Malwarebytes Forum > Please Help! MWB, Hijack This and ComboFix won't run..

Full Version: Please Help! MWB, Hijack This and ComboFix won't run..

Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs

SIR CHEECH

Aug 11 2009, 09:32 PM

Hi,

I really appreciate any help or guidance you might be able to give me in regards to my infected computer. I cannot get MWB to run or update, nor will Hijack This or ComboFix run.

The initial clue that my computer was infected was that, google links were not opening properly in new windows in addition to strange music playing in the background. I did find a process running called a.exe, when i stopped that process the music stopped. I then I did a windows search for a.exe and found nothing, so I tried a search with hidden files and found it in the system folder somewhere, I trashed a.exe so the music has stopped but the google linking problem persists. Upon reflection this may not have been the best course of action (i'll let you be the judge) but it seemed like a good idea at the time since the anti-virus and spyware programs I had at the time weren't doing the trick. I was using AVG Free and Spybot. Both have been removed to the best of my ability (uninstalled), i don't see their processes anymore in the task manager.

I have installed Avira AntiVir Personal and was able to update that and do a scan. Several rootkits were found, however, the google linking problem persists and I am still unable to run MWB, Hijack This or ComboFix. Windows Defender also won't update and crashes on launch. So from what I have read on other peoples posts, it seems like I am still infected, and I could really use some expert advice!

I have run DDS and Gmer and have logs from both of those which I will paste and/or attach below. I have also run RootRepeal to see if there were any CLB Rootkits (which there weren't). Many thanks in advance!!

-Matt

DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86
Run by Matt at 8:48:26.50 on Tue 08/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1367 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto
uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [WD_SRT] "c:\program files\western digital technologies\wd win98 se usb disk driver, v1.00.09\WD_SRT.EXE"
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\perstray.lnk - c:\program files\persono\perstray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\1vyq02on.default\
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2005-2-10 72192]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-10 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-10 55656]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\drivers\uacflt.sys [2008-8-10 21276]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2003-10-22 344800]
S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\google\update\GoogleUpdate.exe [2008-12-18 133104]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]

=============== Created Last 30 ================

2009-08-11 08:46 <DIR> --d----- c:\program files\Trend Micro
2009-08-11 08:41 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 08:41 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-11 08:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 10:43 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-10 10:43 <DIR> --d----- c:\program files\Avira
2009-08-10 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-10 10:15 <DIR> --d----- c:\docume~1\matt\applic~1\Malwarebytes
2009-08-10 10:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-10 10:06 <DIR> --d----- c:\docume~1\matt\applic~1\Search Settings
2009-08-10 09:58 <DIR> --d----- c:\program files\Search Settings
2009-08-10 09:58 <DIR> --d----- c:\program files\Free Audio Pack
2009-08-09 12:35 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-07 10:39 <DIR> --d----- c:\documents and settings\matt\PrivacIE
2009-08-04 13:00 599,552 -c------ c:\windows\system32\dllcache\crypt32.dll
2009-08-04 13:00 177,664 -c------ c:\windows\system32\dllcache\wintrust.dll
2009-08-04 12:53 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-04 12:52 14,048 -------- c:\windows\system32\spmsg2.dll
2009-08-02 20:44 <DIR> --d----- c:\windows\system32\AGEIA
2009-08-02 20:44 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-02 20:30 <DIR> --d----- c:\program files\Codemasters
2009-08-02 18:40 <DIR> --d----- c:\docume~1\matt\applic~1\ArtificialStudios
2009-08-01 10:21 <DIR> --d----- c:\program files\iPod
2009-08-01 10:21 <DIR> --d----- c:\program files\iTunes
2009-08-01 10:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-23 19:57 41,872 a------- c:\windows\system32\xfcodec.dll
2009-07-12 20:13 <DIR> --d----- c:\program files\VideoLAN
2009-07-12 18:04 <DIR> --d----- c:\program files\VideoReDoTVSuite
2009-07-12 18:04 <DIR> --d----- c:\docume~1\matt\applic~1\VideoReDo-TVSuite
2009-07-12 16:11 <DIR> --d----- c:\program files\common files\TivoDecode

==================== Find3M ====================

2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-08-29 15:01 422,344 a------- c:\program files\setuplog.txt

============= FINISH: 8:48:48.59 ===============

SIR CHEECH

Aug 14 2009, 05:35 PM

I have waited more than 48hrs without a reply to my issue. It seems like the helpers here are very busy, I would still very much appreciate any help you can give.

many thanks!!

SpySentinel

Aug 18 2009, 01:27 AM

Hi SIR CHEECH,

Sorry for the delay, we have been very busy this last month in the Malware Forum.

You have a new variant of a nasty infection. This new variant blocks security programs from running.

Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

SIR CHEECH

Aug 18 2009, 06:45 AM

SpySentinel, Hello!

Thanks so much for the reply, it is much appreciated. I followed your instructions to the letter. Unfortunately, combofix doesn't seem to be running. The green progress bar shows, completes and then the programs seems to shut down, no windows appear of any kind.

Are there any alternative measures we could take? I'd rather not reinstall if at all possible.

Thanks again for your assistance!

SpySentinel

Aug 19 2009, 02:24 AM

@SIR CHEECH

No worries, we will try to fix the issue without a reformat

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

@everyone else

Everyone else, please do not post to someones HJT thread. Please read Groups authorized to help with HJT logs

SIR CHEECH

Aug 19 2009, 03:32 AM

Thanks for the continues support SpySentinel, please see Win32kDiag.exe log below.
Hope this helps!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 18:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\scecli.dll

[1] 2004-08-04 06:00:00 180224 C:\WINDOWS\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 18:12:05 181248 C:\WINDOWS\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 18:12:05 60928 C:\WINDOWS\system32\scecli.dll ()

[2] 2008-04-13 18:12:05 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)

Finished!

SpySentinel

Aug 19 2009, 03:35 AM

you're welcome.

We Need to remove Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
- Zip Mirrors (Recommended)
- Rar Mirrors - Only if you know what a RAR is and can extract it.
Extract RootRepeal.exe from the archive.
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

SIR CHEECH

Aug 19 2009, 04:13 AM

awesome, ran the scan and report is pasted below ,')

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/18 21:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF746B000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0x9F976000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_viaraid.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_viaraid.sys
Address: 0x9E276000 Size: 73728 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9B883000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0x9E569000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xAC8D1000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\recycler\s-1-5-21-1606980848-1965331169-682003330-1004\info2
Status: Size mismatch (API: 2420, Raw: 1620)

Path: C:\RECYCLER\S-1-5-21-1606980848-1965331169-682003330-1004\Dc3.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\scecli.dll
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "a347bus.sys" at address 0xf75bcaf8

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa5d84466

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "a347bus.sys" at address 0xf75b0b00

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa5d8445c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xa5d8446b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xa5d84475

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "a347bus.sys" at address 0xf75b1388

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "a347bus.sys" at address 0xf75bcbf0

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xa5d8447a

#: 119 Function Name: NtOpenKey
Status: Hooked by "a347bus.sys" at address 0xf75bca74

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa5d84448

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xa5d8444d

#: 160 Function Name: NtQueryKey
Status: Hooked by "a347bus.sys" at address 0xf75b13a8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "a347bus.sys" at address 0xf75bcb46

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xa5d84484

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xa5d8447f

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "a347bus.sys" at address 0xf75bc390

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa5d84470

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xa5d84457

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a8219f0 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a3edbd0 Size: 11

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_READ]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_WRITE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_EA]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CREATE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CLOSE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_READ]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_WRITE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_EA]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_POWER]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_PNP]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8a26d3b8 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x8a1f4cd0 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a284e18 Size: 11

Object: Hidden Code [Driver: NpfsЅఆ䵃Ψ泰䓰䓰, IRP_MJ_READ]
Process: System Address: 0x8a25d150 Size: 11

Object: Hidden Code [Driver: Msfsȅఈ灐畳ꀈ, IRP_MJ_READ]
Process: System Address: 0x8a26fea8 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x8a270c18 Size: 11

Object: Hidden Code [Driver: Cdfsȅᰅ㍨訧佘佘〈託, IRP_MJ_READ]
Process: System Address: 0x8a4ac5e8 Size: 11

==EOF==

SpySentinel

Aug 19 2009, 04:17 AM

Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

QUOTE

@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.

