Malwarebytes Forum > Mbam cannot delete mrxdavv.sys (Rootkit.Agent.H)

Full Version: Mbam cannot delete mrxdavv.sys (Rootkit.Agent.H)

Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs

SDMFdeeger

Nov 7 2008, 01:17 PM

So for awhile now, Mbam has been finding this one problem, saying I have Rootkit.Agent.H in this one file mrxdavv.sys, and it's always unable to delete the file - it says it will on reboot, but it always finds it again when I rescan. When I search for the file myself, it has never existed. There's a file with one V in the file name, but the file it finds always has 2 V's before the .sys extension.
I saw a few other threads that got closed (and never fully solved) in the past with people with similar problems, but I've never seen a solution. Was this ever figured out whether or not it was a false positive?

Malwarebytes' Anti-Malware 1.30
Database version: 1367
Windows 5.1.2600 Service Pack 3

11/7/2008 7:41:10 AM
mbam-log-2008-11-07 (07-41-10).txt

Scan type: Quick Scan
Objects scanned: 65512
Time elapsed: 9 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

Here's a Hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 8:16:25 AM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
C:\Program Files\Cerberus\Cerberus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Deege\Desktop\Deege's Stuff\Programs\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mms.beer.com/
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Startup: Shortcut to Cerberus.exe.lnk = C:\Program Files\Cerberus\Cerberus.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163579087109
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Dakeyras

Nov 7 2008, 09:27 PM

QUOTE

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi SDMFdeegerand welcome to the Malwarebytes Security Forums

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Extra note: Please be aware as I am still in training all of my fixes/posts require prior checking by a Expert. So some delays may be inevitable, please be patient and I will reply again asap.

SDMFdeeger

Nov 8 2008, 12:20 AM

I actually somehow managed to get rid of it - Malwarebytes never finds it. I ran a program called Avenger which finds rootkits, and can delete files - it found no rootkits and couldnt remove the file since it didn't exist (Though it did restart in the middle of checking). Avenger said it didnt' do anything - but then everytime after that, Malwarebytes no longer finds the problem. Not sure why if Avenger didn't do anything - but somehow, the file is gone!

Dakeyras

Nov 8 2008, 01:19 PM

Please bare in mind what I posted in my welcome post:

QUOTE

Absence of symptoms does not mean that everything is clear.

The choice to carry out the below is yours alone. Please let myself know either way, thank you.

Before commencing with any of the below please make sure you are logged into the Computer Administrator account for this machine.

Very Important!

You appear to have no Anti-Virus software installed and running. This is a very unsafe practice when accessing the internet and most likely the cause of your malware problems. Download just one only of the two free anti-virus programs listed below please and Install>> Update >> Carry Out a Complete Scan. Have it fix anything it finds.

Note: If you actually do have a Anti-Virus software installed and it is either been disabled or inactive due to the malware infections present, do not carry out the below and inform myself in your next reply please, thank you.

Next:

Your current version of HijackThis is out of date and currently in a undesirable location. However do not remove the older version for now until I ask please. Reason being any backups present may be required.

Please download the newer version HiJackThis from here.

Now double-click on HJTInstall.exe.
Choose the default location of C:\Program Files\Trend Micro\HijackThis as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
Click the Install button.
Accept the license agreement .
The program will place a shortcut on your desktop. This will make it easier for you to access the tool when required.
Now close the application as we do need to use this yet!

Next:

Please download Random's System Information Tool by random/random from here and save it to your desktop.

Please make sure that RSIT.exe is on the your Desktop before running the application.

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

Next:

Please download GMER by GMER from here
Unzip it to a folder on your desktop
Double click on gmer.exe to launch GMER
If asked, allow the gmer.sys driver load
If it warns you about rootkit activity and asks if you want to run scan, click OK
If you don't get a warning then
- Click the rootkit tab
- Click Scan
Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerrk.txt
Click on the >>> tab
This will open up the rest of the tabs for you
Click on the Autostart tab
Click on Scan
Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerautos.txt
Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic

When completed the above, please post back the following:

Both RSIT logs.
Both GMER logs.

SDMFdeeger

Nov 8 2008, 07:37 PM

I am going to do this in several steps so I can do one tool at a time. Here is the log.txt and info.txt from RSIT:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Deege at 2008-11-08 14:35:21
Microsoft Windows XP Professional Service Pack 3
System drive C: has 50 GB (38%) free of 131 GB
Total RAM: 1023 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:29 PM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Deege\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Deege.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mms.beer.com/
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Shortcut to Cerberus.exe.lnk = C:\Program Files\Cerberus\Cerberus.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163579087109
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 6327 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\859B293E9A10D756.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Malwarebytes' Scheduled Scan for Deege.job
C:\WINDOWS\tasks\Malwarebytes' Scheduled Update for Deege.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-06 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-06 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-06 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-06 136600]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-10-22 399504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe [2004-08-10 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-22 116040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
C:\PROGRA~1\AIM\\DeadAIM.ocm [2004-04-10 144896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gkityqda]
C:\Documents and Settings\Deege\My Documents\?ymbols\t?skmgr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2005-02-16 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-07-30 289064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe [2007-03-15 1033800]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe [2007-12-18 8720384]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE [2008-01-20 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwPrnMon]
C:\Program Files\Common Files\Sowedoo Shared\Sowedoo PDF Printer V4\SwPrnMon.exe [2005-09-29 548864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-08-12 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe [2005-02-16 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe [2005-05-04 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2006-11-30 4662776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Deege^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Deege^Start Menu^Programs^Startup^Cerberus FTP Server.lnk]
C:\Documents and Settings\Deege\Application Data\Microsoft\Installer\{5C635813-A908-4F35-9699-A30F34DCF7A9}\_5D784EEFB0D8F564BDBC41.exe [2007-01-27 90126]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Deege^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
C:\PROGRA~1\GetRight\getright.exe [2004-03-24 2121728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Deege^Start Menu^Programs^Startup^Shortcut to Cerberus.exe.lnk]
C:\PROGRA~1\Cerberus\Cerberus.exe [2006-09-11 3481600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3
"iPodService"=3
"ZuneNetworkSvc"=3
"iPod Service"=3
"Apple Mobile Device"=2
"WMPNetworkSvc"=3
"usnjsvc"=3
"Adobe LM Service"=3

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
FirePod Control Panel.lnk - C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe

C:\Documents and Settings\Deege\Start Menu\Programs\Startup
Shortcut to Cerberus.exe.lnk - C:\Program Files\Cerberus\Cerberus.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TMPassthru.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TMPassthru.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Cerberus\Cerberus.exe"="C:\Program Files\Cerberus\Cerberus.exe:*:Enabled:Cerberus FTP Server Application"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\ICQ\Icq.exe"="C:\Program Files\ICQ\Icq.exe:*:Enabled:ICQ"
"C:\Program Files\SmartFTP\SmartFTP.exe"="C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Direct Connect\Direct Connect.exe"="C:\Program Files\Direct Connect\Direct Connect.exe:*:Enabled:Direct Connect"
"C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe"="C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe"="C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe:*:Disabled: "
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe"="C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe:*:Enabled:FTP Transfer Engine"
"C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
shell\AutoRun\command - H:\Setup.exe -auto

