
Two rundll32.exe processes [Solved]



#16 Aravinth (Member, Topic Starter, 36 posts)
Hi Handhfan,

Combofix.txt


ComboFix 09-03-27.02 - Ar@vinth 2009-03-28 23:00:40.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1357 [GMT 3:00]
Running from: c:\documents and settings\Ar@vinth\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\system\S-1-5-21-1482476501-1644491937-682003330-1013
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\system32\_000005_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PCIDump


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-28 17:27 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-28 17:20 . 2009-03-28 17:20 <DIR> d-------- c:\program files\Panda Security
2009-03-27 09:49 . 2009-03-28 23:08 85,254,176 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-27 09:49 . 2009-03-28 23:03 1,001,204 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-26 11:54 . 2008-07-08 13:54 148,496 --a------ c:\windows\system32\drivers\56228582.sys
2009-03-26 08:55 . 2009-03-26 11:43 664 --a------ c:\windows\system32\d3d9caps.dat
2009-03-24 21:21 . 2009-03-24 21:21 <DIR> d-------- C:\_OTListIt
2009-03-22 15:30 . 2009-03-28 22:46 <DIR> d-------- c:\documents and settings\Ar@vinth\Tracing
2009-03-22 14:43 . 2009-03-22 14:43 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-03-22 14:43 . 2009-02-06 18:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-03-22 14:42 . 2009-03-22 14:42 <DIR> d-------- c:\program files\Microsoft Sync Framework
2009-03-22 14:42 . 2009-03-22 14:42 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-03-22 14:42 . 2009-03-22 14:42 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-03-22 14:40 . 2009-03-22 14:40 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-22 14:40 . 2009-03-22 14:43 <DIR> d-------- c:\program files\Microsoft
2009-03-22 13:21 . 2009-03-22 13:21 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-22 07:33 . 2009-03-22 07:34 <DIR> d-------- C:\Rooter$
2009-03-21 09:43 . 2009-03-21 09:43 <DIR> d--hs---- c:\documents and settings\Ar@vinth\IECompatCache
2009-03-21 09:42 . 2009-03-21 09:42 <DIR> d--hs---- c:\documents and settings\Ar@vinth\PrivacIE
2009-03-21 09:41 . 2009-03-21 09:41 <DIR> d--hs---- c:\documents and settings\Ar@vinth\IETldCache
2009-03-21 09:34 . 2009-03-21 09:34 <DIR> d-------- c:\windows\ie8updates
2009-03-21 09:33 . 2009-03-21 09:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-21 09:31 . 2009-03-21 09:33 <DIR> d--h-c--- c:\windows\ie8
2009-03-21 09:29 . 2009-02-28 07:55 105,984 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-03-21 00:02 . 2009-03-21 00:02 <DIR> d-------- c:\windows\Google Earth Pro 4.2
2009-03-20 17:05 . 2009-03-20 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ubisoft
2009-03-18 18:19 . 2009-03-18 18:19 244 --ah----- C:\sqmnoopt03.sqm
2009-03-18 18:19 . 2009-03-18 18:19 232 --ah----- C:\sqmdata03.sqm
2009-03-10 08:14 . 2009-03-28 18:06 <DIR> d-------- C:\Splinter Cell
2009-03-09 15:55 . 2008-04-14 00:16 37,888 --a------ c:\windows\system32\drivers\bthmodem.sys
2009-03-09 15:55 . 2008-04-14 00:16 37,888 --a--c--- c:\windows\system32\dllcache\bthmodem.sys
2009-03-09 00:56 . 2009-03-15 14:11 <DIR> d-------- c:\windows\system32\Adobe
2009-03-08 20:22 . 2009-03-08 20:22 <DIR> d-------- c:\documents and settings\Ar@vinth\Application Data\PowerChallenge
2009-03-08 20:17 . 2009-03-08 20:17 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-08 14:22 . 2009-03-08 14:22 1,241,088 --------- c:\windows\system32\ieframe.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --------- c:\windows\system32\iedkcs32.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 19:52 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-28 13:14 --------- d-----w c:\program files\Nokia
2009-03-28 13:10 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-27 19:14 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\uTorrent
2009-03-26 13:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 13:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-22 11:43 --------- d-----w c:\program files\Windows Live
2009-03-22 04:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 04:27 --------- d-----w c:\program files\AGEIA Technologies
2009-03-21 06:33 --------- d-----w c:\program files\Yahoo!
2009-03-21 06:33 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\yahoo!
2009-03-21 06:33 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-20 14:33 --------- d-----w c:\program files\Google
2009-03-08 17:29 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\Skype
2009-03-08 17:17 --------- d-----w c:\program files\Java
2009-03-08 15:46 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\skypePM
2009-03-07 11:13 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\Apple Computer
2009-03-07 06:16 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\dvdcss
2009-02-24 22:14 --------- d-----w c:\program files\Messenger Plus! Live
2009-02-10 16:50 --------- d-----w c:\program files\CPA Test Prep
2009-02-09 18:18 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-06 16:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-01 19:25 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-22 08:24 3,416 ----a-w c:\windows\inf\jlt3c.zip
2007-09-05 08:02 90,112 ----a-w c:\windows\inf\hasc.exe
2007-09-05 08:02 61,440 ----a-w c:\windows\inf\ctcr.exe
2007-09-05 08:02 31,744 ----a-w c:\windows\inf\ritu.exe
2005-03-17 13:40 531,284 ----a-w c:\windows\inf\printer.exe
2008-07-16 11:52 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-07-16 11:52 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-07-16 11:52 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071620080717\index.dat
2008-07-16 11:52 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-16 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 c:\windows\system32\advpack.dll]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 18:02 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 07:54 133104 c:\documents and settings\Ar@vinth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 17:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2009-02-06 18:51 3885408 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-01-29 17:47 16859648 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Tally License Server"=2 (0x2)
"mi-raysat_3dsmax9_32"=2 (0x2)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Autodesk\\Maya 8.5 Personal Learning Edition\\bin\\maya.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Ar@vinth\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Chaos Group\\V-Ray\\3dsmax R9 for x86\\vrlserver.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\googleearth.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-28 28544]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-03-13 33800]
R1 is-EF1JAdrv;is-EF1JAdrv;c:\windows\system32\drivers\56228582.sys [2009-03-26 148496]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-03-22 55152]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
R3 iadusb;Conexant USB IAD LAN Modem;c:\windows\system32\drivers\glauiad.sys [2008-12-07 30336]
S0 oxcbnuz;oxcbnuz;c:\windows\system32\drivers\fomhf.sys --> c:\windows\system32\drivers\fomhf.sys [?]
S2 EsetNod32Fix;Nod32 AV;c:\windows\regedit.exe [2008-04-14 146432]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S4 Tally License Server;Tally License Server (NT);c:\tally\tallylicserver.exe -s --> c:\tally\tallylicserver.exe -s [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Ar@vinth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 07:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ar@vinth\Application Data\Mozilla\Firefox\Profiles\zeoourzw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Ar@vinth\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 23:08:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-1844237615-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:12,81,b0,c1,04,9e,94,a1,8f,20,ea,37,96,d6,42,94,70,f7,91,13,be,f8,b4,
8c,71,80,71,71,aa,a1,48,b4,92,2c,1b,60,d6,ac,d7,1d,ef,18,cc,9c,17,fd,c8,e6,\
"??"=hex:0a,ad,90,f0,65,3c,48,de,9a,dd,e5,c4,ed,13,f0,dd

[HKEY_USERS\S-1-5-21-436374069-1844237615-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:db,56,93,01,27,59,7e,b9,1b,73,33,5b,d9,5b,02,d3,be,57,ff,1c,5f,
6a,f4,b4,1a,08,34,a9,42,01,5c,9e,cc,91,04,b2,65,4a,06,f2,1a,39,f3,60,c4,40,\
"rkeysecu"=hex:64,3d,37,65,79,98,97,34,7f,6d,a2,b8,45,60,3c,d4
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-28 23:11:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 20:11:30
ComboFix2.txt 2008-11-08 19:12:33

Pre-Run: 1,124,466,688 bytes free
Post-Run: 1,074,081,792 bytes free

282 --- E O F --- 2009-03-28 19:53:31

#17 Aravinth (Member, Topic Starter, 36 posts)
Hi Handhfan,

I want to know whether I could delete the folders that OTList, Rooter and Combofix put onto my computer.

Folder names

_OTListIt
Combofix (empty)
Rooter$
Qoobox


Thanks

#18 handhfan (Trusted Helper, Expert, 13,659 posts)
Not quite yet. We will still be needing these tools. At the end of this topic, we will clean everything up as well as give prevention tips. :)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
oxcbnuz

File::
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
c:\windows\system32\drivers\fomhf.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]

Reboot::



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


Please post the new ComboFix log in your next reply.

#19 Aravinth (Member, Topic Starter, 36 posts)
Hi Handhfan,


ComboFix 09-03-29.04 - Ar@vinth 2009-03-31 0:03:32.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.902 [GMT 3:00]
Running from: c:\documents and settings\Ar@vinth\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ar@vinth\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
* Resident AV is active


FILE ::
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
c:\windows\system32\drivers\fomhf.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_oxcbnuz


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-30 10:03 . 2009-03-30 10:03 <DIR> d-------- c:\documents and settings\Ar@vinth\Application Data\vlc
2009-03-29 11:22 . 2009-03-29 11:22 <DIR> d-------- c:\program files\Common Files\xing shared
2009-03-28 17:27 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-28 17:20 . 2009-03-28 17:20 <DIR> d-------- c:\program files\Panda Security
2009-03-27 09:49 . 2009-03-31 00:09 183,273,504 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-27 09:49 . 2009-03-31 00:07 2,150,132 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-26 11:54 . 2008-07-08 13:54 148,496 --a------ c:\windows\system32\drivers\56228582.sys
2009-03-26 08:55 . 2009-03-26 11:43 664 --a------ c:\windows\system32\d3d9caps.dat
2009-03-24 21:21 . 2009-03-24 21:21 <DIR> d-------- C:\_OTListIt
2009-03-22 15:30 . 2009-03-30 22:56 <DIR> d-------- c:\documents and settings\Ar@vinth\Tracing
2009-03-22 14:43 . 2009-03-22 14:43 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-03-22 14:43 . 2009-02-06 18:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-03-22 14:42 . 2009-03-22 14:42 <DIR> d-------- c:\program files\Microsoft Sync Framework
2009-03-22 14:42 . 2009-03-22 14:42 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-03-22 14:42 . 2009-03-22 14:42 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-03-22 14:40 . 2009-03-22 14:40 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-22 14:40 . 2009-03-22 14:43 <DIR> d-------- c:\program files\Microsoft
2009-03-22 13:21 . 2009-03-22 13:21 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-22 07:33 . 2009-03-22 07:34 <DIR> d-------- C:\Rooter$
2009-03-21 09:43 . 2009-03-21 09:43 <DIR> d--hs---- c:\documents and settings\Ar@vinth\IECompatCache
2009-03-21 09:42 . 2009-03-21 09:42 <DIR> d--hs---- c:\documents and settings\Ar@vinth\PrivacIE
2009-03-21 09:41 . 2009-03-21 09:41 <DIR> d--hs---- c:\documents and settings\Ar@vinth\IETldCache
2009-03-21 09:34 . 2009-03-21 09:34 <DIR> d-------- c:\windows\ie8updates
2009-03-21 09:33 . 2009-03-21 09:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-21 09:31 . 2009-03-21 09:33 <DIR> d--h-c--- c:\windows\ie8
2009-03-21 09:29 . 2009-02-28 07:55 105,984 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-03-21 00:02 . 2009-03-21 00:02 <DIR> d-------- c:\windows\Google Earth Pro 4.2
2009-03-20 17:05 . 2009-03-20 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ubisoft
2009-03-18 18:19 . 2009-03-18 18:19 244 --ah----- C:\sqmnoopt03.sqm
2009-03-18 18:19 . 2009-03-18 18:19 232 --ah----- C:\sqmdata03.sqm
2009-03-10 08:14 . 2009-03-28 18:06 <DIR> d-------- C:\Splinter Cell
2009-03-09 15:55 . 2008-04-14 00:16 37,888 --a------ c:\windows\system32\drivers\bthmodem.sys
2009-03-09 15:55 . 2008-04-14 00:16 37,888 --a--c--- c:\windows\system32\dllcache\bthmodem.sys
2009-03-09 00:56 . 2009-03-15 14:11 <DIR> d-------- c:\windows\system32\Adobe
2009-03-08 20:22 . 2009-03-08 20:22 <DIR> d-------- c:\documents and settings\Ar@vinth\Application Data\PowerChallenge
2009-03-08 20:17 . 2009-03-08 20:17 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-08 14:22 . 2009-03-08 14:22 1,241,088 --------- c:\windows\system32\ieframe.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --------- c:\windows\system32\iedkcs32.dll.mui
2009-02-20 16:06 . 2009-03-19 21:47 <DIR> d-------- C:\Downloads
2009-02-16 17:21 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-12 22:20 . 2009-02-12 22:20 5,630 --------- c:\windows\system32\IE8Eula.rtf
2009-02-06 19:03 . 2009-02-06 19:03 307,576 --a------ c:\windows\WLXPGSS.SCR
2009-02-06 18:52 . 2009-02-06 18:52 49,504 --a------ c:\windows\system32\sirenacm.dll
2009-02-01 22:25 . 2009-03-29 15:03 <DIR> d-------- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 14:49 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\uTorrent
2009-03-29 11:59 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-29 08:22 --------- d-----w c:\program files\Common Files\Real
2009-03-29 08:21 --------- d-----w c:\program files\Google
2009-03-28 13:14 --------- d-----w c:\program files\Nokia
2009-03-28 13:10 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-26 13:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 13:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-22 11:43 --------- d-----w c:\program files\Windows Live
2009-03-22 04:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 04:27 --------- d-----w c:\program files\AGEIA Technologies
2009-03-21 06:33 --------- d-----w c:\program files\Yahoo!
2009-03-21 06:33 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\yahoo!
2009-03-21 06:33 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-08 17:29 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\Skype
2009-03-08 17:17 --------- d-----w c:\program files\Java
2009-03-08 15:46 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\skypePM
2009-03-07 11:13 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\Apple Computer
2009-03-07 06:16 --------- d-----w c:\documents and settings\Ar@vinth\Application Data\dvdcss
2009-02-24 22:14 --------- d-----w c:\program files\Messenger Plus! Live
2009-02-10 16:50 --------- d-----w c:\program files\CPA Test Prep
2009-02-09 18:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-07-16 11:52 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-07-16 11:52 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-07-16 11:52 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071620080717\index.dat
2008-07-16 11:52 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-28_23.10.48.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
- 2008-11-15 10:10:07 1,257,472 -c--a-w c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-03-29 11:58:08 1,265,664 ----a-w c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-11-15 10:10:09 1,224,704 ----a-w c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-03-29 11:58:09 1,232,896 ----a-w c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2009-03-29 11:58:47 118,784 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_26e50715\CustomMarshalers.dll
+ 2009-03-29 11:58:22 61,440 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_cbb7496a\CustomMarshalers.dll
+ 2009-03-29 11:58:40 3,391,488 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_2caee6a2\mscorlib.dll
+ 2009-03-29 11:59:01 8,908,800 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_f6b41b84\mscorlib.dll
+ 2009-03-29 11:58:57 3,395,584 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_32cd49ef\System.Design.dll
+ 2009-03-29 11:58:36 1,470,464 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_4f6466d1\System.Design.dll
+ 2009-03-29 11:58:50 192,512 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_46eac755\System.Drawing.Design.dll
+ 2009-03-29 11:58:23 90,112 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_febea530\System.Drawing.Design.dll
+ 2009-03-29 11:58:58 2,244,608 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_aa692761\System.Drawing.dll
+ 2009-03-29 11:58:38 835,584 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_c3bba77f\System.Drawing.dll
+ 2009-03-29 11:58:53 7,884,800 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_44e066c7\System.Windows.Forms.dll
+ 2009-03-29 11:58:27 3,018,752 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_747442bc\System.Windows.Forms.dll
+ 2009-03-29 11:58:32 2,088,960 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_33ee0bf0\System.Xml.dll
+ 2009-03-29 11:58:56 5,513,216 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_b64ae5c3\System.Xml.dll
+ 2009-03-29 11:58:19 1,966,080 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_a781e3d6\System.dll
+ 2009-03-29 11:58:46 4,788,224 ----a-w c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_b06042ef\System.dll
- 2008-04-23 16:17:20 315,904 ----a-w c:\windows\inf\unregmp2.exe
+ 2007-06-26 19:10:26 317,440 ----a-w c:\windows\inf\unregmp2.exe
+ 2006-10-27 12:16:36 46,864 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLRPC.DLL
- 2009-03-28 19:51:48 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-29 11:59:40 1,165,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2009-03-28 19:51:48 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-03-29 11:59:40 20,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-03-28 19:51:48 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-03-29 11:59:40 159,504 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2009-03-28 19:51:48 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-03-29 11:59:40 184,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-03-28 19:51:48 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-03-29 11:59:40 217,864 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-03-28 19:51:49 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-03-29 11:59:40 18,704 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-03-28 19:51:49 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-03-29 11:59:40 35,088 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-03-28 19:51:48 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-03-29 11:59:40 845,584 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-03-28 19:51:48 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-03-29 11:59:40 922,384 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-03-28 19:51:48 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-03-29 11:59:40 272,648 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-03-28 19:51:49 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-03-29 11:59:40 888,080 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-03-28 19:51:48 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-03-29 11:59:40 1,172,240 ----a-r c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2004-07-14 22:49:16 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2007-04-13 18:30:52 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-07-14 22:49:22 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2007-04-13 18:30:52 32,768 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2004-07-14 21:32:22 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2007-04-13 17:57:52 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-20 16:09:14 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2007-04-13 17:57:58 86,016 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2004-07-14 21:25:06 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2007-04-13 17:56:30 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-14 21:33:04 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2007-04-13 17:58:00 102,400 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2004-07-15 11:29:02 2,138,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2007-04-13 17:50:46 2,142,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-20 16:09:18 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2007-04-13 17:58:02 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2004-07-14 21:26:52 2,510,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2007-04-13 17:57:00 2,523,136 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2004-07-14 21:28:34 2,502,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-04-13 17:57:28 2,514,944 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2004-08-10 13:20:00 106,496 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2007-01-15 13:11:26 73,728 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2004-07-14 22:49:16 258,048 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_aspnet_isapi.dll
+ 2004-07-14 21:32:22 81,920 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_CORPerfMonExt.dll
+ 2004-07-14 21:24:30 282,624 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_fusion.dll
+ 2004-07-14 21:25:06 315,392 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_mscorjit.dll
+ 2004-07-15 11:29:02 2,138,112 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_mscorlib.dll
+ 2003-02-20 16:09:18 77,824 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_mscorsn.dll
+ 2004-07-14 21:26:52 2,510,848 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_mscorsvr.dll
+ 2004-07-14 21:28:34 2,502,656 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_mscorwks.dll
+ 2003-02-21 01:42:22 348,160 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_msvcr71.dll
+ 2004-07-14 21:34:50 94,208 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\SHADOW2696\_PerfCounter.dll
- 2004-07-15 11:31:16 1,224,704 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2007-04-13 18:35:38 1,232,896 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2004-07-15 11:29:00 1,257,472 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2007-04-13 18:35:46 1,265,664 ----a-w c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2008-04-23 16:17:16 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-17 22:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2008-04-14 02:42:06 144,384 -c--a-w c:\windows\system32\dllcache\schannel.dll
+ 2008-12-05 06:54:55 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll
- 2008-04-23 16:17:20 315,904 -c--a-w c:\windows\system32\dllcache\unregmp2.exe
+ 2007-06-26 19:10:26 317,440 -c--a-w c:\windows\system32\dllcache\unregmp2.exe
- 2008-04-23 16:17:23 937,984 -c--a-w c:\windows\system32\dllcache\wmnetmgr.dll
+ 2008-06-18 02:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2007-06-11 20:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 15:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2008-04-23 16:17:47 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 02:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-04-23 16:17:16 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-17 22:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2005-09-23 04:28:52 270,848 ----a-w c:\windows\system32\mscoree.dll
+ 2006-12-22 09:28:14 271,360 ----a-w c:\windows\system32\mscoree.dll
- 2005-09-23 04:29:00 6,144 -c--a-w c:\windows\system32\mui\0409\mscorees.dll
+ 2006-12-22 10:02:36 6,144 ----a-w c:\windows\system32\mui\0409\mscorees.dll
- 2008-07-16 09:35:41 278,528 ----a-w c:\windows\system32\pncrt.dll
+ 2009-03-29 08:22:13 278,528 ----a-w c:\windows\system32\pncrt.dll
- 2008-07-16 09:35:42 6,656 ----a-w c:\windows\system32\pndx5016.dll
+ 2009-03-29 08:22:16 6,656 ----a-w c:\windows\system32\pndx5016.dll
- 2008-07-16 09:35:42 5,632 ----a-w c:\windows\system32\pndx5032.dll
+ 2009-03-29 08:22:16 5,632 ----a-w c:\windows\system32\pndx5032.dll
- 2008-07-16 09:35:44 185,944 ----a-w c:\windows\system32\rmoc3260.dll
+ 2009-03-29 08:22:27 185,920 ----a-w c:\windows\system32\rmoc3260.dll
- 2008-04-14 02:42:06 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-07-11 12:42:28 62,976 ----a-w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2008-04-23 16:17:23 937,984 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2008-06-18 02:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2007-06-11 20:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 15:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
- 2008-04-23 16:17:47 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 02:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
+ 2009-03-30 21:08:07 16,384 ----atw c:\windows\temp\Perflib_Perfdata_740.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-29 198160]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 c:\windows\system32\advpack.dll]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 18:02 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 07:54 133104 c:\documents and settings\Ar@vinth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 17:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2009-02-06 18:51 3885408 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-01-29 17:47 16859648 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Tally License Server"=2 (0x2)
"mi-raysat_3dsmax9_32"=2 (0x2)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"SeaPort"=2 (0x2)
"YahooAUService"=2 (0x2)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Autodesk\\Maya 8.5 Personal Learning Edition\\bin\\maya.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Ar@vinth\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Chaos Group\\V-Ray\\3dsmax R9 for x86\\vrlserver.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\googleearth.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-28 28544]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-03-13 33800]
R1 is-EF1JAdrv;is-EF1JAdrv;c:\windows\system32\drivers\56228582.sys [2009-03-26 148496]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-03-22 55152]
R3 iadusb;Conexant USB IAD LAN Modem;c:\windows\system32\drivers\glauiad.sys [2008-12-07 30336]
S2 EsetNod32Fix;Nod32 AV;c:\windows\regedit.exe [2008-04-14 146432]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S4 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S4 Tally License Server;Tally License Server (NT);c:\tally\tallylicserver.exe -s --> c:\tally\tallylicserver.exe -s [?]
S4 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94407039-f861-11dd-968c-000138825422}]
\Shell\AutoRun\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
\Shell\open\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-30 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Ar@vinth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 07:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ar@vinth\Application Data\Mozilla\Firefox\Profiles\zeoourzw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Ar@vinth\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 00:09:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-1844237615-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:12,81,b0,c1,04,9e,94,a1,8f,20,ea,37,96,d6,42,94,70,f7,91,13,be,f8,b4,
8c,71,80,71,71,aa,a1,48,b4,92,2c,1b,60,d6,ac,d7,1d,ef,18,cc,9c,17,fd,c8,e6,\
"??"=hex:0a,ad,90,f0,65,3c,48,de,9a,dd,e5,c4,ed,13,f0,dd

[HKEY_USERS\S-1-5-21-436374069-1844237615-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:db,56,93,01,27,59,7e,b9,1b,73,33,5b,d9,5b,02,d3,be,57,ff,1c,5f,
6a,f4,b4,1a,08,34,a9,42,01,5c,9e,cc,91,04,b2,65,4a,06,f2,1a,39,f3,60,c4,40,\
"rkeysecu"=hex:64,3d,37,65,79,98,97,34,7f,6d,a2,b8,45,60,3c,d4
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-03-31 0:12:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-30 21:12:02
ComboFix2.txt 2009-03-28 20:11:33
ComboFix3.txt 2008-11-08 19:12:33

Pre-Run: 1,545,953,280 bytes free
Post-Run: 1,592,651,776 bytes free

428 --- E O F --- 2009-03-30 19:48:07

#20
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop, double-click on the download to install the newest version. (Vista users, right-click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")

Please do an online scan with Kaspersky WebScanner

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


#21
Aravinth
    Member
  • Topic Starter
  • Member
  • 36 posts
Hi handhfan


I have updated the Java component as instructed. Thing is, the Kaspersky Online Scanner timed out twice. Could you tell me how to bypass this problem? I have a net connection 24/7, so I do not understand how the connection could time out? :S Thanks man!

#22
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Sometimes Kaspersky's Online scanner gives users trouble. Let's try this instead:

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors
  • My Computer
  • Also any other (removable) drives that you may have


After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, choose Enable Deep rootkit search and click OK.
Then choose OK again and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says it cannot be Neutralized, choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient, like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top, under Detected) in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.



#23
Aravinth
    Member
  • Topic Starter
  • Member
  • 36 posts
Hi handhfan

I had done as instructed, but like last time, the Virus Removal Tool got stuck at a .zip file which is a game rip. So I deleted the file and ran the Virus Removal Tool again. Same result. It always gets stuck at 95% :) Thank you for your patience. I am getting upset about the PC now :) Any advice? Thanks again.

#24
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Did it find any infected files leading up to that 95%?

#25
Aravinth
    Member
  • Topic Starter
  • Member
  • 36 posts
Yes it did. 6 of them. But since the Kaspersky app had stopped responding, I could not neutralise any of the 6. :)

#26
Aravinth
    Member
  • Topic Starter
  • Member
  • 36 posts
Hi handhfan


Please advise if there are any means to get rid of these viruses/malware from my PC. I have run the scan again and it got stuck at 93%. I ended up deleting the .zip file. It was of another game that I had downloaded. Thanks again.

#27
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Let's try this one. If it stalls similarly, just make a note of the file names and where they are located; I'll see if I can get rid of them if they aren't gone.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


#28
Aravinth
    Member
  • Topic Starter
  • Member
  • 36 posts
Hi handhfan


This Dr.Web CureIt is amazing. It ran smoothly and detected lots of trojans etc. I have saved the report and it opens with Excel. I have not closed the Dr.Web CureIt window as yet.


I have attached the file below. Thanks.

ctcr.exe;C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\H-1-9-18\R-1-7-19;Program.PrcView.3725;;
hasc.exe;C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\H-1-9-18\R-1-7-19;Tool.Dasniff;;
printer.pif;C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\H-1-9-18\R-1-7-19;BackDoor.IRC.based;;
ritu.exe;C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\H-1-9-18\R-1-7-19;Tool.PassView;;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Ar@vinth\Desktop\Fix\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Ar@vinth\Desktop\Fix\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Ar@vinth\Desktop\Fix;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Ar@vinth\Desktop\Fix;Container contains infected objects;Moved.;
autoupdate.exe;C:\Program Files\CPA Test Prep;Probably DLOADER.Trojan;;
A0034050.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181\A0034050.exe/data002;Probably BATCH.Virus;;
A0034050.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181\A0034050.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181;Archive contains infected objects;;
A0034050.exe;C:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181;Container contains infected objects;Moved.;
tally72migration.exe;C:\Tally;Probably DLOADER.Trojan;;
ctcr.exe;C:\WINDOWS\inf;Program.PrcView.3725;;
hasc.exe;C:\WINDOWS\inf;Tool.Dasniff;;
printer.exe;C:\WINDOWS\inf;BackDoor.IRC.based;;
ritu.exe;C:\WINDOWS\inf;Tool.PassView;;
ctcr.exe;C:\WINDOWS\system32\dllcache;Program.PrcView.3725;;
hasc.exe;C:\WINDOWS\system32\dllcache;Tool.Dasniff;;
ntprint.exe;C:\WINDOWS\system32\dllcache;BackDoor.IRC.based;;
ritu.exe;C:\WINDOWS\system32\dllcache;Tool.PassView;;
gunral.exe/data002\data004;C:\_OTListIt\MovedFiles\03242009_212154\gunral.exe/data002;Program.PrcView.3725;;
gunral.exe/data002\data005;C:\_OTListIt\MovedFiles\03242009_212154\gunral.exe/data002;IRC.Flood;;
gunral.exe/data002\data006;C:\_OTListIt\MovedFiles\03242009_212154\gunral.exe/data002;Tool.Dasniff;;
gunral.exe/data002\data010;C:\_OTListIt\MovedFiles\03242009_212154\gunral.exe/data002;BackDoor.IRC.based;;
gunral.exe/data002\data012;C:\_OTListIt\MovedFiles\03242009_212154\gunral.exe/data002;Tool.PassView;;
gunral.exe/data002\data013;C:\_OTListIt\MovedFiles\03242009_212154\gunral.exe/data002;IRC.Flood;;
data002;C:\_OTListIt\MovedFiles\03242009_212154;Archive contains infected objects;;
gunral.exe;C:\_OTListIt\MovedFiles\03242009_212154;Container contains infected objects;Moved.;
funny_display_pack.exe/data001/setup.zip\164;E:\3\Softwares\Unnecessary\funny_display_pack.exe/data001/setup.zip;Adware.SearchTwo.38;;
setup.zip;E:\3\Softwares\Unnecessary;Archive contains infected objects;;
data001;E:\3\Softwares\Unnecessary;Container contains infected objects;;
funny_display_pack.exe;E:\3\Softwares\Unnecessary;Container contains infected objects;Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;E:\3\Softwares\Fix\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;E:\3\Softwares\Fix\ComboFix.exe/data002;Program.PsExec.171;;
data002;E:\3\Softwares\Fix;Archive contains infected objects;;
ComboFix.exe;E:\3\Softwares\Fix;Container contains infected objects;Moved.;
A0034060.exe/data001/setup.zip\164;E:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181\A0034060.exe/data001/setup.zip;Adware.SearchTwo.38;;
setup.zip;E:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181;Archive contains infected objects;;
data001;E:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181;Container contains infected objects;;

A0034060.exe;E:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181;Container contains infected objects;Moved.;

A0034061.exe/data002\32788R22FWJFW\c.bat;E:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181\A0034061.exe/data002;Probably BATCH.Virus;;

A0034061.exe/data002\32788R22FWJFW\psexec.cfexe;E:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181\A0034061.exe/data002;Program.PsExec.171;;

data002;E:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181;Archive contains infected objects;;

A0034061.exe;E:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181;Container contains infected objects;Moved.;
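An added example, not part of this thread and not a Dr.Web tool: a Python script that reads Dr.Web CureIt!'s semicolon-separated report (object;directory;threat;action;) like the one posted above and sorts the hits into groups so it is clear what still needs action. The three groupings (hits inside ComboFix's own unpack folder, hits inside System Restore points, and live executables sitting in the machine key store, dllcache or the inf folder) are this example's own heuristics; the sample records are copied from the report above.

```python
"""Triage a Dr.Web CureIt! CSV report (fields: object;directory;threat;action;).

Added example, not part of the forum thread. The directory list and the
ComboFix marker are this example's assumptions, not rules from Dr.Web.
"""
import csv
from collections import defaultdict

# Constructed sample: a few records copied from the report in the post above.
SAMPLE_CSV = r'''ctcr.exe;C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\H-1-9-18\R-1-7-19;Program.PrcView.3725;;
printer.pif;C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\H-1-9-18\R-1-7-19;BackDoor.IRC.based;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Ar@vinth\Desktop\Fix\ComboFix.exe/data002;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Ar@vinth\Desktop\Fix;Container contains infected objects;Moved.;
autoupdate.exe;C:\Program Files\CPA Test Prep;Probably DLOADER.Trojan;;
ntprint.exe;C:\WINDOWS\system32\dllcache;BackDoor.IRC.based;;
A0034050.exe;C:\System Volume Information\_restore{13FEC4E7-F064-483D-8DD0-00813CB5A1A7}\RP181;Container contains infected objects;Moved.;
'''

# Bookkeeping rows Dr.Web emits for the archive/container that holds a hit.
CONTAINER_NOTES = ("Container contains infected objects",
                   "Archive contains infected objects")
# ComboFix unpacks into a folder of this name; hits inside it are the tool's
# bundled PsExec and batch files, not an infection (assumption of this example).
COMBOFIX_MARKER = "32788R22FWJFW"
RESTORE_MARKER = r"\System Volume Information\_restore"
# Executables do not belong in the machine key store, dllcache or the inf folder.
ODD_DIRS = (r"\Microsoft\Crypto\RSA\S-1-5-18", r"\system32\dllcache", r"\WINDOWS\inf")


def parse(text):
    """Return one dict per record; the trailing ';' yields an empty 5th field."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter=";"):
        if len(row) < 4:
            continue
        obj, directory, threat, action = (f.strip() for f in row[:4])
        records.append({"object": obj, "dir": directory,
                        "threat": threat, "action": action})
    return records


def classify(rec):
    """Assign a record to one of five buckets, most specific rule first."""
    full = (rec["dir"] + "\\" + rec["object"]).lower()
    if rec["threat"] in CONTAINER_NOTES:
        return "container"          # summary row, not a separate threat
    if COMBOFIX_MARKER.lower() in full:
        return "tool_component"     # expected hit on ComboFix internals
    if RESTORE_MARKER.lower() in full:
        return "restore_point"      # old copy kept by System Restore
    if any(d.lower() in full for d in ODD_DIRS):
        return "suspect_location"   # live file in a directory it should not be in
    return "detection"


def triage(text):
    """Group records by class so the reader sees what still needs action."""
    groups = defaultdict(list)
    for rec in parse(text):
        groups[classify(rec)].append(rec)
    return groups


def moved(text):
    """Outermost objects Dr.Web actually quarantined (action 'Moved.')."""
    return [r for r in parse(text) if r["action"] == "Moved."]


if __name__ == "__main__":
    for cls, recs in triage(SAMPLE_CSV).items():
        print(f"{cls}: {len(recs)}")
        for r in recs:
            print(f"  {r['threat']:<40} {r['dir']}\\{r['object']}")
```

Run `triage()` over the full DrWeb.csv text rather than the sample to get the same grouping for the whole report. Note that in the report above "Moved." appears only on the outermost container row, so the inner rows (the psexec.cfexe and c.bat hits inside ComboFix, the setup.zip entries) are informational: the container was quarantined as a whole.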

#29
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Please post a new OTListIt2 log.

Is your computer running better now?
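An added example, not part of either post and not an OldTimer tool: a Python script that reads the O4 (Run keys), O33 (MountPoints2 autorun) and "Files/Folders - Created Within 30 Days" lines of an OTListIt2 log like the one requested here and posted in the reply that follows, and flags the entries a helper would look at first. The three rules (a Run entry with no publisher, a Run entry whose target file was created within the log's 30-day window, and any MountPoints2 AutoRun/open command) are this example's own heuristics; the sample lines are copied from that log.

```python
"""Flag autostart entries in an OTListIt2 log that deserve a closer look.

Added example, not part of the thread and not an OldTimer tool. The three
rules applied here are this example's own heuristics.
"""
import re

# Constructed sample: lines copied from the OTListIt2 log posted in this thread.
SAMPLE_OTL = r'''O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" ()
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKCU..\Run: [RGSC] F:\Program Files\Rockstar Games\Grand Theft Auto IV\Rockstar Games Social Club\RGSCLauncher.exe /silent (Take-Two Interactive Software, Inc.)
O4 - HKCU..\Run: [Windows] "C:\Windows\System32\windows.exe" ()
O33 - MountPoints2\{94407039-f861-11dd-968c-000138825422}\Shell\AutoRun\command - "" = SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{94407039-f861-11dd-968c-000138825422}\Shell\open\command - "" = SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
[2009/04/17 20:04:48 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ar@vinth\Desktop\OTListIt2.exe
[2009/04/12 21:52:24 | 00,679,936 | ---- | C] () -- C:\WINDOWS\System32\windows.exe
[2009/04/16 11:51:39 | 00,000,000 | ---D | C] -- C:\Splinter Cell
'''

# O4 - HKLM..\Run: [name] command (publisher)
RUN_RE = re.compile(r'^O4 - (HK\w+)\.\.\\Run: \[([^\]]+)\] (.*) \((.*)\)\s*$')
# O33 - MountPoints2\{volume guid}\Shell\<verb>\command - "" = target
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\(\{[^}]+\})\\Shell\\(\w+)\\command - "" = (.+)$')
# [date time | size | attrs | C] (publisher) -- path   (directories lack the parentheses)
CREATED_RE = re.compile(
    r'^\[(\d{4}/\d{2}/\d{2}) \d\d:\d\d:\d\d \| [\d,]+ \| [-\w]{4} \| C\] \((.*?)\) -- (.+)$')


def exe_path(cmd):
    """Pull the executable out of a Run command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.*?\.exe)\b', cmd, re.IGNORECASE)  # unquoted path with spaces
    return m.group(1) if m else cmd.split()[0]


def parse_run_entries(text):
    out = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd, company = m.groups()
            out.append({"hive": hive, "name": name, "cmd": cmd,
                        "company": company.strip(), "path": exe_path(cmd)})
    return out


def parse_created_files(text):
    """Map lower-cased path -> (creation date, publisher) for the 30-day section."""
    return {m.group(3).lower(): (m.group(1), m.group(2))
            for m in map(CREATED_RE.match, text.splitlines()) if m}


def parse_mountpoints(text):
    return [{"volume": m.group(1), "verb": m.group(2), "target": m.group(3)}
            for m in map(MOUNT_RE.match, text.splitlines()) if m]


def triage(text):
    """Apply the three rules and return the hits per rule."""
    created = parse_created_files(text)
    findings = {"run-key-no-publisher": [],
                "run-key-recent-file": [],
                "mountpoints-autorun": []}
    for e in parse_run_entries(text):
        if not e["company"]:                 # "()" : no version info / publisher
            findings["run-key-no-publisher"].append(e["name"])
        hit = created.get(e["path"].lower())  # target created inside the log window
        if hit:
            findings["run-key-recent-file"].append((e["name"], hit[0]))
    for m in parse_mountpoints(text):        # autorun wired to a removable volume
        findings["mountpoints-autorun"].append((m["volume"], m["verb"], m["target"]))
    return findings


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_OTL).items():
        print(rule)
        for h in hits:
            print("  ", h)
```

On the sample the `[Windows]` entry is the only one that trips two rules at once (no publisher, and its target was created on 2009/04/12 inside the 30-day window), which is the kind of overlap that moves an entry to the top of the list; the two MountPoints2 commands show a volume whose AutoRun and open verbs were both redirected to an executable. Whether any of these is actually malicious is for the helper to decide from the rest of the log; the script only orders the reading.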

#30
Aravinth
    Member
  • Topic Starter
  • Member
  • 36 posts
Hi handhfan,

I have posted the OTList.txt below


OTListIt logfile created on: 17/04/2009 20:29:05 - Run 7
OTListIt2 by OldTimer - Version 2.0.7.0 Folder = C:\Documents and Settings\Ar@vinth\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.75% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 3067 3090;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 129.84 Gb Total Space | 9.20 Gb Free Space | 7.08% Space Free | Partition Type: NTFS
Drive D: | 435.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 66.18 Gb Total Space | 6.43 Gb Free Space | 9.71% Space Free | Partition Type: FAT32
Drive F: | 36.85 Gb Total Space | 0.23 Gb Free Space | 0.62% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-A3279C58D5
Current User Name: Ar@vinth
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\WgaTray.exe (Microsoft Corporation)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (Nokia.)
PRC - C:\Documents and Settings\Ar@vinth\Desktop\OTListIt2.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (6to4 [Auto | Running]) -- C:\WINDOWS\System32\6to4svc.dll (Microsoft Corporation)
SRV - (Apple Mobile Device [Disabled | Stopped]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Autodesk Licensing Service [Auto | Stopped]) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
SRV - (Bonjour Service [Disabled | Stopped]) -- File not found
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (EhttpSrv [On_Demand | Stopped]) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (ESET)
SRV - (ekrn [Auto | Running]) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
SRV - (FLEXnet Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (fsssvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [Disabled | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Stopped]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (mi-raysat_3dsmax9_32 [Disabled | Stopped]) -- C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe ()
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (Nero BackItUp Scheduler 3 [Disabled | Stopped]) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe (Nero AG)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NMIndexingService [Disabled | Stopped]) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (Nero AG)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Running]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Auto | Stopped]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (RichVideo [Auto | Stopped]) -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe ()
SRV - (SeaPort [Disabled | Stopped]) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp.)
SRV - (ServiceLayer [On_Demand | Running]) -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (Nokia.)
SRV - (Tally License Server [Disabled | Stopped]) -- C:\Tally\tallylicserver.exe ()
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (YahooAUService [Disabled | Stopped]) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

========== Driver Services (SafeList) ==========

DRV - (Aspi32 [Auto | Running]) -- C:\WINDOWS\System32\drivers\aspi32.sys (Adaptec)
DRV - (atksgt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\atksgt.sys ()
DRV - (eamon [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\eamon.sys (ESET)
DRV - (easdrv [System | Running]) -- C:\WINDOWS\system32\DRIVERS\easdrv.sys (ESET)
DRV - (epfwtdir [System | Running]) -- C:\WINDOWS\system32\DRIVERS\epfwtdir.sys ()
DRV - (fssfltr [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys (Conexant Systems, Inc.)
DRV - (iadusb [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\glauiad.sys (Conexant Systems Inc.)
DRV - (ialm [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys (Intel Corporation)
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (is-EF1JAdrv [System | Running]) -- C:\WINDOWS\system32\DRIVERS\56228582.sys (Kaspersky Lab)
DRV - (lirsgt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\lirsgt.sys ()
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (Nokia USB Generic [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdc.sys (Nokia)
DRV - (Nokia USB Modem [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdcm.sys (Nokia)
DRV - (Nokia USB Phone Parent [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcd.sys (Nokia)
DRV - (Nokia USB Port [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdcj.sys (Nokia)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (pavboot [Boot | Running]) -- C:\WINDOWS\system32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (PQNTDrv [System | Running]) -- C:\WINDOWS\System32\drivers\PQNTDRV.SYS ()
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RTLE8023xp [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (sfsync02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfvfs02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (sptd [Boot | Running]) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (Tcpip6 [System | Running]) -- C:\WINDOWS\system32\DRIVERS\tcpip6.sys (Microsoft Corporation)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 12 E6 99 34 72 B0 C9 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Live Search"
FF - prefs.js..browser.search.defaulturl: "http://search.live.c...?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Live Search"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.8
FF - prefs.js..keyword.URL: "http://search.live.c...?FORM=IEFM1&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2009/03/29 11:22:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/02 18:10:13 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/03/29 16:58:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/03/29 16:58:50 | 00,000,000 | ---D | M]

[2008/08/30 20:28:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ar@vinth\Application Data\mozilla\Extensions
[2008/08/30 20:28:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ar@vinth\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/23 16:06:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ar@vinth\Application Data\mozilla\Firefox\Profiles\zeoourzw.default\extensions
[2008/08/30 20:28:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ar@vinth\Application Data\mozilla\Firefox\Profiles\zeoourzw.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/03/22 18:57:13 | 00,001,632 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\Application Data\Mozilla\FireFox\Profiles\zeoourzw.default\searchplugins\live-search.xml
[2009/04/02 18:10:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/08/30 20:28:32 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2009/03/29 16:58:50 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/02 18:10:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/03/29 16:58:43 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/03/29 16:58:43 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/09/25 04:21:16 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/09/25 04:21:16 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/09/25 04:21:16 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/16 17:28:25 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/09/25 04:21:16 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/09/25 04:21:16 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/09/25 04:21:16 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent (Microsoft Corporation)
O4 - HKLM..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice (ESET)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" ()
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKCU..\Run: [RGSC] F:\Program Files\Rockstar Games\Grand Theft Auto IV\Rockstar Games Social Club\RGSCLauncher.exe /silent (Take-Two Interactive Software, Inc.)
O4 - HKCU..\Run: [Windows] "C:\Windows\System32\windows.exe" ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [Bluetooth Namespace] - C:\WINDOWS\system32\wshbth.dll (Microsoft Corporation)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1234793980562 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1234793720625 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {93994DE8-8239-4655-B1D1-5F4E91300429} - C:\Program Files\DVD Region+CSS Free\DVDShell.dll (Fengtao Software Inc.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - C:\autorun.inf [2008/10/18 13:47:30 | 00,000,000 | ---D | M] - [ NTFS ]
O32 - Autorun File - F:\autorun.inf [2008/10/18 13:47:30 | 00,000,000 | ---D | M] - [ NTFS ]
O33 - MountPoints2\{94407039-f861-11dd-968c-000138825422}\Shell\AutoRun\command - "" = SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{94407039-f861-11dd-968c-000138825422}\Shell\open\command - "" = SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[12 C:\WINDOWS\*.tmp files]
[2009/04/17 20:04:48 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ar@vinth\Desktop\OTListIt2.exe
[2009/04/17 20:02:44 | 00,002,575 | ---- | C] () -- C:\Documents and Settings\Ar@vinth\My Documents\DrWeb.csv
[2009/04/17 05:36:32 | 73,673,2681 | ---- | C] () -- C:\Silambattam.CD1_Desman.mkv
[2009/04/17 04:36:54 | 00,028,358 | ---- | C] () -- C:\Documents and Settings\Ar@vinth\Desktop\Silambattam.CD1_Desman.mkv.torrent
[2009/04/16 11:51:39 | 00,000,000 | ---D | C] -- C:\Splinter Cell
[2009/04/16 11:48:30 | 00,004,854 | ---- | C] () -- C:\Documents and Settings\Ar@vinth\Desktop\DrWeb.csv
[2009/04/16 00:06:18 | 13,627,360 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Ar@vinth\Desktop\drweb-cureit.exe
[2009/04/15 15:11:44 | 00,000,693 | ---- | C] () -- C:\Documents and Settings\Ar@vinth\Desktop\Crysis Natural Mod.lnk
[2009/04/13 00:58:54 | 11,477,109 | ---- | C] () -- C:\Documents and Settings\Ar@vinth\My Documents\Nenje Nenje - Harish Ragavendra, Mahathi.mp3
[2009/04/12 21:52:24 | 00,679,936 | ---- | C] () -- C:\WINDOWS\System32\windows.exe
[2009/04/12 19:44:22 | 00,085,504 | ---- | C] () -- C:\Documents and Settings\Ar@vinth\Desktop\visa.doc
[2009/04/12 01:45:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ar@vinth\My Documents\Rockstar Games
[2009/04/12 00:52:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ar@vinth\Local Settings\Application Data\Rockstar Games
[2009/04/12 00:41:59 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Games for Windows - LIVE
[2009/04/11 20:15:49 | 04,780,224 | -H-- | C] () -- C:\Documents and Settings\Ar@vinth\Local Settings\Application Data\IconCache.db
[2009/04/11 17:46:44 | 00,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2009/04/11 17:46:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ar@vinth\Application Data\SystemRequirementsLab
[2009/04/10 19:10:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\NV32883740.TMP
[2009/04/08 19:56:35 | 00,604,703 | ---- | C] () -- C:\Documents and Settings\Ar@vinth\Desktop\ISATSampleQuestionsBooklet2009.pdf
[2009/04/06 10:47:17 | 37,348,816 | ---- | C] ( ) -- C:\Documents and Settings\Ar@vinth\Desktop\setup_7.0.0.290_06.04.2009_10-13.exe
[2009/04/03 22:07:06 | 00,000,823 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Crysis.lnk
[2009/04/03 17:25:22 | 01,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2009/04/03 17:25:22 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2009/04/03 17:25:21 | 04,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2009/04/03 17:25:19 | 00,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2009/04/03 17:25:19 | 00,069,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2009/04/03 17:25:18 | 00,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2009/04/03 17:25:17 | 00,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2009/04/02 00:00:35 | 00,089,073 | ---- | C] () -- C:\Documents and Settings\Ar@vinth\Desktop\uni of glasgow.pdf
[2009/03/31 19:43:04 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/03/31 19:22:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2009/03/31 19:01:35 | 00,000,264 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/03/31 19:01:35 | 00,000,264 | ---- | C] () -- C:\WINDOWS\tasks\OGADaily.job
[2009/03/31 00:17:23 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/03/31 00:06:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/03/31 00:02:47 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/03/30 10:03:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ar@vinth\Application Data\vlc
[2009/03/30 09:55:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ar@vinth\Desktop\Fix
[2009/03/29 12:25:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ar@vinth\My Documents\Downloads
[2009/03/29 11:22:37 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2009/03/28 22:59:45 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/03/28 22:59:45 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/03/28 22:59:45 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/03/28 22:59:45 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/03/28 22:59:45 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/03/28 22:59:45 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/03/28 22:59:45 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/03/28 22:59:45 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/03/28 22:59:45 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/03/28 22:59:09 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/03/28 17:27:41 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/03/28 17:20:28 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/03/27 09:49:08 | 45,762,5632 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/03/27 09:49:08 | 04,725,452 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/03/26 11:54:11 | 00,148,496 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\56228582.sys
[2009/03/26 08:55:12 | 00,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/03/24 21:21:54 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/03/22 14:43:36 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Office Outlook Connector
[2009/03/22 14:43:21 | 00,055,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\fssfltr_tdi.sys
[2009/03/22 14:42:56 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Sync Framework
[2009/03/22 14:42:12 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2009/03/22 14:40:26 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/03/22 14:40:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/03/22 14:40:07 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/03/22 13:21:50 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/03/22 07:33:13 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/21 09:34:27 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/03/21 09:33:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/03/21 09:29:36 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/03/21 00:02:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\Google Earth Pro 4.2
[2009/03/20 17:05:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ar@vinth\Local Settings\Application Data\Ubisoft
[2009/03/20 17:05:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ubisoft

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[12 C:\WINDOWS\*.tmp files]
[2009/04/17 20:30:39 | 45,763,1776 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/04/17 20:05:58 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/17 20:02:44 | 00,002,575 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\My Documents\DrWeb.csv
[2009/04/17 19:01:15 | 00,000,264 | ---- | M] () -- C:\WINDOWS\tasks\OGADaily.job
[2009/04/17 14:23:53 | 00,001,208 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUser.job
[2009/04/17 13:49:02 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/17 13:30:06 | 73,673,2681 | ---- | M] () -- C:\Silambattam.CD1_Desman.mkv
[2009/04/17 04:36:54 | 00,028,358 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\Desktop\Silambattam.CD1_Desman.mkv.torrent
[2009/04/17 00:02:11 | 00,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/04/16 11:48:30 | 00,004,854 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\Desktop\DrWeb.csv
[2009/04/16 00:15:03 | 13,627,360 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Ar@vinth\Desktop\drweb-cureit.exe
[2009/04/15 23:25:10 | 00,209,504 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/04/15 23:25:04 | 00,000,264 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/04/15 23:24:19 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/15 23:24:14 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/15 17:14:08 | 04,725,452 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/04/15 16:39:01 | 00,244,224 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/15 15:11:44 | 00,000,693 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\Desktop\Crysis Natural Mod.lnk
[2009/04/15 12:40:40 | 00,000,944 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/15 12:40:40 | 00,000,306 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/15 12:40:40 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/04/13 18:38:49 | 00,085,504 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\Desktop\visa.doc
[2009/04/13 01:14:36 | 11,477,109 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\My Documents\Nenje Nenje - Harish Ragavendra, Mahathi.mp3
[2009/04/12 21:27:07 | 00,679,936 | ---- | M] () -- C:\WINDOWS\System32\windows.exe
[2009/04/11 20:15:49 | 04,780,224 | -H-- | M] () -- C:\Documents and Settings\Ar@vinth\Local Settings\Application Data\IconCache.db
[2009/04/11 15:28:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/08 19:56:35 | 00,604,703 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\Desktop\ISATSampleQuestionsBooklet2009.pdf
[2009/04/06 11:28:01 | 37,348,816 | ---- | M] ( ) -- C:\Documents and Settings\Ar@vinth\Desktop\setup_7.0.0.290_06.04.2009_10-13.exe
[2009/04/03 22:07:06 | 00,000,823 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Crysis.lnk
[2009/04/02 00:00:35 | 00,089,073 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\Desktop\uni of glasgow.pdf
[2009/03/31 19:48:25 | 00,000,079 | -HS- | M] () -- C:\Documents and Settings\Ar@vinth\My Documents\desktop.ini
[2009/03/31 19:45:39 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/31 00:08:59 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.msn
[2009/03/31 00:08:59 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/29 11:22:13 | 00,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009/03/28 23:04:32 | 01,690,160 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/28 20:59:18 | 00,949,248 | -HS- | M] () -- C:\Documents and Settings\Ar@vinth\Desktop\Thumbs.db
[2009/03/27 10:03:00 | 01,724,416 | ---- | M] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/27 10:03:00 | 01,657,376 | ---- | M] () -- C:\WINDOWS\System32\nwiz.exe
[2009/03/27 10:03:00 | 01,503,232 | ---- | M] () -- C:\WINDOWS\System32\nview.dll
[2009/03/27 10:03:00 | 01,346,080 | ---- | M] () -- C:\WINDOWS\System32\nvdspsch.exe
[2009/03/27 10:03:00 | 01,101,824 | ---- | M] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/27 10:03:00 | 00,466,944 | ---- | M] () -- C:\WINDOWS\System32\nvshell.dll
[2009/03/27 10:03:00 | 00,449,056 | ---- | M] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/03/27 10:03:00 | 00,436,768 | ---- | M] () -- C:\WINDOWS\System32\keystone.exe
[2009/03/27 10:03:00 | 00,215,465 | ---- | M] () -- C:\WINDOWS\System32\nvapps.nvb
[2009/03/27 10:03:00 | 00,073,728 | ---- | M] () -- C:\WINDOWS\System32\nvtuicpl.cpl
[2009/03/27 10:03:00 | 00,019,054 | ---- | M] () -- C:\WINDOWS\System32\nvdisp.nvu
[2009/03/26 16:49:56 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/26 16:49:50 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/24 21:32:07 | 00,520,190 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/24 21:32:07 | 00,439,926 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/24 21:32:07 | 00,071,520 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/22 14:41:28 | 00,000,912 | ---- | M] () -- C:\Documents and Settings\Ar@vinth\My Documents\My Sharing Folders.lnk
[2009/03/22 07:30:50 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ar@vinth\Desktop\OTListIt2.exe
< End of report >
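The two O33 lines at the top of this log are worth a closer look: they are per-volume shell verb handlers under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, and both the AutoRun and the open verb for the same volume GUID point at an executable whose path is not rooted on a drive letter and sits under a SID-named folder. The script below is an added example, not part of the poster's log, of OTListIt2 or of any tool the thread mentions: it parses O33 lines out of an OTL report and flags the handlers a responder would want to check. The first two sample lines are copied from the log above; the third (GUID 0a1b2c3d-... and E:\setup.exe) is a constructed benign entry so the filter has something to let through. The three heuristics (relative path, SID in path, executable named after a Windows directory) are the author's assumptions, not rules from the tool.

```python
import re
from dataclasses import dataclass, field

# OTListIt2 "O33" lines record per-volume shell verb handlers under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.
# The first two O33 lines and the O34 line are copied from the log above;
# the third O33 line is a constructed benign entry (hypothetical GUID and path).
SAMPLE_LOG = r"""
O33 - MountPoints2\{94407039-f861-11dd-968c-000138825422}\Shell\AutoRun\command - "" = SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{94407039-f861-11dd-968c-000138825422}\Shell\open\command - "" = SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{0a1b2c3d-0000-1111-2222-333344445555}\Shell\AutoRun\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
"""

# O33 - MountPoints2\{GUID}\Shell\<verb>\command - "<value name>" = <command>
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9A-Fa-f-]+\})\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "(?P<value_name>[^"]*)" = (?P<command>.+?)\s*$'
)
SID_RE = re.compile(r'S-1-5-\d+(?:-\d+){2,}')
DRIVE_ROOTED_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\)')   # C:\... or \\server\share
# Executables that borrow the name of a Windows directory (assumed heuristic list).
LOOKALIKE_NAMES = {"system32.exe", "windows.exe", "system.exe"}


@dataclass
class MountPointEntry:
    guid: str
    verb: str
    command: str
    reasons: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o33_lines(log_text: str) -> list:
    """Extract every MountPoints2 verb handler from an OTL report."""
    entries = []
    for line in log_text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            entries.append(MountPointEntry(m["guid"], m["verb"], m["command"]))
    return entries


def assess(entry: MountPointEntry) -> MountPointEntry:
    """Attach a reason tag for each heuristic the handler's command trips."""
    cmd = entry.command.strip().strip('"')
    # No drive letter or UNC prefix: the path resolves against the root of the
    # mounted volume itself, so the payload travels with the removable drive.
    if not DRIVE_ROOTED_RE.match(cmd):
        entry.reasons.add("relative-path")
    # A SID string as a folder name is a hiding place, not where installers write.
    if SID_RE.search(cmd):
        entry.reasons.add("sid-in-path")
    name = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in LOOKALIKE_NAMES:
        entry.reasons.add("lookalike-name")
    return entry


def analyze_mountpoints(log_text: str) -> list:
    """Return only the O33 entries that trip at least one heuristic."""
    return [e for e in map(assess, parse_o33_lines(log_text)) if e.suspicious]


if __name__ == "__main__":
    for e in analyze_mountpoints(SAMPLE_LOG):
        tags = ", ".join(sorted(e.reasons))
        print(f"{e.guid} Shell\\{e.verb}\\command -> {e.command}  [{tags}]")
```

Run against the sample, both handlers for the {94407039-...} volume come back with all three tags and the constructed E:\setup.exe entry is passed over. On the live machine the same check is a walk of the MountPoints2 key for the affected user; a relative command there is the thing to chase, because it means the executable it names lives on whatever volume carries that GUID, not on C:.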