Step #2

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please download The Avenger2 by SwanDog46.
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
CODE
Files to move:
c:\scecli.dll | C:\WINDOWS\system32\scecli.dll
Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #3

Now try running ComboFix and Malwarebytes, then post the logs here.

SIR CHEECH

Aug 19 2009, 04:50 AM

Ok, i followed your instructions; step 1 and step 2 seemed to work fine. I then tried to run combofix per your previous instructions in this post, the green progress bar finished and then no further activity. I also re-installed Malwarebytes and updated it, unfortunately, it wouldn't run its scan for more than a couple seconds before closing.

Posted below is the avenger log, i hope it helps.
i appreciate your assistance

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "c:\scecli.dll" not found!
File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

SpySentinel

Aug 19 2009, 03:43 PM

Step #1

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please download The Avenger2 by SwanDog46.
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
CODE
Files to move:
C:\WINDOWS\ServicePackFiles\i386\scecli.dll | C:\WINDOWS\system32\scecli.dll
Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #2

Now try running ComboFix and Malwarebytes, then post the logs here.

SIR CHEECH

Aug 19 2009, 05:00 PM

Great work SpySentinel! The avenger script ran and rebooted the machine twice. After which i got a log (see below).

I attempted to run ComboFix per your previous instructions in this thread. This time the green progress bar ran and I got a message window that stated "You cannot rename ComboFix as Combo-Fix Please use another name, preferbaly made up of alphanumeric characters", it had an OK box and thats as far as i could get with combofix.

I reinstalled Malwarebytes and updated it. IT RAN!!! I did a Quick Scan, results posted below. I still have the dialog window open just in case, so let me know if its ok to Remove the threats

btw YOU ARE AWESOME!!

AVENGER LOG

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\scecli.dll|C:\WINDOWS\system32\scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Error: Script file not found!
Could not open script file! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Abort!

MBAM LOG

Malwarebytes' Anti-Malware 1.40
Database version: 2657
Windows 5.1.2600 Service Pack 3

8/19/2009 10:51:32 AM
mbam-log.txt

Scan type: Quick Scan
Objects scanned: 99939
Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.

SpySentinel

Aug 19 2009, 05:07 PM

Thanks SIR CHEECH, glad to hear it worked. This is a new nasty infection.

Please run Malwarebytes again, this time when it shows the items it found, please choose to remove them.

Then run ComboFix again and post both logs.

SIR CHEECH

Aug 19 2009, 05:47 PM

I ran MBAM again and removed the threats (log posted below).

Combofix is still giving me the same error "You cannot rename ComboFix as Combo-Fix Please use another name, preferbaly made up of alphanumeric characters"

MBAM Log

Malwarebytes' Anti-Malware 1.40
Database version: 2657
Windows 5.1.2600 Service Pack 3

8/19/2009 11:10:43 AM
mbam-log-2009-08-19 (11-10-43).txt

Scan type: Quick Scan
Objects scanned: 99939
Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

SpySentinel

Aug 19 2009, 05:49 PM

Go ahead an rename ComboFix to 101969MB and then try running it again.

SIR CHEECH

Aug 19 2009, 06:16 PM

101969MB got the same results, even though i downloaded the file and saved it with that name. On a lark, I deleted that and tried running the program with its standard name ComboFix.exe for some reason it worked. Log posted below.

ComboFix Log

ComboFix 09-08-18.04 - Matt 08/19/2009 12:01.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1524 [GMT -6:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Settings
c:\program files\Search Settings\kb128\SearchSettings.dll
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\Installer\180c480.msi
c:\windows\system32\skinboxer43.dll
H:\Autorun.inf

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_uacFlt
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_uacFlt

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 16:41 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 16:41 . 2009-08-19 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 16:41 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-19 16:36 . 2009-08-19 16:36 -------- d-s---w- C:\Combo-Fix
2009-08-17 23:03 . 2009-08-17 23:06 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-12 19:33 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 14:46 . 2009-08-11 14:46 -------- d-----w- c:\program files\Trend Micro
2009-08-10 16:43 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-10 16:43 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-10 16:43 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-10 16:43 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\program files\Avira
2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:06 . 2009-08-10 16:06 -------- d-----w- c:\documents and settings\Matt\Application Data\Search Settings
2009-08-07 18:17 . 2009-08-07 18:17 -------- d-----w- c:\program files\Windows Defender
2009-08-07 16:39 . 2009-08-07 16:39 -------- d-sh--w- c:\documents and settings\Matt\PrivacIE
2009-08-07 16:02 . 2009-08-07 16:02 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\WMTools Downloaded Files
2009-08-04 19:00 . 2008-11-13 14:18 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll
2009-08-04 19:00 . 2008-11-13 14:18 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2009-08-04 18:57 . 2009-08-04 18:57 -------- d-----w- c:\program files\MSBuild
2009-08-04 18:53 . 2009-08-08 21:44 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-04 18:52 . 2009-08-04 18:52 -------- d-----w- c:\program files\Reference Assemblies
2009-08-04 18:52 . 2006-06-29 19:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\windows\system32\AGEIA
2009-08-03 02:44 . 2009-08-03 02:45 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\program files\Codemasters
2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\My Games
2009-08-03 00:40 . 2009-08-03 00:40 -------- d-----w- c:\documents and settings\Matt\Application Data\ArtificialStudios
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iPod
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iTunes
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-01 16:16 . 2009-08-01 16:16 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-01 15:59 . 2009-08-01 15:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-24 01:57 . 2009-07-24 01:57 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 17:44 . 2007-08-02 01:21 -------- d-----w- c:\documents and settings\Matt\Application Data\U3
2009-08-19 05:10 . 2008-08-29 02:37 -------- d-----w- c:\program files\Steam
2009-08-16 16:41 . 2009-07-13 00:04 -------- d-----w- c:\documents and settings\Matt\Application Data\VideoReDo-TVSuite
2009-08-16 16:38 . 2009-07-13 00:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-11 06:12 . 2008-08-11 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-10 16:01 . 2007-08-02 01:22 30944 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 15:58 . 2009-08-10 15:58 -------- d-----w- c:\program files\Free Audio Pack
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:42 . 2008-08-11 15:59 -------- d-----w- c:\documents and settings\Matt\Application Data\Xfire
2009-08-01 17:52 . 2008-08-11 04:00 -------- d-----w- c:\documents and settings\Matt\Application Data\Apple Computer
2009-08-01 16:20 . 2008-08-11 03:59 -------- d-----w- c:\program files\Bonjour
2009-07-30 17:31 . 2008-08-11 15:59 -------- d-----w- c:\program files\Xfire
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 05:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 04:44 . 2008-08-11 03:59 -------- d-----w- c:\program files\QuickTime
2009-07-13 04:43 . 2009-07-13 04:43 -------- d-----w- c:\program files\Apple Software Update
2009-07-13 02:13 . 2009-07-13 02:13 -------- d-----w- c:\program files\VideoLAN
2009-07-13 00:04 . 2009-07-13 00:04 -------- d-----w- c:\program files\VideoReDoTVSuite
2009-07-12 22:11 . 2009-07-12 22:11 -------- d-----w- c:\program files\Common Files\TivoDecode
2009-07-12 04:36 . 2009-07-12 04:36 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\TiVo
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\Common Files\TiVo Shared
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
2009-06-26 21:09 . 2009-06-11 21:57 -------- d-----w- c:\program files\Common Files\BioWare
2009-06-22 16:34 . 2009-06-22 16:22 -------- d-----w- c:\documents and settings\Matt\Application Data\Winamp
2009-06-22 16:24 . 2009-06-22 16:22 -------- d-----w- c:\program files\Winamp
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 15:19 . 2008-08-11 02:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-08-29 21:01 . 2008-08-29 21:01 422344 ----a-w- c:\program files\setuplog.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD_SRT"="c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-02-20 364544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Perstray.lnk - c:\program files\PerSono\perstray.exe [2008-8-10 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2\\FEAR2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Codemasters\\Turning Point - Fall of Liberty\\Binaries\\LTCG-TPGame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25708:TCP"= 25708:TCP:bitlord
"6112:TCP"= 6112:TCP:Wc3 1
"25777:UDP"= 25777:UDP:xfire 2