======File associations======

.js - open - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-11-08 14:35:20 ----D---- C:\rsit
2008-11-07 17:55:43 ----D---- C:\WINDOWS\LastGood
2008-11-06 10:58:58 ----SHD---- C:\RECYCLER
2008-11-06 02:12:12 ----A---- C:\ComboFix.txt
2008-11-06 01:50:59 ----D---- C:\Program Files\XoftSpySE
2008-11-06 01:42:31 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-06 00:25:55 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-06 00:25:50 ----D---- C:\Program Files\SUPERAntiSpyware
2008-11-06 00:25:50 ----D---- C:\Documents and Settings\Deege\Application Data\SUPERAntiSpyware.com
2008-11-06 00:25:27 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-06 00:25:27 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-06 00:25:27 ----A---- C:\WINDOWS\system32\java.exe
2008-11-06 00:25:27 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-11-06 00:14:49 ----D---- C:\Program Files\CCleaner
2008-11-03 02:32:24 ----D---- C:\Program Files\QuickTime Alternative
2008-10-26 02:47:49 ----D---- C:\WINDOWS\temp
2008-10-26 02:11:03 ----D---- C:\Program Files\EsetOnlineScanner
2008-10-26 02:08:52 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-10-26 02:07:09 ----A---- C:\Boot.bak
2008-10-26 02:07:01 ----D---- C:\cmdcons
2008-10-26 02:05:58 ----A---- C:\WINDOWS\zip.exe
2008-10-26 02:05:58 ----A---- C:\WINDOWS\VFIND.exe
2008-10-26 02:05:58 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-10-26 02:05:58 ----A---- C:\WINDOWS\SWSC.exe
2008-10-26 02:05:58 ----A---- C:\WINDOWS\SWREG.exe
2008-10-26 02:05:58 ----A---- C:\WINDOWS\sed.exe
2008-10-26 02:05:58 ----A---- C:\WINDOWS\NIRCMD.exe
2008-10-26 02:05:58 ----A---- C:\WINDOWS\grep.exe
2008-10-26 02:05:58 ----A---- C:\WINDOWS\fdsv.exe
2008-10-26 02:05:54 ----D---- C:\WINDOWS\ERDNT
2008-10-26 02:05:54 ----D---- C:\Qoobox
2008-10-25 19:56:54 ----A---- C:\WINDOWS\system32\TweakUI.exe
2008-10-25 05:08:56 ----D---- C:\Program Files\Sophos
2008-10-25 05:01:02 ----A---- C:\WINDOWS\gmer.ini
2008-10-25 05:00:49 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-10-25 05:00:49 ----A---- C:\WINDOWS\gmer.exe
2008-10-25 05:00:49 ----A---- C:\WINDOWS\gmer.dll
2008-10-18 06:38:30 ----A---- C:\WINDOWS\rinopref.txt
2008-10-16 03:10:12 ----D---- C:\Program Files\coverXP

======List of files/folders modified in the last 1 months======

2008-11-08 14:35:25 ----D---- C:\WINDOWS\Prefetch
2008-11-08 14:34:26 ----D---- C:\Program Files\Trend Micro
2008-11-08 00:36:27 ----D---- C:\Documents and Settings\Deege\Application Data\dvdcss
2008-11-07 17:58:19 ----HD---- C:\WINDOWS\inf
2008-11-07 17:58:19 ----D---- C:\WINDOWS\system32
2008-11-07 17:58:12 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-07 17:58:12 ----D---- C:\WINDOWS
2008-11-07 17:58:10 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-07 17:55:51 ----D---- C:\WINDOWS\Help
2008-11-07 17:55:43 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-07 08:54:24 ----D---- C:\Program Files\Mozilla Firefox
2008-11-07 08:08:14 ----D---- C:\Temp
2008-11-07 08:08:07 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-07 07:53:42 ----D---- C:\Program Files\Google
2008-11-07 07:53:26 ----D---- C:\WINDOWS\system32\drivers
2008-11-07 07:44:41 ----SD---- C:\WINDOWS\Tasks
2008-11-07 07:44:00 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-06 10:59:47 ----RD---- C:\Program Files
2008-11-06 10:59:47 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-06 02:06:43 ----A---- C:\WINDOWS\system.ini
2008-11-06 02:05:06 ----D---- C:\WINDOWS\AppPatch
2008-11-06 02:05:06 ----D---- C:\Program Files\Common Files
2008-11-06 01:40:22 ----D---- C:\WINDOWS\system32\LogFiles
2008-11-06 01:08:22 ----SHD---- C:\WINDOWS\Installer
2008-11-06 01:08:21 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-06 01:08:21 ----D---- C:\Config.Msi
2008-11-06 01:07:58 ----D---- C:\Program Files\Common Files\Adobe
2008-11-06 01:07:43 ----D---- C:\Program Files\Adobe
2008-11-06 00:48:22 ----SHD---- C:\System Volume Information
2008-11-06 00:48:22 ----D---- C:\WINDOWS\system32\Restore
2008-11-06 00:25:28 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-06 00:25:09 ----D---- C:\Program Files\Java
2008-11-06 00:21:58 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 00:21:32 ----D---- C:\Program Files\GetRight
2008-11-06 00:21:32 ----D---- C:\Documents and Settings\Deege\Application Data\ImgBurn
2008-11-06 00:20:42 ----D---- C:\WINDOWS\Debug
2008-11-06 00:20:40 ----D---- C:\WINDOWS\Minidump
2008-11-03 03:17:12 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-11-03 02:56:14 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-03 02:54:46 ----D---- C:\Program Files\Apple Software Update
2008-11-03 02:36:18 ----D---- C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-11-03 02:32:15 ----D---- C:\Documents and Settings\Deege\Application Data\Apple Computer
2008-10-29 19:47:08 ----D---- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-10-28 04:56:32 ----D---- C:\Program Files\Xara
2008-10-28 04:56:32 ----D---- C:\Program Files\Windows Media Player
2008-10-28 04:56:31 ----D---- C:\Program Files\Windows Media Connect 2
2008-10-28 04:56:31 ----D---- C:\Program Files\Winamp
2008-10-28 04:56:31 ----D---- C:\Program Files\Waves
2008-10-28 04:56:31 ----D---- C:\Program Files\Wal-Mart Music Downloads Store
2008-10-28 04:56:28 ----D---- C:\Program Files\PC Inspector File Recovery
2008-10-28 04:56:27 ----D---- C:\Program Files\Movie Maker
2008-10-28 04:56:21 ----D---- C:\Program Files\Cerberus
2008-10-28 04:56:21 ----D---- C:\Program Files\Bass Chorus
2008-10-28 04:56:21 ----D---- C:\Program Files\AIM
2008-10-28 04:56:20 ----D---- C:\Program Files\DivX
2008-10-28 04:56:19 ----D---- C:\Program Files\Direct Connect
2008-10-28 04:56:18 ----D---- C:\Program Files\Drumagog40
2008-10-28 04:56:17 ----D---- C:\Program Files\Fx ReSound
2008-10-28 04:56:16 ----D---- C:\Program Files\FLAC
2008-10-28 04:56:14 ----D---- C:\Program Files\Kazaa Lite Revolution
2008-10-28 04:56:13 ----D---- C:\Program Files\MicModDX
2008-10-28 04:56:13 ----D---- C:\Program Files\Messenger
2008-10-28 04:56:13 ----D---- C:\Program Files\LiveUpdate
2008-10-28 04:56:13 ----D---- C:\Program Files\LimeWire
2008-10-28 04:56:12 ----D---- C:\Program Files\mobile PhoneTools
2008-10-28 04:56:12 ----D---- C:\Program Files\MKVtoolnix
2008-10-28 04:56:12 ----D---- C:\Program Files\ICQ
2008-10-28 04:56:09 ----AD---- C:\Program Files\ACM
2008-10-26 02:36:02 ----D---- C:\WINDOWS\system32\config
2008-10-26 02:07:09 ----RASH---- C:\boot.ini
2008-10-25 04:20:03 ----D---- C:\Program Files\Soulseek
2008-10-25 02:00:25 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-21 15:24:35 ----A---- C:\WINDOWS\win.ini
2008-10-18 01:13:17 ----D---- C:\Documents and Settings\Deege\Application Data\Vso
2008-10-17 03:03:08 ----D---- C:\Program Files\mIRC
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuweb.dll
2008-10-16 14:13:40 ----A---- C:\WINDOWS\system32\wuaueng.dll
2008-10-16 14:12:22 ----A---- C:\WINDOWS\system32\wucltui.dll
2008-10-16 14:12:20 ----A---- C:\WINDOWS\system32\wuapi.dll
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\wuauclt.exe
2008-10-16 14:09:44 ----A---- C:\WINDOWS\system32\cdm.dll
2008-10-16 14:09:40 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
2008-10-16 14:07:44 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2008-10-16 14:07:14 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\muweb.dll
2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2008-10-16 14:06:48 ----A---- C:\WINDOWS\system32\mucltui.dll
2008-10-16 02:46:19 ----D---- C:\Program Files\Internet Explorer
2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-09 22:16:58 ----D---- C:\My Music

