LuckyCat

Java 6 Update 21 Installation Failed

67 posts in this topic

Hello, as per Gammo's suggestion I'm starting a topic here. I was previously infected by malware but now my PC is clean. However, whenever I try installing the latest Java update the installation fails. Please take a look at the ending portion of this thread:

http://forums.malwarebytes.org/index.php?s...60661&st=20

Gammo did the best he could to help me install it but it's still not working. I've already tried some steps. What should I do next?

Thanks :)


Do you have the installation software and registration information for your Symantec Anti-Virus? If so then please fully uninstall it temporarily. Make sure you download this software first, then run these scanners. Then temporarily install Avira AV so that you have an Anti-Virus running. If you have any questions please ask first.

STEP 01

Read entire post and download all required software first.

STEP 01A

Temporarily uninstall Symantec Anti-Virus and restart the computer.

See STEP 7 for getting the software first and other steps for required software.

Then disconnect your network connection and don't reconnect until the end and you have Avira installed.

STEP 02

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

STEP 03

Please download the following program to your desktop. Close all other open applications and then run the program.

It will restore file permissions to the system and automatically restart the computer when done.

restoredefaultperms.exe

STEP 04

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

STEP 05

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt

  2. Attach.txt

  • Save both reports to your desktop

  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 06

  1. Download the Event Viewer Tool by Vino Rosso VEW and save it to your Desktop:
  2. Double-click VEW.exe
  3. Under 'Select log to query', select:
    • Application
    • System
  4. Under 'Select type to list', select:
    • Error
  5. Click the radio button for 'Number of events'
  6. Type 10 in the 1 to 20 box
  7. Then click the Run button.
  8. Notepad will open with the output log.

Please post the Output log in your next reply

STEP 07

Download and install Avira FREE

STEP 08

Now reconnect back to the Internet and post back all of your logs.


I've followed all steps exactly as you've instructed. Here are my logs :P

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 21:49:45.34 on Fri 08/27/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.301 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\WINDOWS\system32\npkcmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://sys.us.shuttle.com/

uInternet Settings,ProxyOverride = local

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [soundMan] SOUNDMAN.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe.XXX

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\afaria~1.lnk - c:\program files\aclient\bin\XCGSTask.exe.XXX

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} - hxxp://www.albatross18.com/cabs/A18X.ocx

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {116D8D4C-E19A-46D0-95DC-4EA2663703BE} - hxxp://login.hanbiton.com/cab/Hanbiton_Mb424.cab

DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} - hxxp://login.hanbiton.com/cab/NLSnSSO.cab

DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - hxxps://ansim.suhyup.co.kr/scsk4.cab

DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} - hxxp://update.nprotect.net/npscan2006/kor/nps.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://acs.yescard.co.kr/XecureObject/xw_install.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {987ECFCE-E607-4D52-B2C5-2EA1F6F303C4} - hxxp://www.pangya.com/PangyaLauncher/PangyaLauncher.cab

DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab

DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} - hxxps://plugin.inicis.com/wallet50/INIwallet50.cab

DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxps://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8234.cab

DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.lgcard.com/infovine/VineTransfer.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxps://vbv.lgcard.com/popup/npkcx_lg.cab

DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab

DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053}

DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxp://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab

DPF: {F58E877C-4F14-4805-B2D2-EB48927C7580} - hxxp://dist.cdnetworks.co.kr/cdndist/streamport/SPort.cab

Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ddqu81zm.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 15701312;15701312 Boot Guard Driver;c:\windows\system32\drivers\15701312.sys [2010-8-22 37392]

R0 37407542;37407542 Boot Guard Driver;c:\windows\system32\drivers\37407542.sys [2010-8-22 37392]

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2004-6-1 6016]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-26 64288]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-8-16 218592]

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-5-12 97408]

R1 37407541;37407541;c:\windows\system32\drivers\37407541.sys [2010-8-22 128016]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-8-16 112592]

R3 Neo_PangYa;VPN Client Device Driver - PangYa;c:\windows\system32\drivers\Neo_0067.sys [2008-12-3 22000]

S1 15701311;15701311;c:\windows\system32\drivers\15701311.sys --> c:\windows\system32\drivers\15701311.sys [?]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]

S2 vpnclient;PacketiX VPN Client;"c:\program files\packetix vpn client english\vpnclient.exe" /service --> c:\program files\packetix vpn client english\vpnclient.exe [?]

S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [2007-8-11 31104]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-8-16 366840]

S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-8-16 1142224]

S3 XDva219;XDva219;\??\c:\windows\system32\xdva219.sys --> c:\windows\system32\XDva219.sys [?]

=============== Created Last 30 ================

2010-08-27 20:36:37 0 d-----w- C:\_OTM

2010-08-26 19:02:33 0 d-----w- c:\program files\ESET

2010-08-24 23:51:27 0 d-----w- c:\windows\pss

2010-08-22 21:11:53 37392 ----a-w- c:\windows\system32\drivers\37407542.sys

2010-08-22 21:11:53 315408 ----a-w- c:\windows\system32\drivers\3740754.sys

2010-08-22 21:11:53 128016 ----a-w- c:\windows\system32\drivers\37407541.sys

2010-08-22 21:06:44 37392 ----a-w- c:\windows\system32\drivers\15701312.sys

2010-08-22 21:06:43 315408 ----a-w- c:\windows\system32\drivers\1570131.sys

2010-08-20 00:21:00 0 d--h--w- c:\windows\PIF

2010-08-17 04:57:26 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-17 04:09:01 0 d-----w- c:\program files\CCleaner

2010-08-17 04:06:48 0 d-----w- C:\ClamWinPortable

2010-08-16 23:05:37 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys

2010-08-16 23:05:37 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys

2010-08-16 23:05:37 116272 ----a-r- c:\windows\system32\drivers\Ironx86.sys

2010-08-16 23:05:35 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys

2010-08-16 23:04:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton

2010-08-16 23:03:04 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller

2010-08-16 17:52:10 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes

2010-08-16 17:52:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 17:52:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-16 17:52:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-16 17:52:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 04:55:32 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:50:59 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:46:41 882 ----a-w- c:\windows\RegSDImport.xml

2010-08-16 04:46:41 879 ----a-w- c:\windows\RegISSImport.xml

2010-08-16 04:46:41 767952 ----a-w- c:\windows\BDTSupport.dll

2010-08-16 04:46:41 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-08-16 04:46:41 131 ----a-w- c:\windows\IDB.zip

2010-08-16 04:46:41 1152444 ----a-w- c:\windows\UDB.zip

2010-08-16 04:46:40 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-08-16 04:46:40 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-08-16 04:46:31 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:45:00 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:40:15 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:37:36 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:35:58 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat

2010-08-16 04:35:58 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-08-16 04:35:49 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-08-16 04:35:49 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat

2010-08-16 04:35:49 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat

2010-08-16 04:35:49 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-08-16 04:35:36 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat

2010-08-16 04:35:36 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-08-16 04:35:21 0 d-----w- c:\program files\common files\PC Tools

2010-08-16 04:35:20 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-08-16 04:33:04 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:31:03 0 d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:29:48 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:27:17 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:25:17 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:23:46 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:22:45 0 d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:19:38 40840 ----a-w- c:\windows\system32\drivers\ikfilesec.sys

2010-08-16 04:19:38 29576 ----a-w- c:\windows\system32\drivers\kcom.sys

2010-08-16 04:19:37 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys

2010-08-16 04:19:37 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys

2010-08-16 04:19:19 0 d-----w- c:\docume~1\owner\applic~1\PC Tools

2010-08-16 04:19:18 0 d-----w- c:\program files\Spyware Doctor

2010-08-16 04:17:11 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:16:10 0 d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:13:29 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:09:57 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:08:27 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:51:01 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:50:01 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:48:31 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:46:01 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:44:01 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:42:31 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:25:04 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:20:21 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:19:21 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:15:08 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:12:26 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:09:33 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:08:02 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:02:16 0 d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-06 23:40:34 0 d-----w- C:\NSS

2010-08-06 16:08:47 520 ----a-w- c:\windows\_delis32.ini

==================== Find3M ====================

2010-08-28 01:40:25 160344 ----a-w- c:\windows\system32\FNTCACHE.DAT

============= FINISH: 21:50:07.21 ===============

Vino's Event Viewer v01c run on Windows XP in English

Report run at 27/08/2010 9:54:03 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Application' Log - error Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'Application' Date/Time: 25/08/2010 8:34:42 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

Log: 'Application' Date/Time: 25/08/2010 8:26:46 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

Log: 'Application' Date/Time: 25/08/2010 8:22:01 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

Log: 'Application' Date/Time: 25/08/2010 8:12:22 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

Log: 'Application' Date/Time: 25/08/2010 5:06:08 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

Log: 'Application' Date/Time: 25/08/2010 4:50:57 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

Log: 'Application' Date/Time: 25/08/2010 4:44:55 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

Log: 'Application' Date/Time: 25/08/2010 2:48:18 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

Log: 'Application' Date/Time: 25/08/2010 2:30:50 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

Log: 'Application' Date/Time: 24/08/2010 7:43:50 PM

Type: error Category: 0

Event: 1 Source: JavaQuickStarterService

The event description cannot be found.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'System' Log - error Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'System' Date/Time: 27/08/2010 9:40:35 PM

Type: error Category: 0

Event: 7026 Source: Service Control Manager

The following boot-start or system-start driver(s) failed to load: 15701311

Log: 'System' Date/Time: 27/08/2010 9:40:35 PM

Type: error Category: 0

Event: 7000 Source: Service Control Manager

The PacketiX VPN Client service failed to start due to the following error: The system cannot find the path specified.

Log: 'System' Date/Time: 27/08/2010 9:40:35 PM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The System Restore Service service terminated with the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 27/08/2010 9:40:34 PM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 27/08/2010 9:40:34 PM

Type: error Category: 0

Event: 104 Source: SRService

The System Restore initialization process failed.

Log: 'System' Date/Time: 27/08/2010 8:48:01 PM

Type: error Category: 0

Event: 7026 Source: Service Control Manager

The following boot-start or system-start driver(s) failed to load: 15701311

Log: 'System' Date/Time: 27/08/2010 8:48:01 PM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The System Restore Service service terminated with the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 27/08/2010 8:48:01 PM

Type: error Category: 0

Event: 7000 Source: Service Control Manager

The PacketiX VPN Client service failed to start due to the following error: The system cannot find the path specified.

Log: 'System' Date/Time: 27/08/2010 8:48:01 PM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 27/08/2010 8:47:59 PM

Type: error Category: 0

Event: 104 Source: SRService

The System Restore initialization process failed.

AutoRuns.zip

Attach.zip


Curious why there are some Asian language versions of some software on the system. Did you put them on, or do you speak or visit non-English sites on purpose? Just want to make sure they're not there by some type of infection.

Did the system do a full disk check? It should have run for probably at least about 30 minutes or more.

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java


Hi,

Oh, some games I used to play could only work if my system was set to Japanese, though my system is set to English now. Was that full disk check the scan that happened after I ran that code, that Windows-based blue-screen DOS-looking thing that loaded before I booted into Windows? If so then yes, and it did take around that much time. There's only one Java listing there, it's Java 6 Update 10. When I try to uninstall it, it still says fatal error during installation.


Well we need to clean up stuff first. Please run the JavaRA program listed above to remove all of Java for now.

Will get back with you again tomorrow for more items.

Make sure to make a backup of your data too. Always a good idea to have a backup.


Okay good idea :P I ran JavaRA again and none of those folders exist. Just for a test I tried to install Java 6 again, still no luck.

Well we need to clean up stuff first. Please run the JavaRA program listed above to remove all of Java for now.

First you must find a way to Remove the Very Old versions of Java - That is what AdvancedSetup is working on -

Thank You -


STEP 01

Please uninstall the following software

spyware doctor

Spybot-S&D

Ad-Aware

STEP 02

Do you know what these drivers are? I don't find them on a Google search and they're all from the same day which is very odd

R0 15701312;15701312 Boot Guard Driver;c:\windows\system32\drivers\15701312.sys [2010-8-22 37392]

R0 37407542;37407542 Boot Guard Driver;c:\windows\system32\drivers\37407542.sys [2010-8-22 37392]

R1 37407541;37407541;c:\windows\system32\drivers\37407541.sys [2010-8-22 128016]

These drivers here look to be from maybe Chinese? Do you need them, can we remove them?

R3 Neo_PangYa;VPN Client Device Driver - PangYa;c:\windows\system32\drivers\Neo_0067.sys [2008-12-3 22000]

S2 vpnclient;PacketiX VPN Client;"c:\program files\packetix vpn client english\vpnclient.exe" /service --> c:\program files\packetix vpn client english\vpnclient.exe [?]

STEP 03

After removing the above software and answering the questions, please run ComboFix again, allow it to update itself if requested, and post back the new log and your answers to the above questions.


Hey, I've completed step one. For step two, the stuff installed on 2010-8-22: I don't know what that is. That was during my infection; it could be related to the malware I had during that time or to any software I installed during that time to combat it. Everything I did, and everything that happened, during that time frame is in my previous thread. For the Japanese drivers, I don't need that program anymore, so we can remove them. For step three, do I run ComboFix as .exe or .com? I tried running it as .com (just like I have previously) but the scan did not complete. The only thing I did differently was install the Recovery Console. I tried clicking the icon again but the DOS screen does not even open up. This happened once before, and I believe I rebooted and it worked again.

P.S

I've been looking on the net for situations like mine with the Java installation program. I've found stuff here:

http://www.computing.net/answers/windows-x...ing/186709.html

http://www.techsupportforum.com/microsoft-...ion-failed.html

It seems like it's always an issue with the registry. People have used programs like JavaRa with no luck. I hope it's okay to post these links; sorry if it's not allowed.


It's possible the first set of drivers are from Kaspersky, but since you no longer have Kaspersky installed, those drivers shouldn't be there either.

Please delete your current copy of Combofix and download a new fresh copy and try to run it please.

Make sure to disable the Avira Guard


Here we go :P

ComboFix 10-08-28.02 - Owner 08/29/2010 23:42:17.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.271 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))

.

2010-08-28 01:55 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-28 01:55 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-28 01:55 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-28 01:55 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-28 01:55 . 2010-08-28 01:55 -------- d-----w- c:\program files\Avira

2010-08-28 01:55 . 2010-08-28 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-27 20:36 . 2010-08-27 20:36 -------- d-----w- C:\_OTM

2010-08-26 19:02 . 2010-08-26 19:02 -------- d-----w- c:\program files\ESET

2010-08-26 00:48 . 2010-08-26 00:58 -------- d-----w- C:\ERDNT

2010-08-24 23:25 . 2010-08-24 23:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert

2010-08-22 21:11 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\37407542.sys

2010-08-22 21:11 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\3740754.sys

2010-08-22 21:11 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\37407541.sys

2010-08-22 21:06 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\15701312.sys

2010-08-22 21:06 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\1570131.sys

2010-08-20 00:21 . 2010-08-20 00:21 -------- d--h--w- c:\windows\PIF

2010-08-17 04:57 . 2010-08-17 04:57 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-17 04:09 . 2010-08-17 04:09 -------- d-----w- c:\program files\CCleaner

2010-08-17 04:06 . 2010-08-22 21:42 -------- d-----w- C:\ClamWinPortable

2010-08-16 23:05 . 2009-11-26 06:41 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys

2010-08-16 23:05 . 2009-11-26 06:41 116272 ----a-r- c:\windows\system32\drivers\Ironx86.sys

2010-08-16 23:05 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys

2010-08-16 23:05 . 2009-12-09 09:06 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\program files\Windows Sidebar

2010-08-16 23:04 . 2010-08-25 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-08-16 23:03 . 2010-08-16 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-08-16 17:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-16 17:52 . 2010-08-25 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 17:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-16 04:55 . 2010-08-16 04:55 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:50 . 2010-08-16 04:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:46 . 2010-08-16 04:46 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:45 . 2010-08-16 04:45 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:40 . 2010-08-16 04:40 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:37 . 2010-08-16 04:37 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:33 . 2010-08-16 04:33 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:31 . 2010-08-16 04:31 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:29 . 2010-08-16 04:29 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:27 . 2010-08-16 04:27 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:25 . 2010-08-16 04:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:23 . 2010-08-16 04:23 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:22 . 2010-08-16 04:22 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:17 . 2010-08-16 04:17 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:16 . 2010-08-16 04:16 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:13 . 2010-08-16 04:13 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:09 . 2010-08-16 04:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:08 . 2010-08-16 04:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:51 . 2010-08-16 03:51 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:50 . 2010-08-16 03:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:48 . 2010-08-16 03:48 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:46 . 2010-08-16 03:46 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:44 . 2010-08-16 03:44 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:42 . 2010-08-16 03:42 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:25 . 2010-08-16 03:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:20 . 2010-08-16 03:20 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:19 . 2010-08-16 03:19 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:15 . 2010-08-16 03:15 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:12 . 2010-08-16 03:12 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:09 . 2010-08-16 03:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:08 . 2010-08-16 03:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:02 . 2010-08-16 03:02 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-06 23:40 . 2010-08-21 01:45 -------- d-----w- C:\NSS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-29 15:31 . 2010-06-05 02:36 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-29 15:25 . 2010-06-05 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-29 15:25 . 2006-02-18 04:10 -------- d-----w- c:\program files\Lavasoft

2010-08-29 15:25 . 2008-12-20 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-08-29 15:24 . 2008-12-25 18:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-28 05:32 . 2005-02-22 12:06 160344 ----a-w- c:\windows\system32\FNTCACHE.DAT

2010-08-25 18:28 . 2006-02-18 03:47 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-08-24 00:22 . 2006-02-18 04:12 -------- d-----w- c:\program files\Steam

2010-08-22 16:22 . 2006-10-09 03:52 -------- d-----w- c:\program files\Winamp

2010-08-22 16:20 . 2007-05-27 04:33 -------- d-----w- c:\program files\Starcraft

2010-08-22 16:19 . 2006-02-25 21:37 -------- d-----w- c:\program files\Return to Castle Wolfenstein

2010-08-22 16:18 . 2010-06-18 05:03 -------- d-----w- c:\program files\Realtek AC97

2010-08-22 16:18 . 2006-04-04 01:51 -------- d-----w- c:\program files\mobile PhoneTools

2010-08-22 16:18 . 2009-09-17 01:50 -------- d-----w- c:\program files\Microsoft

2010-08-22 16:18 . 2007-11-15 20:25 -------- d-----w- c:\program files\LG PC Suite 2

2010-08-22 16:17 . 2008-09-13 06:13 -------- d-----w- c:\program files\Proxifier

2010-08-22 16:17 . 2007-04-04 16:48 -------- d-----w- c:\program files\PowerPoint Viewer

2010-08-22 16:01 . 2006-09-08 01:13 -------- d-----w- c:\program files\DVD Decrypter

2010-08-22 15:56 . 2006-03-15 02:12 -------- d-----w- c:\program files\Doom 3

2010-08-22 15:53 . 2006-07-23 05:47 -------- d-----w- c:\program files\Common Files\Ntreev

2010-08-22 15:53 . 2007-06-05 01:36 -------- d-----w- c:\program files\BitTorrent

2010-08-22 15:52 . 2006-02-25 21:08 -------- d-----w- c:\program files\Quake III Arena

2010-08-17 19:49 . 2007-04-22 03:28 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

2010-08-08 07:08 . 2010-06-06 02:05 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-25 21:25 . 2010-02-16 03:34 256 ----a-w- c:\windows\system32\pool.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-25 122939]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe.XXX [2006-3-5 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Afaria Client Generic Scheduler.lnk - c:\program files\AClient\Bin\XCGSTask.exe.XXX [2007-4-4 438272]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Persona\\Persona.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=

R0 15701312;15701312 Boot Guard Driver;c:\windows\system32\drivers\15701312.sys [8/22/2010 5:06 PM 37392]

R0 37407542;37407542 Boot Guard Driver;c:\windows\system32\drivers\37407542.sys [8/22/2010 5:11 PM 37392]

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [6/1/2004 5:02 AM 6016]

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/12/2004 2:01 AM 97408]

R1 37407541;37407541;c:\windows\system32\drivers\37407541.sys [8/22/2010 5:11 PM 128016]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/27/2010 9:55 PM 135336]

R3 Neo_PangYa;VPN Client Device Driver - PangYa;c:\windows\system32\drivers\Neo_0067.sys [12/3/2008 10:20 PM 22000]

S1 15701311;15701311;c:\windows\system32\DRIVERS\15701311.sys --> c:\windows\system32\DRIVERS\15701311.sys [?]

S2 vpnclient;PacketiX VPN Client;"c:\program files\PacketiX VPN Client English\vpnclient.exe" /service --> c:\program files\PacketiX VPN Client English\vpnclient.exe [?]

S3 NPFWFLT;NPFWFLT;c:\windows\system32\npfwflt.sys [8/11/2007 2:16 AM 31104]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://sys.us.shuttle.com/

uInternet Settings,ProxyOverride = local

DPF: {116D8D4C-E19A-46D0-95DC-4EA2663703BE} - hxxp://login.hanbiton.com/cab/Hanbiton_Mb424.cab

DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} - hxxp://login.hanbiton.com/cab/NLSnSSO.cab

DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} - hxxp://update.nprotect.net/npscan2006/kor/nps.cab

DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://acs.yescard.co.kr/XecureObject/xw_install.cab

DPF: {987ECFCE-E607-4D52-B2C5-2EA1F6F303C4} - hxxp://www.pangya.com/PangyaLauncher/PangyaLauncher.cab

DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://secure.kcp.co.kr/webpay/v3d/file/kcp_ansimclick.cab

DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} - hxxps://plugin.inicis.com/wallet50/INIwallet50.cab

DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxps://acs1.lottecard.co.kr/visa3d/kdfense/kdfense8234.cab

DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.lgcard.com/infovine/VineTransfer.cab

DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab

DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab

DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxp://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab

DPF: {F58E877C-4F14-4805-B2D2-EB48927C7580} - hxxp://dist.cdnetworks.co.kr/cdndist/streamport/SPort.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ddqu81zm.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

AddRemove-Win 32. Backdoor . Poison Ivy Removal Tool_is1 - c:\program files\Win 32. Backdoor . Poison Ivy Removal Tool\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-29 23:47

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2244)

c:\windows\system32\msi.dll

.

Completion time: 2010-08-29 23:49:49

ComboFix-quarantined-files.txt 2010-08-30 03:49

Pre-Run: 57,938,976,768 bytes free

Post-Run: 57,950,142,464 bytes free

- - End Of File - - 4628FB1F7A2D49AF8FE362EAC7E73ED8


STEP 01

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C netsh winsock reset catalog

Then restart the computer

STEP 02

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Driver::

15701312

37407542

37407541

Neo_PangYa

15701311

vpnclient

NPFWFLT

XDva219

File::

c:\program files\PacketiX VPN Client English\vpnclient.exe

c:\windows\system32\????@backup.vpn_client.co

c:\windows\system32\??@backup.vpn_client.co

c:\windows\system32\drivers\1570131.sys

c:\windows\system32\DRIVERS\15701311.sys

c:\windows\system32\drivers\15701312.sys

c:\windows\system32\drivers\3740754.sys

c:\windows\system32\drivers\37407541.sys

c:\windows\system32\drivers\37407542.sys

c:\windows\system32\drivers\Neo_0067.sys

c:\windows\system32\npfwflt.sys

c:\windows\system32\XDva219.sys

c:\windows\system32\

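The two helper posts above (the one asking about the unidentified drivers that all appeared on the same day, and the CFScript that then lists them under Driver:: and File::) amount to a small triage procedure: pull the R*/S* service lines out of a ComboFix log, flag the ones that deserve a question, and turn the answers into a removal script. The Python below is an added example written for this page, not a tool from the thread, from ComboFix or from the helpers. The sample lines are constructed in the shape the log above prints, and the three rules it applies (numeric-only service name, image file missing on disk, several drivers installed on one day) are this example's own heuristics, not ComboFix's. As the helper did, a flag is a prompt to ask the user, not proof of malware: a legitimate AV install also drops several drivers on one day.

```python
"""Triage ComboFix service/driver lines and emit a CFScript Driver::/File:: block.

Added example for this page; not ComboFix's own logic. The regex and the
three heuristics are assumptions about the log format shown in the thread.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the same shape ComboFix uses in the log posted above.
# "[?]" at the end means ComboFix could not find the image file on disk.
SAMPLE_LOG = r"""
R0 15701312;15701312 Boot Guard Driver;c:\windows\system32\drivers\15701312.sys [8/22/2010 5:06 PM 37392]
R0 37407542;37407542 Boot Guard Driver;c:\windows\system32\drivers\37407542.sys [8/22/2010 5:11 PM 37392]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [6/1/2004 5:02 AM 6016]
R1 37407541;37407541;c:\windows\system32\drivers\37407541.sys [8/22/2010 5:11 PM 128016]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/27/2010 9:55 PM 135336]
S1 15701311;15701311;c:\windows\system32\DRIVERS\15701311.sys --> c:\windows\system32\DRIVERS\15701311.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
"""

# <start type> <service name>;<display name>;<image path> [<date> <size>]  or  [?]
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$")


def parse_service_lines(text):
    """Turn ComboFix R*/S* lines into dicts; lines of any other shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        start, name, display, path, stamp = m.groups()
        # "<registered path> --> <resolved path>" appears when the image is missing;
        # keep the resolved path, which is what a File:: entry needs.
        if " --> " in path:
            path = path.split(" --> ", 1)[1]
        if path.startswith("\\??\\"):          # NT object-manager prefix
            path = path[4:]
        installed = size = None
        if stamp != "?":
            date_part, size_str = stamp.rsplit(" ", 1)
            installed = datetime.strptime(date_part, "%m/%d/%Y %I:%M %p").date()
            size = int(size_str)
        entries.append({"start": start, "name": name, "display": display,
                        "path": path, "installed": installed, "size": size,
                        "missing": stamp == "?"})
    return entries


def flag_suspicious(entries, cluster_min=3):
    """Return the entries worth asking the user about, each with its reasons.

    Heuristics are this example's own: a service whose name is only digits,
    an image ComboFix could not find, or a day on which cluster_min or more
    drivers were installed together.
    """
    per_day = Counter(e["installed"] for e in entries if e["installed"])
    flagged = []
    for e in entries:
        reasons = []
        if e["name"].isdigit():
            reasons.append("numeric-only service name")
        if e["missing"]:
            reasons.append("image file not found on disk")
        if e["installed"] and per_day[e["installed"]] >= cluster_min:
            reasons.append(f"{per_day[e['installed']]} drivers installed on {e['installed']}")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def build_cfscript(flagged):
    """Emit Driver:: and File:: sections in the layout the helper's CFScript uses."""
    names = [e["name"] for e in flagged]
    files = sorted({e["path"] for e in flagged}, key=str.lower)
    return "\n".join(["Driver::", *names, "", "File::", *files]) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(parse_service_lines(SAMPLE_LOG))
    for e in hits:
        print(f"{e['start']} {e['name']:<24} {'; '.join(e['reasons'])}")
    print()
    print(build_cfscript(hits))
```

On the constructed sample this flags the three numeric "Boot Guard" drivers (numeric name and a same-day cluster of three), the 15701311 driver (numeric name and missing file) and XDva219 (missing file), and leaves atiide and the Avira scheduler alone; the Driver:: list it prints matches the one the helper wrote by hand. The same-day rule would also fire on a fresh AV install, which is why the output is a list of questions for the user rather than a list of things to delete.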

All done :blush:

ComboFix 10-08-29.04 - Owner 08/30/2010 11:36:16.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.216 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\program files\PacketiX VPN Client English\vpnclient.exe"

"c:\windows\system32\??@backup.vpn_client.co"

"c:\windows\system32\drivers\1570131.sys"

"c:\windows\system32\DRIVERS\15701311.sys"

"c:\windows\system32\drivers\15701312.sys"

"c:\windows\system32\drivers\3740754.sys"

"c:\windows\system32\drivers\37407541.sys"

"c:\windows\system32\drivers\37407542.sys"

"c:\windows\system32\drivers\Neo_0067.sys"

"c:\windows\system32\npfwflt.sys"

"c:\windows\system32\XDva219.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Lavasoft

c:\documents and settings\All Users\Application Data\Lavasoft\License\adaware.da2

c:\documents and settings\All Users\Application Data\Lavasoft\MiniMessage\2

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100604-2310.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100604-2343.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100604-2345.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100604-2345.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100605-0016.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100605-0455.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100605-0515.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100616-0017.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100616-0115.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100616-0210.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100616-0409.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100616-0425.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100616-0628.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100616-0707.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100616-0707.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100807-1915.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100807-1941.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100807-2219.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100807-2253.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100807-2316.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100808-0124.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100808-0125.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100808-0125.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100813-1356.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100813-1457.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100813-1510.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100813-1720.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100813-1821.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100813-1844.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100813-1847.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100813-2053.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100814-0159.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100814-0226.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100815-1543.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100815-1631.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.100815-1830.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100604-2344.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100604-2345.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100605-0050.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100616-0203.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100616-0422.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100807-2218.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100807-2303.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100813-1459.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100813-1821.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.100815-1838.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Resident.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Run Entry History.txt

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Update downloads.log

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\ProcCache.sbc

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAVSecuritySuite.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAVSecuritySuite1.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAVSecuritySuite2.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAVSecuritySuite3.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard1.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard10.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard11.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard12.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard13.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard2.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard3.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard4.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard5.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard6.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard7.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard8.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard9.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusOverride.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx1.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot1.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot10.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot11.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot12.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot2.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot3.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot4.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot5.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot6.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot7.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot8.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot9.zip

c:\program files\Lavasoft

c:\program files\Spybot - Search & Destroy

c:\program files\Spybot - Search & Destroy\advcheck.dll

c:\program files\Spybot - Search & Destroy\Dummies\Thumbs.db

c:\windows\system32\drivers\1570131.sys

c:\windows\system32\drivers\15701312.sys

c:\windows\system32\drivers\3740754.sys

c:\windows\system32\drivers\37407541.sys

c:\windows\system32\drivers\37407542.sys

c:\windows\system32\drivers\Neo_0067.sys

c:\windows\system32\npfwflt.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_15701311

-------\Legacy_15701312

-------\Legacy_37407541

-------\Legacy_37407542

-------\Legacy_NPFWFLT

-------\Legacy_VPNCLIENT

-------\Legacy_XDVA219

-------\Service_15701311

-------\Service_15701312

-------\Service_37407541

-------\Service_37407542

-------\Service_Neo_PangYa

-------\Service_NPFWFLT

-------\Service_vpnclient

-------\Service_XDva219

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))

.

2010-08-28 01:55 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-28 01:55 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-28 01:55 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-28 01:55 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-28 01:55 . 2010-08-28 01:55 -------- d-----w- c:\program files\Avira

2010-08-28 01:55 . 2010-08-28 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-27 20:36 . 2010-08-27 20:36 -------- d-----w- C:\_OTM

2010-08-26 19:02 . 2010-08-26 19:02 -------- d-----w- c:\program files\ESET

2010-08-26 00:48 . 2010-08-26 00:58 -------- d-----w- C:\ERDNT

2010-08-24 23:25 . 2010-08-24 23:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert

2010-08-20 00:21 . 2010-08-20 00:21 -------- d--h--w- c:\windows\PIF

2010-08-17 04:57 . 2010-08-17 04:57 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-17 04:09 . 2010-08-17 04:09 -------- d-----w- c:\program files\CCleaner

2010-08-17 04:06 . 2010-08-22 21:42 -------- d-----w- C:\ClamWinPortable

2010-08-16 23:05 . 2009-11-26 06:41 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys

2010-08-16 23:05 . 2009-11-26 06:41 116272 ----a-r- c:\windows\system32\drivers\Ironx86.sys

2010-08-16 23:05 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys

2010-08-16 23:05 . 2009-12-09 09:06 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\program files\Windows Sidebar

2010-08-16 23:04 . 2010-08-25 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-08-16 23:03 . 2010-08-16 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-08-16 17:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-16 17:52 . 2010-08-25 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 17:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-16 04:55 . 2010-08-16 04:55 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:50 . 2010-08-16 04:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:46 . 2010-08-16 04:46 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:45 . 2010-08-16 04:45 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:40 . 2010-08-16 04:40 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:37 . 2010-08-16 04:37 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:33 . 2010-08-16 04:33 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:31 . 2010-08-16 04:31 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:29 . 2010-08-16 04:29 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:27 . 2010-08-16 04:27 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:25 . 2010-08-16 04:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:23 . 2010-08-16 04:23 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:22 . 2010-08-16 04:22 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:17 . 2010-08-16 04:17 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:16 . 2010-08-16 04:16 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:13 . 2010-08-16 04:13 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:09 . 2010-08-16 04:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:08 . 2010-08-16 04:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:51 . 2010-08-16 03:51 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:50 . 2010-08-16 03:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:48 . 2010-08-16 03:48 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:46 . 2010-08-16 03:46 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:44 . 2010-08-16 03:44 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:42 . 2010-08-16 03:42 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:25 . 2010-08-16 03:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:20 . 2010-08-16 03:20 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:19 . 2010-08-16 03:19 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:15 . 2010-08-16 03:15 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:12 . 2010-08-16 03:12 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:09 . 2010-08-16 03:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:08 . 2010-08-16 03:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:02 . 2010-08-16 03:02 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-06 23:40 . 2010-08-21 01:45 -------- d-----w- C:\NSS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-29 15:24 . 2008-12-25 18:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-28 05:32 . 2005-02-22 12:06 160344 ----a-w- c:\windows\system32\FNTCACHE.DAT

2010-08-25 18:28 . 2006-02-18 03:47 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-08-24 00:22 . 2006-02-18 04:12 -------- d-----w- c:\program files\Steam

2010-08-22 16:22 . 2006-10-09 03:52 -------- d-----w- c:\program files\Winamp

2010-08-22 16:20 . 2007-05-27 04:33 -------- d-----w- c:\program files\Starcraft

2010-08-22 16:19 . 2006-02-25 21:37 -------- d-----w- c:\program files\Return to Castle Wolfenstein

2010-08-22 16:18 . 2010-06-18 05:03 -------- d-----w- c:\program files\Realtek AC97

2010-08-22 16:18 . 2006-04-04 01:51 -------- d-----w- c:\program files\mobile PhoneTools

2010-08-22 16:18 . 2009-09-17 01:50 -------- d-----w- c:\program files\Microsoft

2010-08-22 16:18 . 2007-11-15 20:25 -------- d-----w- c:\program files\LG PC Suite 2

2010-08-22 16:17 . 2008-09-13 06:13 -------- d-----w- c:\program files\Proxifier

2010-08-22 16:17 . 2007-04-04 16:48 -------- d-----w- c:\program files\PowerPoint Viewer

2010-08-22 16:01 . 2006-09-08 01:13 -------- d-----w- c:\program files\DVD Decrypter

2010-08-22 15:56 . 2006-03-15 02:12 -------- d-----w- c:\program files\Doom 3

2010-08-22 15:53 . 2006-07-23 05:47 -------- d-----w- c:\program files\Common Files\Ntreev

2010-08-22 15:53 . 2007-06-05 01:36 -------- d-----w- c:\program files\BitTorrent

2010-08-22 15:52 . 2006-02-25 21:08 -------- d-----w- c:\program files\Quake III Arena

2010-08-17 19:49 . 2007-04-22 03:28 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

2010-08-08 07:08 . 2010-06-06 02:05 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-25 21:25 . 2010-02-16 03:34 256 ----a-w- c:\windows\system32\pool.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-25 122939]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe.XXX [2006-3-5 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Afaria Client Generic Scheduler.lnk - c:\program files\AClient\Bin\XCGSTask.exe.XXX [2007-4-4 438272]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [6/1/2004 5:02 AM 6016]

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/12/2004 2:01 AM 97408]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/27/2010 9:55 PM 135336]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://sys.us.shuttle.com/

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ddqu81zm.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-30 11:44

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(456)

c:\windows\system32\Ati2evxx.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\npkcmsvc.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\windows\SOUNDMAN.EXE

.

**************************************************************************

.

Completion time: 2010-08-30 11:46:53 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-30 15:46

ComboFix2.txt 2010-08-30 03:49

Pre-Run: 57,946,861,568 bytes free

Post-Run: 57,883,262,976 bytes free

- - End Of File - - 126A590392A28B99F2244D2A0EA8A388

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 12:00:03.39 on Mon 08/30/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.270 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\npkcmsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://sys.us.shuttle.com/

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [soundMan] SOUNDMAN.EXE

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe.XXX

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\afaria~1.lnk - c:\program files\aclient\bin\XCGSTask.exe.XXX

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} - hxxp://www.albatross18.com/cabs/A18X.ocx

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - hxxps://ansim.suhyup.co.kr/scsk4.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxps://vbv.lgcard.com/popup/npkcx_lg.cab

Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ddqu81zm.default\

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2004-6-1 6016]

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-5-12 97408]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-27 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-27 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-27 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-27 60936]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-08-29 16:14:41 0 d-sha-r- C:\cmdcons

2010-08-29 16:12:23 98816 ----a-w- c:\windows\sed.exe

2010-08-29 16:12:23 77312 ----a-w- c:\windows\MBR.exe

2010-08-29 16:12:23 256512 ----a-w- c:\windows\PEV.exe

2010-08-29 16:12:23 161792 ----a-w- c:\windows\SWREG.exe

2010-08-28 01:55:51 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-28 01:55:50 0 d-----w- c:\program files\Avira

2010-08-28 01:55:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-08-27 20:36:37 0 d-----w- C:\_OTM

2010-08-26 19:02:33 0 d-----w- c:\program files\ESET

2010-08-24 23:51:27 0 d-----w- c:\windows\pss

2010-08-20 00:21:00 0 d--h--w- c:\windows\PIF

2010-08-17 04:57:26 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-17 04:09:01 0 d-----w- c:\program files\CCleaner

2010-08-17 04:06:48 0 d-----w- C:\ClamWinPortable

2010-08-16 23:05:37 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys

2010-08-16 23:05:37 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys

2010-08-16 23:05:37 116272 ----a-r- c:\windows\system32\drivers\Ironx86.sys

2010-08-16 23:05:35 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys

2010-08-16 23:04:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton

2010-08-16 23:03:04 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller

2010-08-16 17:52:10 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes

2010-08-16 17:52:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 17:52:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-16 17:52:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-16 17:52:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 04:55:32 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:50:59 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:46:31 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:45:00 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:40:15 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:37:36 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:33:04 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:31:03 0 d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:29:48 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:27:17 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:25:17 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:23:46 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:22:45 0 d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:17:11 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:16:10 0 d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:13:29 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:09:57 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:08:27 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:51:01 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:50:01 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:48:31 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:46:01 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:44:01 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:42:31 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:25:04 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:20:21 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:19:21 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:15:08 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:12:26 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:09:33 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:08:02 0 d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:02:16 0 d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-06 23:40:34 0 d-----w- C:\NSS

2010-08-06 16:08:47 520 ----a-w- c:\windows\_delis32.ini

==================== Find3M ====================

2010-08-28 05:32:07 160344 ----a-w- c:\windows\system32\FNTCACHE.DAT

============= FINISH: 12:00:13.81 ===============

Attach.zip

AutoRuns.zip


STEP 01

Are you still running any games that require the nProtect GameGuard Service?

This still shows as being in your Control Panel, Add/Remove - Java™ 6 Update 10

STEP 02

Do you need or still use this program?

K-Defense8 Control appears to be a Korean networking tool

STEP 03

All of these still show in the Control Panel, Add/Remove as well; I thought you had removed them already.

PacketiX VPN Client (English)

Pangya (Ntreev USA)

PangYa_Cb_Jp (NtreevSoft)

Pangya_Jp (NtreevSoft)

STEP 04

Using your mouse, highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines.

DDS::

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = hxxp://sys.us.shuttle.com/

BHO: Java


For step one, I do still have games that require nProtect, and that's the only version of Java I have installed and the one I've been trying to get rid of. Every time I try uninstalling it I get a fatal error during installation, so I believe this is part of the reason why I can't install Java 6 Update 21. For step two, K-Defense8 Control, I don't need that. It shows up in my Add/Remove Programs list; should I uninstall it? For step three, PacketiX VPN Client was one of the programs that was attacked by the virus that I noticed, so before getting help here I deleted the entire folder in safe mode, since I saw those processes were running and every time I ended the task it would start again. It still shows up in my Add/Remove Programs as well. I don't need it anymore, though. For the Pangya stuff, I never did remove them. For step five, I can't remove Java 6 Update 10; I keep on getting a fatal error during installation. However, I ran JavaRa and completed the rest of the steps. Here are my logs :)

ComboFix 10-08-31.01 - Owner 08/31/2010 13:40:15.5.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.189 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\docume~1\Owner\LOCALS~1\Temp\mbr.sys"

"c:\docume~1\Owner\LOCALS~1\Temp\RarSFX0\redist.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk

c:\docume~1\alluse~1\startm~1\programs\startup\afaria~1.lnk

c:\program files\aclient\bin\XCGSTask.exe.XXX

c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe.XXX

.

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-31 )))))))))))))))))))))))))))))))

.

2010-08-30 17:59 . 2010-08-30 17:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avira

2010-08-28 01:55 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-08-28 01:55 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-28 01:55 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-08-28 01:55 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-08-28 01:55 . 2010-08-28 01:55 -------- d-----w- c:\program files\Avira

2010-08-28 01:55 . 2010-08-28 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-08-27 20:36 . 2010-08-27 20:36 -------- d-----w- C:\_OTM

2010-08-26 19:02 . 2010-08-26 19:02 -------- d-----w- c:\program files\ESET

2010-08-26 00:48 . 2010-08-26 00:58 -------- d-----w- C:\ERDNT

2010-08-24 23:25 . 2010-08-24 23:25 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert

2010-08-20 00:21 . 2010-08-20 00:21 -------- d--h--w- c:\windows\PIF

2010-08-17 04:57 . 2010-08-17 04:57 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-17 04:09 . 2010-08-17 04:09 -------- d-----w- c:\program files\CCleaner

2010-08-17 04:06 . 2010-08-22 21:42 -------- d-----w- C:\ClamWinPortable

2010-08-16 23:05 . 2009-11-26 06:41 172592 ----a-r- c:\windows\system32\drivers\SymEFA.sys

2010-08-16 23:05 . 2009-11-26 06:41 116272 ----a-r- c:\windows\system32\drivers\Ironx86.sys

2010-08-16 23:05 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\SymDS.sys

2010-08-16 23:05 . 2009-12-09 09:06 501888 ----a-r- c:\windows\system32\drivers\cchpx86.sys

2010-08-16 23:04 . 2010-08-16 23:04 -------- d-----w- c:\program files\Windows Sidebar

2010-08-16 23:04 . 2010-08-25 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-08-16 23:03 . 2010-08-16 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-08-16 17:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-16 17:52 . 2010-08-16 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-16 17:52 . 2010-08-25 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-16 17:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-16 04:55 . 2010-08-16 04:55 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:50 . 2010-08-16 04:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:46 . 2010-08-16 04:46 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:45 . 2010-08-16 04:45 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:40 . 2010-08-16 04:40 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:37 . 2010-08-16 04:37 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:33 . 2010-08-16 04:33 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:31 . 2010-08-16 04:31 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:29 . 2010-08-16 04:29 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:27 . 2010-08-16 04:27 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:25 . 2010-08-16 04:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:23 . 2010-08-16 04:23 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:22 . 2010-08-16 04:22 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:17 . 2010-08-16 04:17 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:16 . 2010-08-16 04:16 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-16 04:13 . 2010-08-16 04:13 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:09 . 2010-08-16 04:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 04:08 . 2010-08-16 04:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:51 . 2010-08-16 03:51 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:50 . 2010-08-16 03:50 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:48 . 2010-08-16 03:48 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:46 . 2010-08-16 03:46 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:44 . 2010-08-16 03:44 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:42 . 2010-08-16 03:42 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:25 . 2010-08-16 03:25 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:20 . 2010-08-16 03:20 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:19 . 2010-08-16 03:19 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:15 . 2010-08-16 03:15 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:12 . 2010-08-16 03:12 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:09 . 2010-08-16 03:09 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:08 . 2010-08-16 03:08 -------- d-----w- c:\windows\system32\????@backup.vpn_client.co

2010-08-16 03:02 . 2010-08-16 03:02 -------- d-----w- c:\windows\system32\??@backup.vpn_client.co

2010-08-06 23:40 . 2010-08-21 01:45 -------- d-----w- C:\NSS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-29 15:24 . 2008-12-25 18:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-08-28 05:32 . 2005-02-22 12:06 160344 ----a-w- c:\windows\system32\FNTCACHE.DAT

2010-08-25 18:28 . 2006-02-18 03:47 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-08-24 00:22 . 2006-02-18 04:12 -------- d-----w- c:\program files\Steam

2010-08-22 16:22 . 2006-10-09 03:52 -------- d-----w- c:\program files\Winamp

2010-08-22 16:20 . 2007-05-27 04:33 -------- d-----w- c:\program files\Starcraft

2010-08-22 16:19 . 2006-02-25 21:37 -------- d-----w- c:\program files\Return to Castle Wolfenstein

2010-08-22 16:18 . 2010-06-18 05:03 -------- d-----w- c:\program files\Realtek AC97

2010-08-22 16:18 . 2006-04-04 01:51 -------- d-----w- c:\program files\mobile PhoneTools

2010-08-22 16:18 . 2009-09-17 01:50 -------- d-----w- c:\program files\Microsoft

2010-08-22 16:18 . 2007-11-15 20:25 -------- d-----w- c:\program files\LG PC Suite 2

2010-08-22 16:17 . 2008-09-13 06:13 -------- d-----w- c:\program files\Proxifier

2010-08-22 16:17 . 2007-04-04 16:48 -------- d-----w- c:\program files\PowerPoint Viewer

2010-08-22 16:01 . 2006-09-08 01:13 -------- d-----w- c:\program files\DVD Decrypter

2010-08-22 15:56 . 2006-03-15 02:12 -------- d-----w- c:\program files\Doom 3

2010-08-22 15:53 . 2006-07-23 05:47 -------- d-----w- c:\program files\Common Files\Ntreev

2010-08-22 15:53 . 2007-06-05 01:36 -------- d-----w- c:\program files\BitTorrent

2010-08-22 15:52 . 2006-02-25 21:08 -------- d-----w- c:\program files\Quake III Arena

2010-08-17 19:49 . 2007-04-22 03:28 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

2010-08-08 07:08 . 2010-06-06 02:05 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-25 21:25 . 2010-02-16 03:34 256 ----a-w- c:\windows\system32\pool.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-25 122939]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [6/1/2004 5:02 AM 6016]

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/12/2004 2:01 AM 97408]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/27/2010 9:55 PM 135336]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

.

.

------- Supplementary Scan -------

.

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ddqu81zm.default\

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-31 13:45

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(456)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-08-31 13:48:03

ComboFix-quarantined-files.txt 2010-08-31 17:48

ComboFix2.txt 2010-08-30 15:46

ComboFix3.txt 2010-08-30 03:49

Pre-Run: 57,799,602,176 bytes free

Post-Run: 57,793,597,440 bytes free

- - End Of File - - A93C1A5875F5131CF1DEB56536011D70

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Aug 26 18:09:48 2010

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_10

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_11

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_15

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_16

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_17

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_19

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_20

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\JavaPlugin.160_10

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_10

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_10

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: Software\Classes\JavaPlugin.160_10

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_10

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_10

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}


JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Aug 26 19:55:15 2010

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Fri Aug 27 09:58:10 2010

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Aug 28 06:03:42 2010

------------------------------------

Finished reporting.

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Aug 31 13:55:58 2010

------------------------------------

Finished reporting.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 1:57:30 PM, on 8/31/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\npkcmsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\msiexec.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll

O14 - IERESET.INF: START_PAGE_URL=http://sys.us.shuttle.com

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

--

End of file - 4307 bytes


STEP 01

Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup235_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS including your Web Browser
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts
  • Then click on the TOOLS button and on the right side click the Uninstall button and locate the programs listed that give you an error removing and Delete the entry.

STEP 02

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from here
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say NO to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 03

Please download and run this program: Dial-a-fix

Pretty much check everything and have it repair it.

[screenshot: dialafix.png]

STEP 04

Please download the following Service Pack 3 installer for Windows XP and then disable your Anti-Virus and run the SP3 update.

Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers

Then post back when the above steps have been completed please.


Hi, I've followed all the steps for step one and I've downloaded all the programs for the rest of the steps. I just wanted to ask if I could continue after this step. You said to locate the programs I had errors removing and delete the entry. However, when I try to delete Java 6 Update 10 I get this error: "Can not delete MSI installer". Should I proceed with the rest of the steps regardless?


Yes, please go ahead and proceed. We may have to do some manual registry cleanup but let's see how the other stuff works out and tackle that when we need to.


Please open REGEDIT and search for JAVA

Then right click and copy the key name for any locations found and save them to notepad and post the key path names back here please.

Hopefully it shouldn't be too many. If it starts to be more than a dozen let me know.


I don't know if I did it correctly, but here are some of my results:

HKEY_CLASSES_ROOT\.java

HKEY_CLASSES_ROOT\.jnlp

HKEY_CLASSES_ROOT\CLSID\{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}

HKEY_CLASSES_ROOT\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\ProgID

HKEY_CLASSES_ROOT\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\VersionIndependentProgID

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0013-0001-FFFF-ABCDEFFEDCBA}

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0013-0001-FFFF-ABCDEFFEDCBA}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}

HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}\InprocServer32

I stopped after 16


Hmm, let me review some other tools for this. Make sure you do not include anything with MS or Microsoft in it, or Javascript. Java and Javascript are very different animals.

While I research another tool please scan with DDS again and post back the new logs.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Oh okay got it, here are my logs ;) :

DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 2:28:16.50 on Thu 09/02/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_10

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.281 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\npkcmsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [soundMan] SOUNDMAN.EXE

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Notify: AtiExtEvent - Ati2evxx.dll

LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ddqu81zm.default\

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2004-6-1 6016]

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-5-12 97408]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-27 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-27 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-27 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-27 60936]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-09-01 21:20:03 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-09-01 21:12:59 32866 ------w- c:\windows\slrundll.exe

2010-09-01 21:12:59 0 d-----w- c:\windows\system32\scripting

2010-09-01 21:12:58 0 d-----w- c:\windows\l2schemas

2010-09-01 21:12:57 0 d-----w- c:\windows\system32\en

2010-09-01 21:12:57 0 d-----w- c:\windows\system32\bits

2010-09-01 21:10:27 0 d-----w- c:\windows\ServicePackFiles

2010-09-01 21:10:03 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe

2010-09-01 21:04:15 19569 ----a-w- c:\windows\002621_.tmp

2010-09-01 21:03:59 26488 ----a-w- c:\windows\system32\spupdsvc.exe

2010-09-01 21:01:00 0 d-----w- c:\windows\EHome

2010-08-29 16:14:41 0 d-sha-r- C:\cmdcons

2010-08-29 16:12:23 98816 ----a-w- c:\windows\sed.exe

2010-08-29 16:12:23 77312 ----a-w- c:\windows\MBR.exe

2010-08-29 16:12:23 256512 ----a-w- c:\windows\PEV.exe

2010-08-29 16:12:23 161792 ----a-w- c:\windows\SWREG.exe

2010-08-28 01:55:51 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-28 01:55:50 0 d-----w- c:\program files\Avira

2010-08-28 01:55:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-08-27 20:36:37 0 d-----w- C:\_OTM

2010-08-26 19:02:33 0 d-----w- c:\program files\ESET

2010-08-24 23:51:27 0 d-----w- c:\windows\pss

2010-08-20 00:21:00 0 d--h--w- c:\windows\PIF

2010-08-17 04:57:26 0 d-----w- c:\windows\system32\?

Attach.zip


Please open REGEDIT and browse to this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Then export it and save it as a HIVE using the drop-down list. Then zip up the file and attach it to your next reply if it's not too large. If it's too large to post then use some site like rapidshare.com to post it and send me a link to it.
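As an added example (my own script, not the helper's tooling and not part of the thread), here is an offline way to do what the two registry steps ask for by hand: it reads the Uninstall key exported as a text .reg file (an assumption; the post asks for a hive), flags Java entries whose MSI install folder is gone, and decodes the CAFEEFAC plug-in CLSIDs a REGEDIT search for JAVA turns up into Java versions. The CLSID-to-version decoding is inferred from the DDS log above pairing {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} with BrowserJavaVersion 1.6.0_10 and is an assumption; the sample export and its product code are constructed.

```python
"""Offline triage of a Windows registry export for leftover Java entries.

Added helper for the two registry steps in this thread (searching REGEDIT for
JAVA keys, exporting the Uninstall key). It reads the Uninstall key exported
as a *text* .reg file (assumption: not the binary hive the post asks for),
decodes Java Plug-in CLSIDs to versions, and flags orphaned MSI entries."""
import os
import re
from typing import Callable, Dict, List, Optional

# Java Plug-in CLSIDs share the CAFEEFAC-...-ABCDEFFEDCBA/B skeleton and carry
# the version in the three middle groups. The decoding is INFERRED from this
# thread's own logs, which pair {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} with
# BrowserJavaVersion 1.6.0_10; treat it as an assumption, not a documented format.
JAVA_CLSID_RE = re.compile(
    r"\{CAFEEFAC-(?P<fam>[0-9A-F]{4})-(?P<minor>[0-9A-F]{4})-"
    r"(?P<upd>[0-9A-F]{4})-ABCDEFFEDCB[AB]\}", re.IGNORECASE)
# One "name"="string" line of a .reg export (REG_SZ only; dword:/hex: are skipped).
REG_SZ_LINE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def decode_java_clsid(text: str) -> Optional[str]:
    """Return the Java version encoded in the first plug-in CLSID in text, else None."""
    m = JAVA_CLSID_RE.search(text)
    if not m:
        return None
    fam, minor, upd = m.group("fam"), m.group("minor"), m.group("upd")
    if not (fam.isdigit() and minor.isdigit()):
        return None
    base = f"{fam[2]}.{fam[3]}.{int(minor)}"  # "0016","0000" -> "1.6.0"
    if upd.upper() == "FFFF":                  # FFFF: whole version family
        return base + "_*"
    return f"{base}_{int(upd):02d}" if upd.isdigit() else None

def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = REG_SZ_LINE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        current[name] = _unescape(m.group(2))
    return keys

def find_orphaned_java_uninstall_entries(
        keys: Dict[str, Dict[str, str]],
        dir_exists: Callable[[str], bool] = os.path.isdir) -> List[dict]:
    """Flag Java entries whose UninstallString names an MSI product code but
    whose InstallLocation is blank or no longer on disk."""
    findings = []
    for path, values in keys.items():
        name = values.get("DisplayName", "")
        if "java" not in name.lower():
            continue
        product = re.search(r"\{[0-9A-F-]{36}\}", values.get("UninstallString", ""), re.I)
        location = values.get("InstallLocation", "")
        findings.append({
            "key": path, "display_name": name,
            "msi_product_code": product.group(0) if product else None,
            "install_location": location,
            "orphaned": bool(product) and (not location or not dir_exists(location)),
        })
    return findings

# Constructed sample export (not from the thread); the product code is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555610}]
"DisplayName"="Java(TM) 6 Update 10"
"UninstallString"="MsiExec.exe /X{11111111-2222-3333-4444-555555555610}"
"InstallLocation"="C:\\Program Files\\Java\\jre6\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner]
"DisplayName"="CCleaner"
"UninstallString"="\"C:\\Program Files\\CCleaner\\uninst.exe\""
'''

if __name__ == "__main__":
    present = {"C:\\Program Files\\CCleaner"}  # pretend only CCleaner's folder survives
    for f in find_orphaned_java_uninstall_entries(parse_reg_export(SAMPLE_REG), present.__contains__):
        print(f)
    print(decode_java_clsid(r"HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0013-0001-FFFF-ABCDEFFEDCBA}"))
```

On a real machine, pass the default os.path.isdir so the orphan check looks at the actual disk; an entry reported as orphaned is the one MSI still believes is installed and will refuse to remove or overwrite.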

This topic is now closed to further replies.