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2/10/2005 5:10 AM 72192]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/10/2009 10:43 AM 108289]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 3:27 PM 344800]
S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2008 9:16 PM 133104]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe

.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\1vyq02on.default\
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 12:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaflkafljneokgehao"=hex:6a,61,70,67,67,62,6b,69,70,6e,63,68,6c,61,6c,68,68,6a,
67,66,00,00
"hallaokbaoiaomcl"=hex:69,61,70,67,67,62,61,6b,61,65,62,6a,6d,62,66,67,62,68,
00,92
"hajmkmcadhglonnd"=hex:6b,61,6f,6c,69,64,67,70,6a,66,67,62,6f,6c,70,67,61,6d,
6a,64,6f,6e,00,00
"hajmkmcaigjmpfpd"=hex:6e,62,6f,69,6c,6f,65,6a,6c,6a,6a,6d,70,62,70,6a,6d,6e,
63,6d,70,62,61,70,62,62,67,70,65,6f,61,67,68,65,6b,6d,6b,6f,69,65,68,6b,6a,\

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e5,55,b0,4c,76,26,db,e6,b6,eb,69,4a,cf,1a,8d,f2,a2,14,1d,b1,79,f6,4b,
e6,4f,8c,38,4e,76,83,f4,72,58,3e,e6,7f,57,1f,09,47,9b,65,f7,ca,5d,4b,7c,79,\
"??"=hex:b5,51,b7,44,0f,48,fc,32,4e,b4,82,86,df,98,4b,0d

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:af,87,86,9f,fc,64,8e,49,79,eb,b9,af,e9,33,d1,8c,76,47,d7,3f,a9,
61,a6,ab,9c,58,96,37,f4,3e,84,9a,66,2d,b4,8e,01,2e,f5,d8,e1,c9,ae,e0,24,c8,\
"rkeysecu"=hex:a6,36,bf,64,e9,71,41,85,d1,17,78,a9,4e,26,fa,5c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2628)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-19 12:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 18:10

Pre-Run: 31,765,762,048 bytes free
Post-Run: 33,552,453,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

306 --- E O F --- 2009-08-19 16:20

SpySentinel

Aug 19 2009, 08:42 PM

Glad to see it worked.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE

RegNull:
[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

SIR CHEECH

Aug 19 2009, 09:11 PM

This really is a nasty bugger, thanks for sticking with me. Log posted below.

ComboFix 09-08-18.04 - Matt 08/19/2009 14:56.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1606 [GMT -6:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 16:41 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 16:41 . 2009-08-19 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 16:41 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-19 16:36 . 2009-08-19 16:36 -------- d-s---w- C:\Combo-Fix
2009-08-17 23:03 . 2009-08-17 23:06 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-12 19:33 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 14:46 . 2009-08-11 14:46 -------- d-----w- c:\program files\Trend Micro
2009-08-10 16:43 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-10 16:43 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-10 16:43 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-10 16:43 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\program files\Avira
2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:06 . 2009-08-10 16:06 -------- d-----w- c:\documents and settings\Matt\Application Data\Search Settings
2009-08-07 18:17 . 2009-08-07 18:17 -------- d-----w- c:\program files\Windows Defender
2009-08-07 16:39 . 2009-08-07 16:39 -------- d-sh--w- c:\documents and settings\Matt\PrivacIE
2009-08-07 16:02 . 2009-08-07 16:02 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\WMTools Downloaded Files
2009-08-04 19:00 . 2008-11-13 14:18 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll
2009-08-04 19:00 . 2008-11-13 14:18 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2009-08-04 18:57 . 2009-08-04 18:57 -------- d-----w- c:\program files\MSBuild
2009-08-04 18:53 . 2009-08-08 21:44 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-04 18:52 . 2009-08-04 18:52 -------- d-----w- c:\program files\Reference Assemblies
2009-08-04 18:52 . 2006-06-29 19:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\windows\system32\AGEIA
2009-08-03 02:44 . 2009-08-03 02:45 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\program files\Codemasters
2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\My Games
2009-08-03 00:40 . 2009-08-03 00:40 -------- d-----w- c:\documents and settings\Matt\Application Data\ArtificialStudios
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iPod
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iTunes
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-01 16:16 . 2009-08-01 16:16 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-01 15:59 . 2009-08-01 15:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-24 01:57 . 2009-07-24 01:57 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 20:34 . 2008-08-29 02:37 -------- d-----w- c:\program files\Steam
2009-08-19 17:44 . 2007-08-02 01:21 -------- d-----w- c:\documents and settings\Matt\Application Data\U3
2009-08-16 16:41 . 2009-07-13 00:04 -------- d-----w- c:\documents and settings\Matt\Application Data\VideoReDo-TVSuite
2009-08-16 16:38 . 2009-07-13 00:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-11 06:12 . 2008-08-11 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-10 16:01 . 2007-08-02 01:22 30944 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 15:58 . 2009-08-10 15:58 -------- d-----w- c:\program files\Free Audio Pack
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:42 . 2008-08-11 15:59 -------- d-----w- c:\documents and settings\Matt\Application Data\Xfire
2009-08-01 17:52 . 2008-08-11 04:00 -------- d-----w- c:\documents and settings\Matt\Application Data\Apple Computer
2009-08-01 16:20 . 2008-08-11 03:59 -------- d-----w- c:\program files\Bonjour
2009-07-30 17:31 . 2008-08-11 15:59 -------- d-----w- c:\program files\Xfire
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 05:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 04:44 . 2008-08-11 03:59 -------- d-----w- c:\program files\QuickTime
2009-07-13 04:43 . 2009-07-13 04:43 -------- d-----w- c:\program files\Apple Software Update
2009-07-13 02:13 . 2009-07-13 02:13 -------- d-----w- c:\program files\VideoLAN
2009-07-13 00:04 . 2009-07-13 00:04 -------- d-----w- c:\program files\VideoReDoTVSuite
2009-07-12 22:11 . 2009-07-12 22:11 -------- d-----w- c:\program files\Common Files\TivoDecode
2009-07-12 04:36 . 2009-07-12 04:36 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\TiVo
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\Common Files\TiVo Shared
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
2009-06-26 21:09 . 2009-06-11 21:57 -------- d-----w- c:\program files\Common Files\BioWare
2009-06-22 16:34 . 2009-06-22 16:22 -------- d-----w- c:\documents and settings\Matt\Application Data\Winamp
2009-06-22 16:24 . 2009-06-22 16:22 -------- d-----w- c:\program files\Winamp
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 15:19 . 2008-08-11 02:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-08-29 21:01 . 2008-08-29 21:01 422344 ----a-w- c:\program files\setuplog.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD_SRT"="c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-02-20 364544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Perstray.lnk - c:\program files\PerSono\perstray.exe [2008-8-10 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2\\FEAR2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Codemasters\\Turning Point - Fall of Liberty\\Binaries\\LTCG-TPGame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25708:TCP"= 25708:TCP:bitlord
"6112:TCP"= 6112:TCP:Wc3 1
"25777:UDP"= 25777:UDP:xfire 2