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-01-29 16168]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2008-01-20 33292]
R2 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [2005-11-21 16512]
R2 BT848;WinFast TV2000 XP WDM Video Capture; C:\WINDOWS\system32\drivers\wf2kvcap.sys [2004-10-04 75925]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner; C:\WINDOWS\system32\drivers\wf2ktunr.sys [2004-10-04 36423]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar; C:\WINDOWS\system32\drivers\wf2kxbar.sys [2004-10-04 10005]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ews88mt;EWS88 WDM Audio; C:\WINDOWS\system32\drivers\ews88wdm.sys [2002-06-13 149256]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 MBAMProtector;MBAMProtector; \??\C:\WINDOWS\system32\drivers\mbam.sys []
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-10-05 47360]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2004-04-01 10368]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VIAudio;VIA AC'97 Enhanced Audio Controller (WDM); C:\WINDOWS\system32\drivers\viaudio.sys [2001-09-10 42880]
R3 vulfnths;VIA USB Host Controller Lower Filter; C:\WINDOWS\System32\Drivers\vulfnth.sys [2002-10-24 6912]
R3 vulfntrs;VIA USB Roothub Lower Filter; C:\WINDOWS\System32\Drivers\vulfntr.sys [2003-05-24 11392]
S1 HWIONT;HWIONT; \??\C:\DOCUME~1\Deege\LOCALS~1\Temp\Rar$EX00.016\HWIONT.sys []
S1 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Sandra.sys []
S1 TMPassthruMP;TMPassthruMP; C:\WINDOWS\system32\DRIVERS\TMPassthru.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 DSDrv4;DSDrv4; \??\C:\PROGRA~1\DScaler\DSDrv4.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-10-25 85969]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\5.tmp []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 pae_1394;pae_1394; C:\WINDOWS\System32\Drivers\pae_1394.sys [2005-06-09 111616]
S3 pae_avs;pae_avs; C:\WINDOWS\System32\Drivers\pae_avs.sys [2005-06-09 27136]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbbus;LGE CDMA Composite USB Device; C:\WINDOWS\system32\DRIVERS\lgusbbus.sys [2007-04-09 12672]
S3 UsbDiag;LGE CDMA USB Serial Port; C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys [2007-04-09 21248]
S3 USBModem;LGE CDMA USB Modem; C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys [2007-04-09 22912]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WFIOCTL;WFIOCTL; \??\C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS []
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-06 152984]
R2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-10-22 170640]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 spupdsvc;Windows Service Pack Installer update service; C:\WINDOWS\system32\spupdsvc.exe [2007-08-10 26488]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
S4 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-02-15 72704]
S4 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]
S4 BNNQWP;BNNQWP; C:\DOCUME~1\Deege\LOCALS~1\Temp\BNNQWP.exe [2008-11-06 498560]
S4 BTDZ;BTDZ; C:\DOCUME~1\Deege\LOCALS~1\Temp\BTDZ.exe []
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 KService;KService; C:\Program Files\Kontiki\KService.exe [2007-03-15 3069512]
S4 NFSTE;NFSTE; C:\DOCUME~1\Deege\LOCALS~1\Temp\NFSTE.exe []
S4 QBQKRDDKN;QBQKRDDKN; C:\DOCUME~1\Deege\LOCALS~1\Temp\QBQKRDDKN.exe []
S4 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2004-10-29 86016]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.04 2008-11-08 14:35:32

