiHistory.dat
2008-12-13 13:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 10:40 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-20 15:45 42,320 a------- c:\windows\system32\xfcodec.dll

============= FINISH: 7:52:52.59 ===============

Malware bytes quick scan was clean.

I am still getting redirected, the Google links will sometimes take me to clickfraud, hotjobs, xp-police, etc.

This arouses my attention.

2009-02-06 07:43 88 ---shr-- c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys
2009-02-05 23:08 685,056 a------- c:\windows\isRS-000.tmp

I don't know how this stuff comes back, the ONLY site I have been going to is here to check for replies.

Hopefully we can continue the fight!

Thanks a ton

#13
kahdah

    Forum Deity

  • Experts
  • 4,051 posts
  • Gender:Male
  • Location:Florida
You are welcome. I am very stubborn, more stubborn than any malware, so I will not be going anywhere :D
==========================================
Do the redirects happen only in Firefox or in both IE and Firefox?
======================
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys
    c:\windows\isRS-000.tmp
    C:\install.dat
    c:\windows\system32\drivers\oreans32.sys

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Post a new DDS log please and the OTMoveIt log.

#14
Guest_MBfan_*

  • Guests
Moveit log...

Quote

========== FILES ==========
c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys moved successfully.
File/Folder c:\windows\isRS-000.tmp not found.
C:\install.dat moved successfully.
c:\windows\system32\drivers\oreans32.sys moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02062009_080620

DDS.txt

Quote

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 8:07:02.06 on Fri 02/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2795 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SBAMTray] c:\program files\sunbelt software\vipre\SBAMTray.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229187606882
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229187588901
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3ldgoiop.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPHoldemFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-2 64160]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-2-6 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-2-5 202928]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-25 10384]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-2-6 69168]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
S3 Engine;Engine;c:\documents and settings\owner\desktop\stripper_v207ht\stripper_v207ht\engine.sys [2009-2-6 36352]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S3 usbsnoop;USB Snoopy Filter Driver;c:\windows\system32\drivers\UsbSnoop.sys [2009-1-2 182200]

=============== Created Last 30 ================

2009-02-06 08:03 69,168 a------- c:\windows\system32\drivers\sbapifs.sys
2009-02-06 08:03 13,360 a------- c:\windows\system32\drivers\sbaphd.sys
2009-02-06 07:50 <DIR> --d----- C:\_OTMoveIt
2009-02-06 07:39 <DIR> --d----- c:\program files\G4box
2009-02-05 21:12 <DIR> --d----- C:\Binaries
2009-02-05 18:04 5,491 a------- C:\dfx.rtf
2009-02-05 15:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-02-05 15:06 <DIR> --d----- c:\docume~1\owner\applic~1\Sunbelt
2009-02-05 15:04 202,928 a------- c:\windows\system32\drivers\sbtis.sys
2009-02-05 15:04 <DIR> --d----- c:\program files\Sunbelt Software
2009-02-05 14:26 <DIR> --d----- c:\program files\AVG
2009-02-05 10:33 <DIR> --d----- C:\cmdcons
2009-02-05 10:32 161,792 a------- c:\windows\SWREG.exe
2009-02-05 10:32 98,816 a------- c:\windows\sed.exe
2009-02-04 11:54 250 a------- c:\windows\gmer.ini
2009-02-02 15:09 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-02 15:08 <DIR> --d----- c:\program files\Lavasoft
2009-02-02 14:48 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-02-02 14:41 <DIR> --d----- c:\program files\common files\Protexis
2009-02-02 14:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-02-02 14:38 <DIR> --d----- c:\program files\common files\Corel
2009-02-02 14:36 <DIR> --d----- c:\program files\Corel
2009-02-02 14:26 <DIR> --d----- c:\program files\Trend Micro
2009-02-02 07:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-02 07:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-01 12:36 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-02-01 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-02-01 12:32 <DIR> --d----- c:\program files\VirusTotalUploader
2009-01-31 12:45 <DIR> --d----- c:\docume~1\owner\applic~1\Purple Ghost Software, Inc
2009-01-31 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Purple Ghost Software, Inc
2009-01-31 12:44 <DIR> --d----- c:\program files\Purple Ghost
2009-01-30 17:06 553 a------- c:\windows\USetup.iss
2009-01-30 17:05 34,816 a------- c:\windows\system32\RtkCoInstXP.dll
2009-01-30 17:05 1,389,056 a------- c:\windows\system32\drivers\Monfilt.sys
2009-01-30 17:05 1,684,736 a------- c:\windows\system32\drivers\Ambfilt.sys
2009-01-30 17:05 <DIR> --d----- c:\program files\Realtek
2009-01-30 17:05 528,384 a------- c:\windows\RtlExUpd.dll
2009-01-29 14:20 <DIR> --d----- c:\docume~1\owner\applic~1\Teeworlds
2009-01-28 07:54 <DIR> --d----- c:\docume~1\owner\applic~1\Rogue.140F0B534E676AD25491A378BD6D96164D40676E.1
2009-01-28 07:50 <DIR> --d----- c:\program files\Rogue
2009-01-23 15:47 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-01-23 15:47 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-01-23 15:47 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-01-23 15:47 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-01-23 15:47 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-01-23 15:47 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2009-01-23 15:47 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-01-18 13:50 <DIR> --d----- c:\program files\Visual Assist X
2009-01-18 13:41 <DIR> --d----- c:\program files\Greatis
2009-01-15 14:45 0 a------- c:\windows\system32\drivers\EagleNt.sys
2009-01-15 13:18 3 a------- c:\windows\sbacknt.bin
2009-01-13 08:37 361,600 -c------ c:\windows\system32\dllcache\tcpip.sys
2009-01-13 08:37 245,248 -c------ c:\windows\system32\dllcache\mswsock.dll
2009-01-13 08:37 225,856 -c------ c:\windows\system32\dllcache\tcpip6.sys
2009-01-13 08:37 147,968 -c------ c:\windows\system32\dllcache\dnsapi.dll
2009-01-08 02:53 1,733 a------- c:\windows\TSearch.INI

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 22:19 122,771 a------- c:\windows\hpoins14.dat
2009-01-02 18:55 182,200 a------- c:\windows\system32\drivers\UsbSnoop.sys
2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-25 23:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-25 18:30 182 a------- c:\docume~1\owner\applic~1\SnapiiHistory.dat
2008-12-13 13:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-13 10:40 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 16:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 16:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-20 15:45 42,320 a------- c:\windows\system32\xfcodec.dll

============= FINISH: 8:07:36.60 ===============

It seems to only redirect in FF.

Thanks
-MBF
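The two DDS reports above are being read by hand: in #12 the poster singles out a system+hidden+read-only `.sys` file created under All Users\Application Data, and the second report's SERVICES / DRIVERS section shows an `Engine` kernel driver registered from a folder on the Desktop. As an added example that is not part of this thread and not code from the DDS tool, the Python script below parses those two DDS sections from an excerpt assembled out of entries that appear in the logs above and lists the rows a helper would look at twice. The section and row formats are inferred from the logs; the "normal" driver directories, the user-writable prefixes and the three flag rules are my assumptions, and the output is a review list, not a verdict.

```python
"""Triage helper for DDS-style log excerpts.

Added example, not part of the forum thread and not code from DDS itself.
It reads the "SERVICES / DRIVERS" and "Created Last 30" sections of a DDS
report and flags: kernel drivers registered from outside the Windows driver
directory, system+hidden files freshly created in user data folders, and
.sys files created outside the driver directory. Heuristics only.
"""
import re

# Constructed excerpt, assembled from entry formats seen in the thread's logs.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-2 64160]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-2-5 202928]
S3 Engine;Engine;c:\documents and settings\owner\desktop\stripper_v207ht\stripper_v207ht\engine.sys [2009-2-6 36352]

=============== Created Last 30 ================

2009-02-06 07:50 <DIR> --d----- C:\_OTMoveIt
2009-02-06 07:43 88 ---shr-- c:\docume~1\alluse~1\applic~1\A81B14F4A2.sys
2009-02-05 23:08 685,056 a------- c:\windows\isRS-000.tmp
2009-02-02 14:48 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-01-13 08:37 361,600 -c------ c:\windows\system32\dllcache\tcpip.sys

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# date time  size-or-<DIR>  8-char attribute field  path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")
# start-type  service;display;image path [date size]
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")

# Assumption: where a kernel driver is normally loaded from on Windows XP.
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")
# Assumption: folders an ordinary user (and malware running as that user) can write to.
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\docume~1\\")


def split_sections(text):
    """Group log lines under the '=== NAME ===' banner that precedes them (name upper-cased)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_created(lines):
    """Parse 'Created Last 30' rows. attrs is the 8-char flag field as DDS prints it
    (letters seen in the logs: a archive, c compressed, d directory, s system, h hidden, r read-only)."""
    rows = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            when, size, attrs, path = m.groups()
            rows.append({"when": when, "size": size, "attrs": attrs, "path": path})
    return rows


def parse_drivers(lines):
    """Parse 'SERVICES / DRIVERS' rows into start type, service name, display name and image path."""
    rows = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if m:
            start, name, display, path, _meta = m.groups()
            rows.append({"start": start, "name": name, "display": display, "path": path.strip()})
    return rows


def triage(text):
    """Return (path, reason) pairs worth a second look, drivers first, then created files."""
    sections = split_sections(text)
    findings = []
    for drv in parse_drivers(sections.get("SERVICES / DRIVERS", [])):
        if not drv["path"].lower().startswith(DRIVER_DIRS):
            findings.append((drv["path"], "kernel driver registered outside the system driver directory"))
    for row in parse_created(sections.get("CREATED LAST 30", [])):
        p, a = row["path"].lower(), row["attrs"]
        if "d" in a:
            continue  # new directories are noise for this check
        if "s" in a and "h" in a and p.startswith(USER_WRITABLE):
            findings.append((row["path"], "system+hidden file created in a user data folder"))
        elif p.endswith(".sys") and not p.startswith(DRIVER_DIRS):
            findings.append((row["path"], ".sys file created outside the driver directory"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_DDS):
        print(f"{reason}: {path}")
```

Run as-is it reports the Desktop-hosted `engine.sys` driver and the two system+hidden `.sys` files under Application Data, and nothing else. That second pair shows why the list is only a starting point: the thread's own log has the Protexis and Corel directories appearing seven minutes before `KGyGaAvL.sys` on the same day, so a hit like that is checked against what was installed at the time before anything is moved. The `isRS-000.tmp` the poster also noticed is not caught by these rules; its only signal in the log is timing, which a helper weighs by hand.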

#15
kahdah

    Forum Deity

  • Experts
  • 4,051 posts
  • Gender:Male
  • Location:Florida
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

#16
Guest_MBfan_*

  • Guests
Here is the log.

Quote

GooredFix v1.83 by jpshortstuff
Log created at 08:21 on 06/02/2009 running Option #1 (Owner)
Firefox version 3.0.5 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

It is time for class; I will be back at about 10 EST to check. Thanks!

#17
kahdah

    Forum Deity

  • Experts
  • 4,051 posts
  • Gender:Male
  • Location:Florida
Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#18
Guest_MBfan_*

  • Guests
Attached is the log file. I also ran the cleaner.

Thanks a lot!


#19
kahdah

    Forum Deity

  • Experts
  • 4,051 posts
  • Gender:Male
  • Location:Florida
Hi you are welcome, are you familiar with this program?
Love Engine 0.2

Also this file?
cmdow.exe

and this:
DLLDump\DLLDump.exe

#20
Guest_MBfan_*

  • Guests
I do know what the first one is, and I use it. I have in the past with no issues; I doubt it's that.

The second two, no clue what they are.