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2/10/2005 5:10 AM 72192]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/10/2009 10:43 AM 108289]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 3:27 PM 344800]
S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2008 9:16 PM 133104]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\1vyq02on.default\
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 15:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaflkafljneokgehao"=hex:6a,61,70,67,67,62,6b,69,70,6e,63,68,6c,61,6c,68,68,6a,
67,66,00,00
"hallaokbaoiaomcl"=hex:69,61,70,67,67,62,61,6b,61,65,62,6a,6d,62,66,67,62,68,
00,92
"hajmkmcadhglonnd"=hex:6b,61,6f,6c,69,64,67,70,6a,66,67,62,6f,6c,70,67,61,6d,
6a,64,6f,6e,00,00
"hajmkmcaigjmpfpd"=hex:6e,62,6f,69,6c,6f,65,6a,6c,6a,6a,6d,70,62,70,6a,6d,6e,
63,6d,70,62,61,70,62,62,67,70,65,6f,61,67,68,65,6b,6d,6b,6f,69,65,68,6b,6a,\

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e5,55,b0,4c,76,26,db,e6,b6,eb,69,4a,cf,1a,8d,f2,a2,14,1d,b1,79,f6,4b,
e6,4f,8c,38,4e,76,83,f4,72,58,3e,e6,7f,57,1f,09,47,9b,65,f7,ca,5d,4b,7c,79,\
"??"=hex:b5,51,b7,44,0f,48,fc,32,4e,b4,82,86,df,98,4b,0d

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:af,87,86,9f,fc,64,8e,49,79,eb,b9,af,e9,33,d1,8c,76,47,d7,3f,a9,
61,a6,ab,9c,58,96,37,f4,3e,84,9a,66,2d,b4,8e,01,2e,f5,d8,e1,c9,ae,e0,24,c8,\
"rkeysecu"=hex:a6,36,bf,64,e9,71,41,85,d1,17,78,a9,4e,26,fa,5c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3336)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-19 15:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 21:05
ComboFix2.txt 2009-08-19 18:10

Pre-Run: 33,569,591,296 bytes free
Post-Run: 33,510,805,504 bytes free

286 --- E O F --- 2009-08-19 16:20

SpySentinel

Aug 19 2009, 09:12 PM

Yes it is very nasty, and new, so we are just getting the hang of how to remove it.

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
1. Click on to download the ESET Smart Installer. Save it to your desktop.
2. Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

You can refer to this animation by neomage if needed.

SIR CHEECH

Aug 20 2009, 12:08 AM

I ran the Eset online scan. Avira had many (10-12) TR/Rootkit.gen hits while the scan was running. I selected all instances to be quarantined. See ESET log below.

C:\System Volume Information\_restore{2B027C32-D295-4680-B4D6-A82A09E204D4}\RP448\A0084903.dll a variant of Win32/Kryptik.YQ trojan cleaned by deleting - quarantined

SpySentinel

Aug 20 2009, 02:39 PM

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

SIR CHEECH

Aug 20 2009, 03:15 PM

SpySentinel, thank you for your continued support
You will find the RSIT logs posted below