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ac3Tool (remove only)-->"C:\Program Files\BlackSunSoft.net\Ac3Tool\uninstall-Ac3Tool.EXE"
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Audition 1.0-->MsiExec.exe /I{81E76DE9-BBCB-449C-91BB-6E4E5436D496}
Adobe Audition 2.0-->msiexec /I {01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}
Adobe Audition 3.0-->msiexec /I {53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}
Adobe Help Center 2.0-->MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Ahead Nero Burning ROM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
AMP Font Viewer-->"C:\Program Files\AMP Font Viewer\uninstall.exe"
AmpegSVX-->C:\Program Files\InstallShield Installation Information\{CF1D7323-8A0A-49C7-83B0-088DB90721E2}\setup.exe -runfromtemp -l0x0009 uninstall -removeonly
AmpliTube2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB6691DA-66D3-412E-9853-641CF7D0C35A}\Setup.exe" -l0x9 uninstall
Antares Autotune DX v4.12-->C:\PROGRA~1\Antares\AUTOTU~1\ANTARE~1\UNWISE.EXE C:\PROGRA~1\Antares\AUTOTU~1\ANTARE~1\INSTALL.LOG
Antares Microphone Modeler 1.31 DirectX-->C:\PROGRA~1\MicModDX\UNWISE.EXE C:\PROGRA~1\MicModDX\INSTALL.LOG
AOL HI-Q Video-->C:\Program Files\Kontiki\HiQUninstaller.exe
AOL Instant Messenger-->C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support-->MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Axialis AX CDPlayer 2.6-->C:\Program Files\Axialis\AXCDPlayer\UnInstall.exe "AXCDPlayer" "AXCDPlay.exe"
BadCopy Pro-->C:\PROGRA~1\Jufsoft\BadCopy\UNWISE.EXE C:\PROGRA~1\Jufsoft\BadCopy\INSTALL.LOG
BBE Sonic Maximizer Plugin-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BBE\BBE Sonic Maximizer Plugin\Uninst.isu"
BitTornado 0.3.17-->C:\Program Files\BitTornado\uninst.exe
Canon IXY 300a, PowerShot S330, IXUS 330 WIA Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{EC801A21-7DDA-4730-ADCF-ADD403C405A7}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CDex extraction audio-->"C:\Program Files\CDex_150\uninstall.exe"
Cerberus FTP Server-->MsiExec.exe /I{5C635813-A908-4F35-9699-A30F34DCF7A9}
Cool Edit Pro 2.0-->C:\Program Files\coolpro2\cep2unin.exe
CoreFLAC Audio Decoder+Source Filter (remove only)-->"C:\WINDOWS\system32\CoreFLACDecoder-uninstall.exe"
Corel Business Applications-->E:\Corel\AppMan\Setup\remove.exe
Corel Paint Shop Pro X-->MsiExec.exe /I{1A15507A-8551-4626-915D-3D5FA095CC1B}
coverXP (remove only)-->"C:\Program Files\coverXP\cxp-uninst.exe"
CuteFTP 8 Professional-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91F34319-08DE-457A-99C0-0BCDFAC145B9}\Setup.exe" -l0x9
DeadAIM-->MsiExec.exe /I{0F8F3415-CB0A-49A6-A23A-D8390444B127}
Digital Media Converter 2.57-->"C:\Program Files\Deskshare\Digital Media Converter\unins000.exe"
Direct Connect 2.0-->C:\WINDOWS\iun6002.exe "C:\Program Files\Direct Connect\irunin.ini"
DiscWizard for Windows-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}\Setup.exe"
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Drumagog 4-->C:\WINDOWS\iun6002.exe "C:\Program Files\Drumagog40\irunin.ini"
DScaler 4.1.10-->"C:\Program Files\DScaler\unins000.exe"
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Flick-->"C:\Program Files\DVD Flick\unins000.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.6.0-->"C:\Program Files\DVDFab 5\unins000.exe"
DVDFab Platinum 3.0.5.0-->"C:\Program Files\DVDFab Platinum 3\unins000.exe"
Easy AVI/VCD/DVD/MPEG Converter-->"C:\Program Files\Easy AVI VCD DVD MPEG Converter\unins000.exe"
EasyRecovery Professional-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{268723B7-A994-4286-9F85-B974D5CAFC7B} /l1033
eMule-->"C:\Program Files\eMule\Uninstall.exe"
ESET Online Scanner-->C:\WINDOWS\system32\OnlineScannerUninstaller.exe
EWS88 MT/D ControlPanel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{70FED6A0-574B-11D4-8398-0800096F616B}\Setup.exe" -uninst
EZdrummer-->MsiExec.exe /I{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}
FLAC Installer 1.1.3b (remove only)-->C:\Program Files\FLAC\uninstall.exe
FontFrenzy-->MsiExec.exe /X{A52ACD6B-238E-44C8-90B5-C57BA8926C57}
Fx ReSound-->C:\PROGRA~1\FXRESO~1\UNWISE.EXE C:\PROGRA~1\FXRESO~1\INSTALL.LOG
GetRight-->C:\Program Files\GetRight\GETRIGHT.EXE /UNINSTALL
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HxD Hex Editor version 1.7.6.3-->"C:\Program Files\HxD\unins000.exe"
ICQ-->C:\PROGRA~1\ICQ\ICQUninstall.EXE
ieSpell 2.2.0 (build 647)-->"C:\Program Files\ieSpell\uninst.exe"
IK Multimedia Amplitube DX/VST/RTAS v2.0-->C:\PROGRA~1\IKMULT~1\AMPLIT~1\UNWISE.EXE C:\PROGRA~1\IKMULT~1\AMPLIT~1\INSTALL.LOG
ImgBurn (Remove Only)-->"C:\Program Files\ImgBurn\uninstall.exe"
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVR 3-->"C:\Program Files\InstallShield Installation Information\{6BF4613C-0A46-43AA-8FA8-0CB9F2C1A548}\setup.exe" REMOVEALL
IsoBuster 2.0-->"C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
iTunes-->MsiExec.exe /I{3DE0053C-FD9A-483E-B7C9-B06E4392206E}
iZotope Ozone DX v2.0.1-->C:\PROGRA~1\iZotope\OzoneDX2\UNWISE.EXE C:\PROGRA~1\iZotope\OzoneDX2\INSTALL.LOG
Java™ 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kazaa Lite Revolution 2.6 English-->"C:\Program Files\Kazaa Lite Revolution\unins000.exe"
K-Lite Codec Pack 4.1.7 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
LimeWire PRO 4.10.0-->"C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate BVRP Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
Macromedia Dreamweaver MX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash 8-->MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash MX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaPortal-->MsiExec.exe /I{E95FD367-B0A7-420B-A95A-E8888D3C0C99}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall
MKVtoolnix 2.2.0-->C:\Program Files\MKVtoolnix\uninst.exe
mobile PhoneTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
Motorola Handset USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44B3522B-195C-488D-84AC-9526FA99CB73}\Setup.exe"
Move Networks Player for Internet Explorer-->"C:\Documents and Settings\Deege\Application Data\Move Networks\ie_bin\unins000.exe"
Mozilla Firefox (2.0.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mpeg2Decoder 1.1-->"C:\Program Files\Mpeg2Decoder\unins000.exe"
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MySpaceIM-->C:\Program Files\MySpace\IM\Uninstall.exe
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Netscape (7.1)-->C:\WINDOWS\NSUninst.exe /ua "7.1b1 (en)"
Nomad Factory Rock Amp Legends VST v1.0-->C:\PROGRA~1\STEINB~1\VSTPLU~1\NOMADF~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\NOMADF~1\INSTALL.LOG
Paint Shop Pro 7 Try And Buy-->MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PayPal Plug-In-->C:\Program Files\InstallShield Installation Information\{73317C31-2B6E-4B88-9865-B97C1331A39D}\setup.exe -runfromtemp -l0x0009 -removeonly
PC Inspector File Recovery-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9
PE Builder 3.1.10-->"c:\pebuilder3110a\unins000.exe"
PHASE 88 ControlPanel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FEF82C7B-A738-4EE2-9600-39895B21506F}\setup.exe" -l0x9
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
PreSonus 1394 Audio Driver V2.14.25 (FIREPOD)-->C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\uninst.exe Software\PreSonus\1394AudioDriver_FIREPOD\Setup
PrimoPDF Redistribution Package-->MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
PrimoPDF-->"C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml"
PSP VintageWarmer 2.0.0-->"C:\Program Files\PSPaudioware\PSP VintageWarmer 2.0.0\uninstall.exe" "/U:C:\Program Files\PSPaudioware\PSP VintageWarmer 2.0.0\irunin.xml"
QuickTime Alternative 2.7.0-->"C:\Program Files\QuickTime Alternative\unins000.exe"
RapidLeecher-->MsiExec.exe /I{B3940EA5-7872-487E-AF15-CF20DBD65F1B}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Renamer (remove only)-->"C:\Program Files\Renamer\UnInstall.exe"
ReValver-->C:\Audio\ReValver\UNWISE.EXE C:\Audio\ReValver\INSTALL.LOG
RichFX Player-->RunDll32 C:\PROGRA~1\COMMON~1\RichFX\npvpg004.dll,Uninstall_Player
Riva FLV Encoder 2.0-->"C:\Program Files\Riva\Riva FLV Encoder 2.0\unins000.exe"
Riva Producer Lite-->"C:\Program Files\Riva\Riva Producer Lite\unins000.exe"
River Past Audio Converter-->C:\WINDOWS\Audio Converter Uninstaller.exe
SeaTools for Windows-->MsiExec.exe /I{98613C99-1399-416C-A07C-1EE1C585D872}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SmartFTP-->MsiExec.exe /I{11C762F9-95EA-486A-A8E7-683A50C231C1}
Sophos Anti-Rootkit 1.3.1-->C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove
Sothink SWF Decompiler-->"C:\Program Files\SourceTec\Sothink SWF Decompiler\unins000.exe"
Soulseek Client 152-->C:\WINDOWS\UnGins.exe "C:\Program Files\Soulseek\install.log"
SoulSeek Client 156c-->"C:\Program Files\Soulseek\uninstall.exe"
Sowedoo Easy PDF Converter 6.0-->MsiExec.exe /I{91C6161E-1F6E-4907-B37A-27D520BDC070}
SpinAudio VSTDX Wrapper 1.0 Demo-->C:\Program Files\Spin Audio\VSTDX Wrapper\wruninst.exe
SpinAudio VST-DX Wrapper Lite-->C:\Program Files\Spin Audio\VSTDX Wrapper Lite\wluninst.exe
Spybot - Search & Destroy 1.5.2.20-->"C:\WINDOWS\unins001.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Steinberg Cubase LE-->"C:\Program Files\Steinberg\Cubase LE\Uninstall.exe" "C:\Program Files\Steinberg\Cubase LE\Install.log"
Steinberg Freefilter v1.2-->C:\PROGRA~1\SPECTR~1\FREEFI~1\UNWISE.EXE C:\PROGRA~1\SPECTR~1\FREEFI~1\INSTALL.LOG
Streambox Vcr Suite 2-->"C:\Program Files\StreamboxVcrSuite2\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SurfOffline (remove only)-->"C:\Program Files\SurfOffline\uninstall.exe"
The FilmMachine 1.5.4-->"C:\Program Files\The FilmMachine\unins000.exe"
TMPGEnc 4.0 XPress-->MsiExec.exe /I{FC5495CB-CDA5-4DCE-99DF-D1567DAF5A86}
T-RackS 24 Demo-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IK Multimedia\T-RackS 24 Demo\Uninst.isu"
T-RackS 24 v2.0.1-->C:\Audio\IKMULT~1\T-RACK~1\UNWISE.EXE C:\Audio\IKMULT~1\T-RACK~1\INSTALL.LOG
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Ulead Straight-to-Disc SDK-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D2C1E44-7685-4D05-8342-B0DC6422FA47}\Setup.exe" -l0x9
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
URL Snooper v2.03.08-->"C:\Program Files\URLSnooper2\unins000.exe"
V CAST Music Manager -->C:\PROGRA~1\VERIZO~1\VCASTM~1\Setup.exe /remove /q0
VB:FFX-4 Rack-->C:\Program Files\VB\FFX4\uninst.exe C:\Program Files\VB\FFX4
VideoLAN VLC media player 0.8.2-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VOB2MPG 2.3-->MsiExec.exe /I{78EFA95D-3310-4035-815B-A46BA4D0C6FA}
VobSub v2.23 (Remove Only)-->"C:\Program Files\Gabest\VobSub\uninstall.exe"
Wal-Mart Music Downloads Store-->MsiExec.exe /I{DC9E2F1C-CC14-41B0-AFF5-2AFE87B76A1F}
Warp VST V1.0-->C:\WARPVS~1.0\UNWISE.EXE C:\WARPVS~1.0\INSTALL.LOG
Waves Diamond Bundle v5.0-->C:\PROGRA~1\Waves\UNINST~1\UNWISE.EXE C:\PROGRA~1\Waves\UNINST~1\INSTALL.LOG
Waves Vocal Bundle v1.1-->C:\PROGRA~1\Waves\AIRLOG~1\WAVESV~1\UNWISE.EXE C:\PROGRA~1\Waves\AIRLOG~1\WAVESV~1\INSTALL.LOG
Web Album Generator 1.6.5-->"C:\Program Files\Web Album Generator\unins000.exe"
Web Image Guru, version 5.5.7-->C:\PROGRA~1\VIMAS\WEBIMA~1\UNWISE.EXE C:\PROGRA~1\VIMAS\WEBIMA~1\INSTALL.LOG
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
WinAVIVideoConverter-->"C:\Program Files\WinAVIVideoConverter\unins000.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Support Tools-->MsiExec.exe /I{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}
Windows Vista Upgrade Advisor-->MsiExec.exe /I{B79FBFDD-8B0C-4B8E-B70E-499E39978281}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinFast Entertainment Center(WDM Driver)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE4AA694-815A-4045-BD49-C94F2BED7458}\setup.exe"
WinFast PVR-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C882DE6B-1482-42D6-A7C2-A9F946EDBAF6}\setup.exe"
WinFast TV USB II(Driver)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5F3D1B82-82EE-410B-8BD3-38671F6B64F8}\Setup.exe" -l0x9 -removeonly
WinPcap 3.1 beta4-->"C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xara Dreamweaver Extension 1.03-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4498655A-94A6-4F12-929B-D8D6DCA5E0AF}\setup.exe" -l0x9
Xara Menu Maker 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{123D74B2-4F4F-4056-8313-5F1C9FEE332E}\setup.exe"
Xara Webstyle 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B1656A3E-2744-48B2-95EA-52C4A316551B}\setup.exe" -l0x9
Yahoo! Internet Mail-->C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Photos Print-at-Home Tool-->C:\WINDOWS\unins000.exe