RSIT LOG

Logfile of random's system information tool 1.06 (written by random/random)
Run by Matt at 2009-08-20 09:08:31
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 32 GB (21%) free of 153 GB
Total RAM: 2047 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:38 AM, on 8/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt\Desktop\RSIT.exe
C:\Program Files\trend micro\Matt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [WD_SRT] "C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [TranscodingService] "C:\Program Files\TiVo\Desktop\TranscodingService.exe" /auto
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54817278-1DFB-452A-A80D-FFC599070349}: NameServer = 192.168.0.1,192.168.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{54817278-1DFB-452A-A80D-FFC599070349}: NameServer = 192.168.0.1,192.168.0.2
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9618821f3d326) (gupdate1c9618821f3d326) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6242 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"CTHelper"=C:\WINDOWS\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-08-11 18944]
"WD_SRT"=C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE [2005-11-18 278528]
"WD Button Manager"=C:\WINDOWS\system32\WDBtnMgr.exe [2009-02-19 364544]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TranscodingService"=C:\Program Files\TiVo\Desktop\TranscodingService.exe [2009-01-27 520192]
"TivoNotify"=C:\Program Files\TiVo\Desktop\TiVoNotify.exe [2009-01-27 425472]
"TivoServer"=C:\Program Files\TiVo\Desktop\TiVoServer.exe [2009-01-27 2143232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Perstray.lnk - C:\Program Files\PerSono\perstray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-07-03 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\BitLord\BitLord.exe"="C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord"
"C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Program Files\Adobe\Adobe After Effects CS3\Support Files\AfterFX.exe"="C:\Program Files\Adobe\Adobe After Effects CS3\Support Files\AfterFX.exe:LocalSubNet:Enabled:Adobe After Effects CS3"
"C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe"="C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe:LocalSubNet:Enabled:Adobe Bridge CS3"
"C:\Program Files\Adobe\Adobe Device Central CS3\DeviceCentral.exe"="C:\Program Files\Adobe\Adobe Device Central CS3\DeviceCentral.exe:LocalSubNet:Enabled:Adobe Device Central CS3"
"C:\Program Files\Adobe\Adobe Encore CS3\Adobe Encore.exe"="C:\Program Files\Adobe\Adobe Encore CS3\Adobe Encore.exe:LocalSubNet:Enabled:Adobe Encore CS3"
"C:\Program Files\Adobe\Adobe Utilities\ExtendScript Toolkit 2\ExtendScript Toolkit 2.exe"="C:\Program Files\Adobe\Adobe Utilities\ExtendScript Toolkit 2\ExtendScript Toolkit 2.exe:LocalSubNet:Enabled:Adobe ExtendScript Toolkit 2"
"C:\Program Files\Adobe\Adobe Extension Manager\Extension Manager.exe"="C:\Program Files\Adobe\Adobe Extension Manager\Extension Manager.exe:LocalSubNet:Enabled:Adobe Extension Manager CS3"
"C:\Program Files\Adobe\Adobe Flash CS3\Flash.exe"="C:\Program Files\Adobe\Adobe Flash CS3\Flash.exe:LocalSubNet:Enabled:Adobe Flash CS3 Professional"
"C:\Program Files\Adobe\Adobe Flash CS3 Video Encoder\Flash Video Encoder.exe"="C:\Program Files\Adobe\Adobe Flash CS3 Video Encoder\Flash Video Encoder.exe:LocalSubNet:Enabled:Adobe Flash CS3 Video Encoder"
"C:\Program Files\Adobe\Adobe Illustrator CS3\Support Files\Contents\Windows\Illustrator.exe"="C:\Program Files\Adobe\Adobe Illustrator CS3\Support Files\Contents\Windows\Illustrator.exe:LocalSubNet:Enabled:Adobe Illustrator CS3"
"C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe"="C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe:LocalSubNet:Enabled:Adobe Photoshop CS3"
"C:\Program Files\Adobe\Adobe Premiere Pro CS3\Adobe Premiere Pro.exe"="C:\Program Files\Adobe\Adobe Premiere Pro CS3\Adobe Premiere Pro.exe:LocalSubNet:Enabled:Adobe Premiere Pro CS3"
"C:\Program Files\Adobe\Adobe Soundbooth CS3\Adobe Soundbooth CS3.exe"="C:\Program Files\Adobe\Adobe Soundbooth CS3\Adobe Soundbooth CS3.exe:LocalSubNet:Enabled:Adobe Soundbooth CS3"
"C:\Program Files\Adobe\Adobe Stock Photos CS3\Adobe Stock Photos CS3.exe"="C:\Program Files\Adobe\Adobe Stock Photos CS3\Adobe Stock Photos CS3.exe:LocalSubNet:Enabled:Adobe Stock Photos CS3"
"C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe"="C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe:*:Enabled:Acrobat.com"
"C:\Program Files\Adobe\Adobe OnLocation CS3\Adobe OnLocation.exe"="C:\Program Files\Adobe\Adobe OnLocation CS3\Adobe OnLocation.exe:LocalSubNet:Enabled:Adobe OnLocation CS3"
"C:\Program Files\Adobe\Adobe InDesign CS3\InDesign.exe"="C:\Program Files\Adobe\Adobe InDesign CS3\InDesign.exe:LocalSubNet:Enabled:Adobe InDesign CS3"
"C:\Program Files\Google\Google SketchUp 6\SketchUp.exe"="C:\Program Files\Google\Google SketchUp 6\SketchUp.exe:LocalSubNet:Enabled:Google SketchUp"
"C:\Program Files\Google\Google SketchUp 6\LayOut\LayOut.exe"="C:\Program Files\Google\Google SketchUp 6\LayOut\LayOut.exe:LocalSubNet:Enabled:LayOut"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Warcraft III\Warcraft III.exe"="C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\Program Files\Steam\steam.exe"="C:\Program Files\Steam\steam.exe:*:Disabled:Steam"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\WinSCP\WinSCP.exe"="C:\Program Files\WinSCP\WinSCP.exe:*:Enabled:SFTP, FTP and SCP client"
"C:\Program Files\Bethesda Softworks\Fallout 3\Fallout3.exe"="C:\Program Files\Bethesda Softworks\Fallout 3\Fallout3.exe:*:Enabled:Fallout3"
"C:\Program Files\Steam\steamapps\gumachi\team fortress 2\hl2.exe"="C:\Program Files\Steam\steamapps\gumachi\team fortress 2\hl2.exe:*:Disabled:hl2"
"C:\Program Files\Steam\steamapps\gumachi\synergy dedicated server\srcds.exe"="C:\Program Files\Steam\steamapps\gumachi\synergy dedicated server\srcds.exe:*:Enabled:srcds"
"C:\Program Files\Steam\steamapps\gumachi\synergy\hl2.exe"="C:\Program Files\Steam\steamapps\gumachi\synergy\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Steam\steamapps\common\fear2\FEAR2.exe"="C:\Program Files\Steam\steamapps\common\fear2\FEAR2.exe:*:Enabled:F.E.A.R. 2: Project Origin"
"C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe:LocalSubNet:Enabled:TiVo Transfer Service"
"C:\Program Files\TiVo\Desktop\TiVoServer.exe"="C:\Program Files\TiVo\Desktop\TiVoServer.exe:LocalSubNet:Enabled:TiVo Server Service"
"C:\Program Files\TiVo\Desktop\TiVoDesktop.exe"="C:\Program Files\TiVo\Desktop\TiVoDesktop.exe:LocalSubNet:Enabled:TiVo Desktop User Interface"
"C:\Program Files\TiVo\Desktop\curl.exe"="C:\Program Files\TiVo\Desktop\curl.exe:LocalSubNet:Enabled:TiVo Curl Service"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Codemasters\Turning Point - Fall of Liberty\Binaries\LTCG-TPGame.exe"="C:\Program Files\Codemasters\Turning Point - Fall of Liberty\Binaries\LTCG-TPGame.exe:*:Enabled:Turning Point - Fall of Liberty"
"C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe"="C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead"
"C:\Program Files\CINEMA 4D R10\CINEMA 4D.exe"="C:\Program Files\CINEMA 4D R10\CINEMA 4D.exe:LocalSubNet:Disabled:Shortcut to CINEMA 4D"
"C:\Program Files\CINEMA 4D R10\NET Render Client.exe"="C:\Program Files\CINEMA 4D R10\NET Render Client.exe:LocalSubNet:Disabled:Shortcut to NET Render Client"
"C:\Program Files\CINEMA 4D R10\NET Render Server.exe"="C:\Program Files\CINEMA 4D R10\NET Render Server.exe:LocalSubNet:Disabled:Shortcut to NET Render Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a77df396-4096-11dc-a846-000f3dae33e2}]
shell\AutoRun\command - G:\LaunchU3.exe -a

======List of files/folders created in the last 1 months======

2009-08-20 09:08:31 ----D---- C:\rsit
2009-08-19 15:23:54 ----D---- C:\Program Files\ESET
2009-08-19 15:06:03 ----D---- C:\WINDOWS\temp
2009-08-19 15:06:02 ----A---- C:\ComboFix.txt
2009-08-19 12:00:53 ----A---- C:\Boot.bak
2009-08-19 12:00:49 ----RASHD---- C:\cmdcons
2009-08-19 11:59:39 ----A---- C:\WINDOWS\zip.exe
2009-08-19 11:59:39 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-19 11:59:39 ----A---- C:\WINDOWS\SWSC.exe
2009-08-19 11:59:39 ----A---- C:\WINDOWS\SWREG.exe
2009-08-19 11:59:39 ----A---- C:\WINDOWS\sed.exe
2009-08-19 11:59:39 ----A---- C:\WINDOWS\PEV.exe
2009-08-19 11:59:39 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-19 11:59:39 ----A---- C:\WINDOWS\grep.exe
2009-08-19 10:41:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-19 10:36:10 ----SD---- C:\Combo-Fix
2009-08-19 10:36:10 ----D---- C:\WINDOWS\ERDNT
2009-08-19 10:36:07 ----D---- C:\Qoobox
2009-08-18 22:04:39 ----A---- C:\RootRepeal report 08-18-09 (22-04-39).txt
2009-08-17 17:03:09 ----D---- C:\Program Files\Windows Live Safety Center
2009-08-12 23:24:44 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-12 23:24:39 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-12 23:24:34 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-12 23:24:28 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-12 23:24:22 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-12 23:24:17 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-12 23:24:12 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-12 23:24:03 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-12 23:23:25 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-11 08:46:00 ----D---- C:\Program Files\Trend Micro
2009-08-10 10:43:12 ----D---- C:\Program Files\Avira
2009-08-10 10:43:12 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-08-10 10:15:38 ----D---- C:\Documents and Settings\Matt\Application Data\Malwarebytes
2009-08-10 10:15:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-10 10:06:44 ----D---- C:\Documents and Settings\Matt\Application Data\Search Settings
2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\WMAFile.dll
2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\AudPlayer.dll
2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\AudioVisu.dll
2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\AudioRecord.dll
2009-08-10 09:58:18 ----A---- C:\WINDOWS\system32\AudioInfos.dll
2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\VB6STKIT.DLL
2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\VB6FR.DLL
2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\TABCTFR.DLL
2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\inetfr.DLL
2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\AudFile.dll
2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\AudDisplay.dll
2009-08-10 09:58:17 ----A---- C:\WINDOWS\system32\AudDesign.dll
2009-08-10 09:58:16 ----A---- C:\WINDOWS\system32\MSCMCFR.DLL
2009-08-10 09:58:16 ----A---- C:\WINDOWS\system32\Mscc2fr.dll
2009-08-10 09:58:16 ----A---- C:\WINDOWS\system32\CMDLGFR.DLL
2009-08-10 09:58:15 ----D---- C:\Program Files\Free Audio Pack
2009-08-10 09:58:15 ----A---- C:\WINDOWS\system32\msvcr70.dll
2009-08-10 09:58:15 ----A---- C:\WINDOWS\system32\MFC71.dll
2009-08-10 09:58:15 ----A---- C:\WINDOWS\system32\lame_enc.dll
2009-08-09 22:31:45 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2009-08-07 12:17:09 ----D---- C:\Program Files\Windows Defender
2009-08-04 13:00:59 ----HDC---- C:\WINDOWS\$NtUninstallKB938759$
2009-08-04 12:57:04 ----D---- C:\Program Files\MSBuild
2009-08-04 12:53:24 ----D---- C:\WINDOWS\system32\XPSViewer
2009-08-04 12:52:45 ----D---- C:\Program Files\Reference Assemblies
2009-08-04 12:52:11 ----N---- C:\WINDOWS\system32\spmsg2.dll
2009-08-02 20:44:54 ----D---- C:\WINDOWS\system32\AGEIA
2009-08-02 20:44:53 ----D---- C:\Program Files\AGEIA Technologies
2009-08-02 20:44:25 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-08-02 20:30:25 ----D---- C:\Program Files\Codemasters
2009-08-02 18:40:21 ----D---- C:\Documents and Settings\Matt\Application Data\ArtificialStudios
2009-08-01 10:21:37 ----D---- C:\Program Files\iPod
2009-08-01 10:21:33 ----D---- C:\Program Files\iTunes
2009-08-01 10:21:33 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-23 19:57:06 ----A---- C:\WINDOWS\system32\xfcodec.dll

======List of files/folders modified in the last 1 months======

2009-08-20 09:08:32 ----D---- C:\WINDOWS\Prefetch
2009-08-20 09:07:04 ----D---- C:\Program Files\Mozilla Firefox
2009-08-20 09:06:31 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-20 09:06:24 ----D---- C:\WINDOWS
2009-08-20 09:05:49 ----D---- C:\WINDOWS\system32
2009-08-20 09:04:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-20 09:04:38 ----A---- C:\WINDOWS\{00000004-00000000-00000001-00001102-00000004-10071102}.BAK
2009-08-20 09:04:23 ----HD---- C:\WINDOWS\inf
2009-08-20 09:04:16 ----D---- C:\WINDOWS\system32\en-us
2009-08-19 19:41:47 ----D---- C:\Program Files\Steam
2009-08-19 15:23:54 ----RD---- C:\Program Files
2009-08-19 15:06:04 ----D---- C:\WINDOWS\system32\drivers
2009-08-19 15:01:24 ----A---- C:\WINDOWS\system.ini
2009-08-19 14:58:09 ----D---- C:\WINDOWS\AppPatch
2009-08-19 14:58:08 ----D---- C:\Program Files\Common Files
2009-08-19 12:10:02 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-19 12:04:18 ----D---- C:\WINDOWS\system32\config
2009-08-19 12:03:44 ----SHD---- C:\WINDOWS\Installer
2009-08-19 12:00:53 ----RASH---- C:\boot.ini
2009-08-19 11:44:54 ----D---- C:\Documents and Settings\Matt\Application Data\U3
2009-08-19 11:10:43 ----SD---- C:\WINDOWS\Tasks
2009-08-17 17:03:10 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-16 10:41:12 ----D---- C:\Documents and Settings\Matt\Application Data\VideoReDo-TVSuite
2009-08-16 10:38:09 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-08-12 23:24:41 ----A---- C:\WINDOWS\imsins.BAK
2009-08-12 23:24:27 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-12 23:24:14 ----D---- C:\Program Files\Outlook Express
2009-08-11 00:33:17 ----D---- C:\WINDOWS\WinSxS
2009-08-11 00:13:08 ----SD---- C:\Documents and Settings\Matt\Application Data\Microsoft
2009-08-11 00:12:00 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-09 22:31:59 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-08 16:38:05 ----D---- C:\WINDOWS\Microsoft.NET
2009-08-08 16:38:02 ----RSD---- C:\WINDOWS\assembly
2009-08-08 15:53:30 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-08 15:43:59 ----RSD---- C:\WINDOWS\Fonts
2009-08-08 15:38:49 ----D---- C:\Program Files\Internet Explorer
2009-08-07 12:10:02 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-08-07 11:50:16 ----D---- C:\WINDOWS\pchealth
2009-08-05 03:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-08-04 19:42:31 ----D---- C:\Documents and Settings\Matt\Application Data\Xfire
2009-08-04 12:52:28 ----D---- C:\WINDOWS\system32\spool
2009-08-02 20:45:09 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-08-02 20:44:24 ----D---- C:\WINDOWS\system32\DirectX
2009-08-01 11:52:34 ----D---- C:\Documents and Settings\Matt\Application Data\Apple Computer
2009-08-01 10:20:35 ----D---- C:\Program Files\Bonjour
2009-07-30 11:31:02 ----D---- C:\Program Files\Xfire
2009-07-29 18:49:14 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-23 08:18:02 ----A---- C:\WINDOWS\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2008-09-27 279712]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2008-09-27 25888]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB); C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 344800]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-07-04 3230720]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2006-08-11 502272]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2006-08-11 499584]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2006-08-11 7168]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2006-08-11 143872]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2006-08-11 78336]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2006-08-11 766976]
R3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2006-08-11 154112]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2006-08-11 116224]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 COMMONFX.SYS;COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS []
S3 COMMONFX;COMMONFX; C:\WINDOWS\system32\drivers\COMMONFX.SYS []
S3 CTAUDFX.SYS;CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS []
S3 CTAUDFX;CTAUDFX; C:\WINDOWS\system32\drivers\CTAUDFX.SYS []
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2005-11-10 340704]
S3 CTERFXFX.SYS;CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS []
S3 CTERFXFX;CTERFXFX; C:\WINDOWS\system32\drivers\CTERFXFX.SYS []
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 CTSBLFX.SYS;CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS []
S3 CTSBLFX;CTSBLFX; C:\WINDOWS\system32\drivers\CTSBLFX.SYS []
S3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2006-08-11 180224]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys []
S3 motport;Motorola USB Diagnostic Port; C:\WINDOWS\system32\DRIVERS\motport.sys []
S3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 WD_FireWire_HID;WD FireWire Pseudo-HID driver; C:\WINDOWS\system32\DRIVERS\wdfwhid.sys [2006-03-22 17408]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-07-03 561152]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-12 44032]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-07-03 593920]
S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-10 133104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-08-01 654848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