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Support Tools;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

SDMFdeeger

Nov 8 2008, 07:46 PM

GMER does not warn me of rootkit activity - however, after a minute or two into the rootkit scan, my computer automatically restarts itself with no warning. I tried it twice - the 2nd time it restarted right around the time it was scanning the /devices/

Dakeyras

Nov 8 2008, 10:08 PM

QUOTE (SDMFdeeger @ Nov 8 2008, 07:46 PM)

Ok I will address this issue in my next post, in the meantime please refrain from running any self fixes and or installing any security related applications please. As this will actually hinder the malware removal process, thank you.

Also you appear to have several P2P applications installed, please refrain form using these please for this reason:

QUOTE

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice avoid these types of software applications.

In the meantime please carry out one of my prior instructions as this is very necessary!

QUOTE (Dakeyras @ Nov 8 2008, 01:19 PM)

Note: If you actually do have a Anti-Virus software installed and it is either been disabled or inactive due to the malware infections present, do not carry out the below and inform myself in your next reply please, thank you.

Please bare in mind the fact I am unavailable all day Sunday and I will post back with the next course of action this coming Monday, thank you.

Dakeyras

Nov 10 2008, 12:55 PM

Some advice about the recently installed application SUPERAntiSpyware:

CAUTION: SuperAntiSpyware comes with a program called Bootsafe, do not for any reason use this program, if used on an infected computer it could render it UNBOOTABLE.

Next:

Since you have recently run the application ComboFix, I would like to view the log produced please, it can be located here:

Using Windows Explorer (to get there right-click your Start button and go to "Explore")

C:\ComboFix.txt

When completed the above, please post back the following:

ComboFix.txt
A new HijackThis Log

SDMFdeeger

Nov 10 2008, 01:13 PM

ComboFix 08-11-05.02 - Deege 2008-11-06 2:02:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639 [GMT -5:00]
Running from: c:\documents and settings\Deege\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-06 01:50 . 2008-11-06 01:55 <DIR> d-------- c:\program files\XoftSpySE
2008-11-06 01:38 . 2008-11-06 01:38 <DIR> d-------- c:\windows\system32\drivers\moved
2008-11-06 00:25 . 2008-11-06 00:25 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-06 00:25 . 2008-11-06 00:25 <DIR> d-------- c:\documents and settings\Deege\Application Data\SUPERAntiSpyware.com
2008-11-06 00:25 . 2008-11-06 00:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-06 00:25 . 2008-11-06 00:25 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-06 00:14 . 2008-11-06 00:14 <DIR> d-------- c:\program files\CCleaner
2008-11-06 00:04 . 2008-11-06 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-03 03:17 . 2008-09-06 15:09 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-03 03:17 . 2008-09-06 15:09 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-11-03 02:32 . 2008-11-03 03:17 <DIR> d-------- c:\program files\QuickTime Alternative
2008-10-26 02:11 . 2008-10-26 02:19 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-10-26 02:08 . 2008-10-26 02:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-10-25 19:56 . 2003-06-25 15:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2008-10-25 19:56 . 2002-06-21 14:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2008-10-25 19:42 . 2008-10-25 19:42 <DIR> d-------- c:\documents and settings\Administrator.DEEGER\Application Data\Malwarebytes
2008-10-25 19:34 . 2008-10-25 19:34 0 --a------ c:\windows\system32\SEF
2008-10-25 05:08 . 2008-10-25 05:08 <DIR> d-------- c:\program files\Sophos
2008-10-25 05:01 . 2008-10-25 19:51 250 --a------ c:\windows\gmer.ini
2008-10-24 04:25 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 18:42 . 2008-10-21 18:42 0 --a------ c:\windows\system32\CIYZYF
2008-10-21 18:39 . 2008-10-21 18:39 0 --a------ c:\windows\system32\ERRYNGLEYNC
2008-10-21 10:54 . 2008-10-21 15:43 7 --a------ c:\windows\system32\axt.bin
2008-10-21 10:34 . 2008-10-21 10:34 8,576 --a------ c:\windows\system32\drivers\TMPassthru.sys
2008-10-21 10:34 . 2008-10-21 10:34 664 --a------ c:\windows\system32\adr95.bin
2008-10-16 03:10 . 2008-10-16 03:10 <DIR> d-------- c:\program files\coverXP
2008-10-15 20:51 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 20:50 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 20:50 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 20:50 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 20:50 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 20:50 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 06:07 --------- d-----w c:\program files\Common Files\Adobe
2008-11-06 06:06 --------- d-----w c:\program files\Google
2008-11-06 05:25 --------- d-----w c:\program files\Java
2008-11-06 05:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-06 05:21 --------- d-----w c:\program files\GetRight
2008-11-06 05:21 --------- d-----w c:\documents and settings\Deege\Application Data\ImgBurn
2008-11-06 05:21 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 05:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-05 07:13 --------- d-----w c:\documents and settings\Deege\Application Data\dvdcss
2008-11-03 08:17 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-03 07:54 --------- d-----w c:\program files\Apple Software Update
2008-11-03 07:36 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-11-03 07:32 --------- d-----w c:\documents and settings\Deege\Application Data\Apple Computer
2008-10-30 00:47 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-25 09:56 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-25 09:20 --------- d-----w c:\program files\Soulseek
2008-10-22 20:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 20:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-18 06:13 --------- d-----w c:\documents and settings\Deege\Application Data\Vso
2008-10-17 08:03 --------- d-----w c:\program files\mIRC
2008-10-05 06:54 --------- d-----w c:\program files\DVDFab 5
2008-10-05 06:47 --------- d-----w c:\program files\DVDFab Platinum 3
2008-10-05 06:46 87,608 ----a-w c:\documents and settings\Deege\Application Data\ezpinst.exe
2008-10-05 06:46 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-10-05 06:46 47,360 ----a-w c:\documents and settings\Deege\Application Data\pcouffin.sys
2008-10-04 21:08 --------- d-----w c:\documents and settings\Deege\Application Data\DVD Flick
2008-09-29 06:44 --------- d-----w c:\program files\MSN Messenger
2008-09-29 05:37 --------- d-----w c:\documents and settings\Deege\Application Data\Media Player Classic
2008-09-17 05:47 --------- d-----w c:\program files\Common Files\Ahead
2008-09-17 05:47 --------- d-----w c:\program files\Ahead
2008-09-17 05:29 --------- d-----w c:\documents and settings\All Users\Application Data\zozqrebg
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 02:32 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-14 12:21 --------- d-----w c:\program files\Trend Micro
2008-09-14 12:12 --------- d-----w c:\program files\FTP Explorer
2008-09-14 11:55 --------- d-----w c:\documents and settings\Deege\Application Data\GlobalSCAPE
2008-09-14 11:53 --------- d-----w c:\program files\GlobalSCAPE
2008-09-14 08:18 --------- d-----w c:\program files\SmartFTP Client 2.0 Setup Files
2008-09-13 08:00 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-09-13 01:56 --------- d-----w c:\documents and settings\Deege\Application Data\Malwarebytes
2008-09-13 01:56 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-09-13 00:51 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2005-12-14 06:13 36 ----a-w c:\documents and settings\Deege\klextlock.dat
2002-04-16 15:26 333 ----a-w c:\program files\about
2002-04-16 14:35 195,072 ----a-w c:\program files\lame.exe
2002-04-16 14:35 145,920 ----a-w c:\program files\lame_enc.dll
2002-01-22 05:24 25,632 ----a-w c:\program files\USAGE
2002-01-22 05:19 1,801 ----a-w c:\program files\README
2001-02-05 10:56 707 ----a-w c:\program files\LICENSE
2000-03-08 12:37 30 ----a-w c:\program files\FILE_ID.DIZ
1999-11-24 17:40 25,292 ----a-w c:\program files\COPYING
2008-06-21 06:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062120080622\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-10-26_ 3.46.52.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2008-11-06 06:06:45 26,694 ----a-r c:\windows\Installer\{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}\ARPPRODUCTICON.exe
+ 2008-11-06 06:06:45 26,694 ----a-r c:\windows\Installer\{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2008-11-06 06:06:45 26,694 ----a-r c:\windows\Installer\{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2008-11-06 06:06:45 26,694 ----a-r c:\windows\Installer\{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2008-11-06 06:06:45 26,694 ----a-r c:\windows\Installer\{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2008-11-06 06:06:45 26,694 ----a-r c:\windows\Installer\{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
+ 2008-11-03 07:53:13 27,136 ----a-r c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2008-11-06 06:08:20 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-11-06 05:25:53 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-11-06 05:25:53 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2000-08-31 12:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2007-09-25 03:30:28 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-11-06 05:25:12 144,792 ----a-w c:\windows\system32\java.exe
- 2007-09-25 03:30:30 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-06 05:25:12 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-09-25 04:31:42 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-06 05:25:12 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-06-21 06:20:32 63,528 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-03 07:56:14 63,528 ----a-w c:\windows\system32\perfc009.dat
- 2008-06-21 06:20:32 406,328 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-03 07:56:14 406,328 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-06 06:42:45 16,384 ----atw c:\windows\temp\Perflib_Perfdata_770.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-06 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

c:\documents and settings\Deege\Start Menu\Programs\Startup\
Shortcut to Cerberus.exe.lnk - c:\program files\Cerberus\Cerberus.exe [2006-09-11 3481600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
FirePod Control Panel.lnk - c:\program files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe [2007-03-09 1069056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TMPassthru.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Deege^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Deege\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Deege^Start Menu^Programs^Startup^Cerberus FTP Server.lnk]
path=c:\documents and settings\Deege\Start Menu\Programs\Startup\Cerberus FTP Server.lnk
backup=c:\windows\pss\Cerberus FTP Server.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Deege^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=c:\documents and settings\Deege\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=c:\windows\pss\GetRight - Tray Icon.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Deege^Start Menu^Programs^Startup^Shortcut to Cerberus.exe.lnk]
path=c:\documents and settings\Deege\Start Menu\Programs\Startup\Shortcut to Cerberus.exe.lnk
backup=c:\windows\pss\Shortcut to Cerberus.exe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gkityqda]
c:\documents and settings\Deege\My Documents\?ymbols\t?skmgr.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-08-10 10:37 61440 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-22 19:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a------ 2004-04-10 22:51 144896 c:\progra~1\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-03-15 14:57 1033800 c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 20:47 8720384 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-20 02:05 217088 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 02:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwPrnMon]
-ra------ 2005-09-29 14:20 548864 c:\program files\Common Files\Sowedoo Shared\Sowedoo PDF Printer V4\SwPrnMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-12 04:23 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
--a------ 2005-02-16 23:03 106496 c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
--a------ 2005-05-04 16:51 282624 c:\program files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"iPodService"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Cerberus\\Cerberus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Direct Connect\\Direct Connect.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Team MediaPortal\\MediaPortal\\MediaPortal.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-10-21 8576]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2004-10-04 75925]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-11-06 152984]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2004-10-04 36423]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kxbar.sys [2004-10-04 10005]
R3 ews88mt;EWS88 WDM Audio;c:\windows\system32\drivers\ews88wdm.sys [2002-06-13 149256]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\5.tmp [ ]
S3 pae_1394;pae_1394;c:\windows\system32\Drivers\pae_1394.sys [2005-06-09 111616]
S3 pae_avs;pae_avs;c:\windows\system32\Drivers\pae_avs.sys [2005-06-09 27136]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 9446]
S4 BTDZ;BTDZ;c:\docume~1\Deege\LOCALS~1\Temp\BTDZ.exe [ ]
S4 NFSTE;NFSTE;c:\docume~1\Deege\LOCALS~1\Temp\NFSTE.exe [ ]
S4 QBQKRDDKN;QBQKRDDKN;c:\docume~1\Deege\LOCALS~1\Temp\QBQKRDDKN.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe -auto
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\859B293E9A10D756.job
- c:\docume~1\deege\applic~1\2comp~1\roam vc mfcd.exe []

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Deege\Application Data\Mozilla\Firefox\Profiles\8kqe0byr.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 02:06:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5.tmp"
.
Completion time: 2008-11-06 2:12:10
ComboFix-quarantined-files.txt 2008-11-06 07:11:08
ComboFix2.txt 2008-10-26 07:47:48

Pre-Run: 53,312,679,936 bytes free
Post-Run: 53,318,746,112 bytes free

279 --- E O F --- 2008-10-25 07:01:15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:08 AM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mms.beer.com/
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Shortcut to Cerberus.exe.lnk = C:\Program Files\Cerberus\Cerberus.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163579087109
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: ZKMP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Deege\LOCALS~1\Temp\ZKMP.exe

--
End of file - 6491 bytes

Dakeyras

Nov 10 2008, 09:27 PM

Could you explain please as too the reason no Anti-Virus software has been installed. Is this due to your own choice and or some problem installing the aforementioned?

Next:

Before commencing with any of the below please make sure you are logged into the Computer Administrator account for this machine.

Your Adobe Reader is out of date:

Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9 to your PC's desktop.

Uninstall Adobe Reader 8.1.2 via Start > Control Panel > Add/Remove Programs
Install the new downloaded updated software.

Note: Adobe (Acrobat) 9 is a large program and if you prefer a smaller program you can get Foxit 2.3 instead.

Next:

You have a old version of Java presently installed. Older versions may have vulnerabilities that malware can use to infect your system. Removing this will not affect your current up to date version.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Java™ 6 Update 3

Next:

Since you already have the ESET Online Scanner installed please carry out the following:

Go here to run an online scanner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

When completed the above, please post back the following:

Eset log.
A new HijackThis Log.

SDMFdeeger

Nov 11 2008, 02:08 PM

I don't have any antivirus programs installed, because quite frankly, they bug me. They usually tend to slow down my computer and bother me more than viruses do LOL (But I do use online scanners very frequently), not to mention Malwarebytes, Spybot, Adaware, etc.

I will run these scanners and post these logs in a few mins.