RSIT INFO

info.txt logfile of random's system information tool 1.06 2009-08-20 09:08:41

======Uninstall list======

-->MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
-->MsiExec /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79B4539B-F3F8-4239-885E-025F12DBC86B}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79B4539B-F3F8-4239-885E-025F12DBC86B}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8325E66-E1C8-43C1-AA6A-F99C024A8C96}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8325E66-E1C8-43C1-AA6A-F99C024A8C96}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Add or Remove Adobe Creative Suite 3 Production Premium-->C:\Program Files\Common Files\Adobe\Installers\aefc483f26b23ab60cc5653016d5017\Setup.exe
Adobe After Effects CS3 Presets-->MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}
Adobe After Effects CS3 Template Projects & Footage-->MsiExec.exe /I{73E81E9B-7319-43AD-B7CC-1C61405E5089}
Adobe After Effects CS3 Third Party Content-->MsiExec.exe /I{7ECEF10B-F1C2-4FD5-861F-A3FCB4653304}
Adobe After Effects CS3-->MsiExec.exe /I{EB0202F7-016A-410C-ADE4-40F848CCC661}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings-->MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Creative Suite 3 Production Premium-->MsiExec.exe /I{40F2BCF4-4EED-4AD4-BFB6-A58946C561A1}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Encore CS3 Codecs-->MsiExec.exe /I{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}
Adobe Encore CS3 Library-->MsiExec.exe /I{F1D93F5B-881F-49E3-BA56-B4B8FA991059}
Adobe Encore CS3-->MsiExec.exe /I{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}
Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Extension Manager CS3-->MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash CS3-->MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Video Encoder-->MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Glyphlet Creation Tool CS3-->MsiExec.exe /I{243DA072-8E39-424A-86A3-F63152021383}
Adobe Help Viewer CS3-->MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe InDesign CS3-->C:\Program Files\Common Files\Adobe\Installers\05ba3a63f36684fe0c5dde2ebe6f8f5\Setup.exe
Adobe InDesign CS3-->MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files-->MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe OnLocation CS3-->C:\Program Files\InstallShield Installation Information\{FFB278E6-2945-4FF0-8F3F-268CDD09FCF6}\Setup.exe -runfromtemp -l0x0409
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Premiere Pro CS3 Functional Content-->MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}
Adobe Premiere Pro CS3 Third Party Content-->MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}
Adobe Premiere Pro CS3-->MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}
Adobe Reader 9.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Setup-->MsiExec.exe /I{56B8B892-317E-4FDE-9E4D-44B189848A27}
Adobe Setup-->MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Setup-->MsiExec.exe /I{BA67E3E1-25EE-4481-857D-D3CA99DA71C8}
Adobe SING CS3-->MsiExec.exe /I{3F9B2FD2-1C83-4401-9967-C3636638E958}
Adobe Soundbooth CS3 Codecs-->MsiExec.exe /I{0327FA9D-975C-448C-A086-577D57BB25B8}
Adobe Soundbooth CS3 Scores-->MsiExec.exe /I{92A300C0-E97B-48CC-9702-AB1AAED167E1}
Adobe Soundbooth CS3-->MsiExec.exe /I{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Video Profiles-->MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3-->MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3-->MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3-->MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
AGEIA PhysX v7.09.13-->MsiExec.exe /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
AHV content for Acrobat and Flash-->MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
Apple Mobile Device Support-->MsiExec.exe /I{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
BitLord 1.1-->C:\Program Files\BitLord\uninst.exe
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Combined Community Codec Pack 2008-01-24-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"
Creative Audio Console-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
Creative MediaSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
EA Download Manager-->C:\Program Files\Electronic Arts\EADM\Uninstall.exe
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
F.E.A.R. 2: Project Origin-->"C:\Program Files\Steam\steam.exe" steam://uninstall/16450
Fable - The Lost Chapters-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}
Fallout 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{974C4B12-4D02-4879-85E0-61C95CC63E9E}\setup.exe" -l0x9 -removeonly
Free Mp3 Wma Converter V 1.8.0-->"C:\Program Files\Free Audio Pack\unins000.exe"
Google Chrome-->"C:\Program Files\Google\Chrome\Application\2.0.172.39\Installer\setup.exe" --uninstall --system-level
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google SketchUp 6 Exporters-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EB459C2F-41CA-4222-B9CA-F8EBA40B8DAB}\setup.exe" -l0x9 -removeonly
Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp LayOut 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C12D609B-EB71-411B-82C3-9BE6D40435D7}\setup.exe" -l0x9 -removeonly
Google SketchUp Pro 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12E75B98-8463-4C1F-8DDA-F6CF31566A55}\setup.exe" -l0x9 -removeonly
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Haali Media Splitter-->"C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
Half-Life 2: Episode One-->"C:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Episode Two-->"C:\Program Files\Steam\steam.exe" steam://uninstall/420
Half-Life 2: Lost Coast-->"C:\Program Files\Steam\steam.exe" steam://uninstall/340
Half-Life 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/220
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB938759)-->"C:\WINDOWS\$NtUninstallKB938759$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JGsoft EditPad Lite 5.3.0-->C:\WINDOWS\UnDeploy.exe "C:\Program Files\JGsoft\EditPadLite\Deploy.log"
Left 4 Dead-->"C:\Program Files\Steam\steam.exe" steam://uninstall/500
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Maxwell-->C:\Program Files\Next Limit\Maxwell\uninstall.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4AA3D64E-9EC3-4B0F-AB91-5885AC55641F}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
MINERVA: Metastasis-->C:\PROGRA~1\Steam\STEAMA~1\SOURCE~1\METAST~1\UNWISE.EXE C:\PROGRA~1\Steam\STEAMA~1\SOURCE~1\METAST~1\metastasis.log
MobileMe Control Panel-->MsiExec.exe /I{DDBB28C8-B2AA-45A1-8DCE-059A798509FB}
Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
PDF Settings-->MsiExec.exe /I{DC017035-1939-425F-8F86-63B462C76C6A}
PerSono-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D63F2860-678D-11D4-B355-0010A4F75374}\setup.exe"
QuickTime MPEG2-->MsiExec.exe /I{12EAE4F0-8770-451C-B4AD-76B569678973}
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Search Settings 1.2.1-->MsiExec.exe /X{0B1AAC97-8563-41D9-AE47-58E6A222F0E1}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Synergy-->"C:\Program Files\Steam\steam.exe" steam://uninstall/17520
Team Fortress 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/440
The Core Media Player 4.0-->"C:\Program Files\CoreCodec\The Core Media Player\uninstall-tcmp4.exe"
TiVo Desktop 2.7-->MsiExec.exe /I{4E839090-3B68-436A-B3CF-A2A08C38DD26}
TiVo Desktop 2.7-->MsiExec.exe /X{4E839090-3B68-436A-B3CF-A2A08C38DD26}
Turning Point - Fall of Liberty-->"C:\Program Files\InstallShield Installation Information\{D4FEA244-A9BC-4727-8EA9-B369579F43CF}\setup.exe" -runfromtemp -l0x0409 -removeonly
Turning Point - Fall of Liberty-->MsiExec.exe /X{D4FEA244-A9BC-4727-8EA9-B369579F43CF}
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VideoReDo TVSuite Version 3.1.4.549-->"C:\Program Files\VideoReDoTVSuite\unins000.exe"
WD Firewire HID Driver-->MsiExec.exe /X{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}
WD Win98 SE USB Disk Driver, v1.00.09-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F512339-216D-4FBE-8A83-3EDCC3F03F51}\setup.exe" -l0x9 -removeonly
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.1.7-->"C:\Program Files\WinSCP\unins000.exe"
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"

======Security center information======

AV: AntiVir Desktop

======System event log======

Computer Name: D1
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

Record Number: 91
Source Name: Service Control Manager
Time Written: 20090819120121.000000-360
Event Type: error
User:

Computer Name: D1
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

Record Number: 90
Source Name: Service Control Manager
Time Written: 20090819120120.000000-360
Event Type: error
User:

Computer Name: D1
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

Record Number: 89
Source Name: Service Control Manager
Time Written: 20090819120118.000000-360
Event Type: error
User:

Computer Name: D1
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
PCIIde

Record Number: 57
Source Name: Service Control Manager
Time Written: 20090819111247.000000-360
Event Type: error
User:

Computer Name: D1
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
PCIIde

Record Number: 29
Source Name: Service Control Manager
Time Written: 20090819103403.000000-360
Event Type: error
User:

=====Application event log=====

Computer Name: D1
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Record Number: 2953
Source Name: Userenv
Time Written: 20090330140507.000000-360
Event Type: warning
User: D1\Matt

Computer Name: D1
Event Code: 1517
Message: Windows saved user D1\Matt registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 2944
Source Name: Userenv
Time Written: 20090330121833.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: D1
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Record Number: 2943
Source Name: Userenv
Time Written: 20090330121826.000000-360
Event Type: warning
User: D1\Matt

Computer Name: D1
Event Code: 1517
Message: Windows saved user D1\Matt registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 2934
Source Name: Userenv
Time Written: 20090329223059.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: D1
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Record Number: 2933
Source Name: Userenv
Time Written: 20090329223053.000000-360
Event Type: warning
User: D1\Matt

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"MAXWELL_ROOT"=C:\Program Files\Next Limit\Maxwell
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

SpySentinel

Aug 20 2009, 03:33 PM

Hi Matt, You're welcome.

How is your computer running?

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Java™ 6 Update 7

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 16.
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")

Download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

screen317

Aug 20 2009, 10:27 PM

SIR CHEECH,

SpySentinel will be away for a bit and I will be taking over for him. Please follow his most recent set of instructions and we'll continue from there.

-screen317

SIR CHEECH

Aug 20 2009, 11:11 PM

My computer is running much better thanks completely to your expert advice and assistance. I have dropped 4 unnecessary processes from the task manager, google links are performing properly, malwarebytes runs. I'm completely stoked!

I did a final run of malwarebytes and avira a few loose ends turned up. I'm happy to say though that avira ran for the first time without having 20 or so instances of TR/Rootkit.gen infections turning up. Also its showing that a complete system scan has occurred, where before, no matter how many times i scanned my system, it never showed up as having a complete system scan done. If you are so inclined, please take a glance at the logs below and let me know if you deem any further action need be taken.

and by the way

THANK YOU VERY MUCH

MBAM Log

Malwarebytes' Anti-Malware 1.40
Database version: 2657
Windows 5.1.2600 Service Pack 3

8/20/2009 12:37:08 PM
mbam-log-2009-08-20 (12-37-08).txt

Scan type: Full Scan (C:\|G:\|H:\|)
Objects scanned: 343414
Time elapsed: 2 hour(s), 22 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{2B027C32-D295-4680-B4D6-A82A09E204D4}\RP446\A0083757.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2B027C32-D295-4680-B4D6-A82A09E204D4}\RP448\A0084905.exe (Trojan.Banker) -> Quarantined and deleted successfully.

AVIRA Log

Avira AntiVir Personal
Report file date: Thursday, August 20, 2009 12:48

Scanning for 1649952 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : D1

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 8/14/2009 16:44:00
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 16:21:42
ANTIVIR2.VDF : 7.1.5.88 2668032 Bytes 8/10/2009 21:01:53
ANTIVIR3.VDF : 7.1.5.142 435712 Bytes 8/20/2009 16:44:07
Engineversion : 8.2.1.3
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 20:31:50
AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/12/2009 16:44:55
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 16:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 16:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 20:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 16:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 8/18/2009 16:48:05
AEHELP.DLL : 8.1.6.0 233846 Bytes 8/18/2009 16:47:13
AEGEN.DLL : 8.1.1.57 356725 Bytes 8/18/2009 16:47:07
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 21:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 16:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 21:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 17:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 21:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 22:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 22:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 17:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, G:, H:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+JOKE,+PCK,+SPR,

Start of the scan: Thursday, August 20, 2009 12:48

Starting search for hidden objects.
'60109' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'TiVoTransfer.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'PersTray.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'TiVoServer.exe' - '1' Module(s) have been scanned
Scan process 'TiVoNotify.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'TranscodingService.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'WDBtnMgr.exe' - '1' Module(s) have been scanned
Scan process 'WD_SRT.exe' - '1' Module(s) have been scanned
Scan process 'CTHELPER.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '54' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\Internet Explorer\iexplore.exe
[WARNING] The file could not be opened!
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\MRT.exe
[WARNING] The file could not be opened!
Begin scan in 'G:\' <JESUS>
G:\¬projects\[0018]¬ moebius portfolio\Design Present\wEb\moebius_web.ai
[DETECTION] Contains recognition pattern of the HTML/Malicious.PDF.Gen HTML script virus
Begin scan in 'H:\' <CHRIST>

Beginning disinfection:
G:\¬projects\[0018]¬ moebius portfolio\Design Present\wEb\moebius_web.ai
[DETECTION] Contains recognition pattern of the HTML/Malicious.PDF.Gen HTML script virus
[NOTE] The file was moved to '4af2d406.qua'!

End of the scan: Thursday, August 20, 2009 16:52
Used time: 1:30:46 Hour(s)

The scan has been done completely.

20782 Scanned directories
411260 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
4 Files cannot be scanned
411255 Files not concerned
2144 Archives were scanned
4 Warnings
2 Notes
60109 Objects were scanned with rootkit scan
0 Hidden objects were found

screen317

Aug 20 2009, 11:16 PM

SIR CHEECH,

Please don't bold the logs; it's harder on the eyes.

QUOTE

Good to hear things are running well.

Make sure a copy of ComboFix is on your Desktop before doing the following:

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Restart your computer and let me know what issues remain.

-screen317

SIR CHEECH

Aug 21 2009, 02:09 PM

Seems like everything is a-o-k. MBAM scanned clean as well as avira. I really appreciate the excellent support. Thanks again!

-SIR CHEECH

screen317

Aug 21 2009, 08:36 PM

Good to hear!

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio
Comodo
Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

Green to go
Yellow for caution
Red to stop

WOT has an addon available for both Firefox and IE.

7) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

SIR CHEECH

Aug 22 2009, 03:50 PM

Thanks so much for getting me on the right path to surfing. I had no idea how ignorant I had become over the past few years. My girl just got a new laptop, so this advice couldn't have come at a better time. I'm now prepared to make sure she doesn't have to go through what I did. Thanks again!!

screen317

Aug 22 2009, 10:51 PM

Great to hear and glad we could help.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.