SDMFdeeger

Nov 11 2008, 03:44 PM

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3602 (20081111)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=aa1c40cf4095634183a71abf3849a6c6
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-11 03:37:31
# local_time=2008-11-11 10:37:31 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=462888
# found=7
# scan_time=5040
C:\Documents and Settings\Deege\Desktop\Deege's Stuff\Programs\overnet0.52.exe Win32/Adware.UCmore application C86B34078C12A472F5C1933EEA714B7A
C:\Documents and Settings\Deege\Desktop\Deege's Stuff\Programs\overnet0.52.exe »NSIS »UCmoreIEx.EXE Win32/Adware.UCmore application 00000000000000000000000000000000
C:\Documents and Settings\Deege\Desktop\Deege's Stuff\Programs\overnet0.52.exe »NSIS »UCmoreIEx.EXE »WISE »IUCmore.dll Win32/Adware.UCmore application 00000000000000000000000000000000
C:\Documents and Settings\Deege\Desktop\Deege's Stuff\Programs\overnet0.52.exe »NSIS »UCmoreIEx.EXE »WISE »IUCmore.dll Win32/Adware.UCmore application 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application E0D92AC5FDD264E4ED40D45C75934F1B
C:\Program Files\AIM\Sysfiles\WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\moved\TMPassthru.sys a variant of Win32/Spy.Goldun.NDP trojan 237116535DE1CAC8B8BBD4F54F1082E4

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:42 AM, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mms.beer.com/
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Shortcut to Cerberus.exe.lnk = C:\Program Files\Cerberus\Cerberus.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163579087109
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: ZKMP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Deege\LOCALS~1\Temp\ZKMP.exe

--
End of file - 6701 bytes

SDMFdeeger

Nov 11 2008, 03:47 PM

The reason that this file below is in the directory /moved/ is because I moved 3 files that I suspected may be re-creating problem files into that directory.

C:\WINDOWS\system32\drivers\moved\TMPassthru.sys

Dakeyras

Nov 12 2008, 07:15 PM

QUOTE

It really is not a good idea not to install a Anti-Virus application and just relying on the various on-line scanners as these for the most part merely highlight a infection and do not remove malware.

QUOTE

Anti-Virus or Anti-Virus Software, this type of software utility is designed to protect a stand alone computer or within a networked environment against computer virus vulnerabilities, if access to the Internet (world wide web) is in use.
Viruses are constantly being evolved by spurious types to attack, mimic and take advantage of flaws in operating systems with out adequate updated security patches and or a updated frequently used protection utility.
If and when a virus is detected the computer will prompt the user for a course of action to be taken, depending on the type of software utility installed/in use.

Since re-infection under your present conditions is a certainty, when you need help again due to running P2P programs and/or no AntiVirus, you may be refused help. You really need to be ready to Reformat and Re-install Windows.

I am only posting this with a interest to both your own and systems online safety.

Before commencing with any of the below please make sure you are logged into the Computer Administrator account for this machine.

Please download OTMoveIT3 to your Desktop.

Double-click OTMoveIt3.exe to start the program.
Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):

CODE

:processes
explorer.exe

:Files
C:\WINDOWS\system32\drivers\moved\TMPassthru.sys
C:\Program Files\AIM\Sysfiles\WxBug.EXE
C:\Documents and Settings\Deege\Desktop\Deege's Stuff\Programs\overnet0.52.exe

:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]

Return to OTMoveIt3, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
Then click the red MoveIt! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
If OTMoveIt asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Close OTMoveIt3.

When completed the above, please post back the following:

Inform myself how your computer is running.
OTMoveIt3 Log.
A new HijackThis Log.

SDMFdeeger

Nov 13 2008, 12:20 AM

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\drivers\moved\TMPassthru.sys moved successfully.
C:\Program Files\AIM\Sysfiles\WxBug.EXE moved successfully.
C:\Documents and Settings\Deege\Desktop\Deege's Stuff\Programs\overnet0.52.exe moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_798.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11122008_191256

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_798.dat not found!

SDMFdeeger

Nov 13 2008, 12:20 AM

Also, when I started internet explorer, it gave me some warning saying that the system had recovered from a serious error (probably had to do with the attempted delete of that index.dat file maybe?

SDMFdeeger

Nov 13 2008, 12:22 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:12 PM, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
C:\Program Files\Cerberus\Cerberus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mms.beer.com/
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\DEEGE\\APPLICATION DATA\\Mozilla\\Profiles\\default\\ivskorpv.slt");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Deege\\Desktop");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage", "http://home.netscape.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", true);
user_pref("editor.history_title_0", "www.SDMFworldwide.com ~ View topic - T
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Shortcut to Cerberus.exe.lnk = C:\Program Files\Cerberus\Cerberus.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163579087109
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: ZKMP - Unknown owner - C:\DOCUME~1\Deege\LOCALS~1\Temp\ZKMP.exe (file missing)

--
End of file - 6690 bytes

SDMFdeeger

Nov 13 2008, 12:30 AM

My computer does seem to be running faster than it has in awhile - could be my imagination though lol

Dakeyras

Nov 13 2008, 12:34 PM

QUOTE

Also, when I started internet explorer, it gave me some warning saying that the system had recovered from a serious error (probably had to do with the attempted delete of that index.dat file maybe?

That is fine.

QUOTE

My computer does seem to be running faster than it has in awhile - could be my imagination though lol

Good

Congratulations your computer appears to be malware free!

I just have a few clean up process's for your good self to carry out and advice about security and on-line safety etc.

Reset the system restore points:

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start >> All Programs >> Accessories >> System Tools >> System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:

Next click Start >> Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

Clean up with OTMoveIt3

Double-click OTMoveIt3.exe to start the program.
Close all other programs apart from OTMoveIt2 as this step will require a reboot
On the OTMoveIt main screen, press the CleanUp! button
Say Yes to the prompt and then allow the program to reboot your computer.

Next:

There is no sign of a software firewall installed on your system. Regardless if using a hardware type and or using the inbuilt Windows Service Pack 3 firewall this is a necessary application as it will also provide outbound protection where as the aforementioned do not..

I highly advise you download ONE of the following firewalls and install it. Restart the computer for changes to take effect.

Very Important!:

You appear to have no Anti-Virus software installed and running. This is a very unsafe practice when accessing the internet and most likely the cause of your malware problems. Download just one only of the two free anti-virus programs listed below please and Install>> Update >> Carry Out a Complete Scan. Have it fix anything it finds.

Next:

This article is a excellent resource regarding the aforementioned firewalls: Understanding and Using Firewalls

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is a excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Keep your system updated:

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

Alternatively, you can visit the link below to update Windows:

Windows Update

Be careful when opening attachments and downloading files:

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts:

Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly:

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Make your Internet Explorer safer:

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Avoid Peer to Peer software:

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice avoid these types of software applications.

Prevent a re-infection:

Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:
MVPS Hosts File
Bluetack's Hosts File
Bluetack's Host Manager
hpHosts.

Only use one of the above.

Finally a educational source:

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.