
Themida error when opening Fraps [Solved]


  • This topic is locked

#16
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

Delete your current copy of combofix

Step 1

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in the root directory (usually C:\).
  • Please post the contents of that log in your next reply.

Step 2

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Step 3

Things I would like to see in your reply:
  • TDSSKiller log
  • Combofix.txt


#17
erikc4l

    Member

  • Topic Starter
  • Member
  • 116 posts
TDSSKiller log
12:56:52:873 4972 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:56:52:873 4972 ================================================================================
12:56:52:873 4972 SystemInfo:

12:56:52:873 4972 OS Version: 6.0.6001 ServicePack: 1.0
12:56:52:873 4972 Product type: Workstation
12:56:52:873 4972 ComputerName: ERIKTRAN-PC
12:56:52:889 4972 UserName: Erik Tran
12:56:52:889 4972 Windows directory: C:\Windows
12:56:52:889 4972 Processor architecture: Intel x86
12:56:52:889 4972 Number of processors: 2
12:56:52:889 4972 Page size: 0x1000
12:56:52:889 4972 Boot type: Normal boot
12:56:52:889 4972 ================================================================================
12:56:52:889 4972 UnloadDriverW: NtUnloadDriver error 2
12:56:52:889 4972 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:56:52:889 4972 wfopen_ex: Trying to open file C:\Windows\system32\config\system
12:56:52:889 4972 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:56:52:889 4972 wfopen_ex: Trying to KLMD file open
12:56:52:889 4972 wfopen_ex: File opened ok (Flags 2)
12:56:52:920 4972 wfopen_ex: Trying to open file C:\Windows\system32\config\software
12:56:52:920 4972 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:56:52:920 4972 wfopen_ex: Trying to KLMD file open
12:56:52:920 4972 wfopen_ex: File opened ok (Flags 2)
12:56:52:920 4972 Initialize success
12:56:52:920 4972
12:56:52:920 4972 Scanning Services ...
12:56:54:199 4972 Raw services enum returned 434 services
12:56:54:215 4972
12:56:54:215 4972 Scanning Kernel memory ...
12:56:54:215 4972 Devices to scan: 1
12:56:54:215 4972
12:56:54:215 4972 Driver Name: atapi
12:56:54:215 4972 IRP_MJ_CREATE : 822C6116
12:56:54:215 4972 IRP_MJ_CREATE_NAMED_PIPE : 81C42FEF
12:56:54:215 4972 IRP_MJ_CLOSE : 822C6116
12:56:54:215 4972 IRP_MJ_READ : 81C42FEF
12:56:54:215 4972 IRP_MJ_WRITE : 81C42FEF
12:56:54:215 4972 IRP_MJ_QUERY_INFORMATION : 81C42FEF
12:56:54:215 4972 IRP_MJ_SET_INFORMATION : 81C42FEF
12:56:54:215 4972 IRP_MJ_QUERY_EA : 81C42FEF
12:56:54:215 4972 IRP_MJ_SET_EA : 81C42FEF
12:56:54:215 4972 IRP_MJ_FLUSH_BUFFERS : 81C42FEF
12:56:54:215 4972 IRP_MJ_QUERY_VOLUME_INFORMATION : 81C42FEF
12:56:54:215 4972 IRP_MJ_SET_VOLUME_INFORMATION : 81C42FEF
12:56:54:215 4972 IRP_MJ_DIRECTORY_CONTROL : 81C42FEF
12:56:54:215 4972 IRP_MJ_FILE_SYSTEM_CONTROL : 81C42FEF
12:56:54:215 4972 IRP_MJ_DEVICE_CONTROL : 822B4A22
12:56:54:215 4972 IRP_MJ_INTERNAL_DEVICE_CONTROL : 822B49F4
12:56:54:215 4972 IRP_MJ_SHUTDOWN : 81C42FEF
12:56:54:215 4972 IRP_MJ_LOCK_CONTROL : 81C42FEF
12:56:54:215 4972 IRP_MJ_CLEANUP : 81C42FEF
12:56:54:215 4972 IRP_MJ_CREATE_MAILSLOT : 81C42FEF
12:56:54:215 4972 IRP_MJ_QUERY_SECURITY : 81C42FEF
12:56:54:215 4972 IRP_MJ_SET_SECURITY : 81C42FEF
12:56:54:215 4972 IRP_MJ_POWER : 822B4A50
12:56:54:215 4972 IRP_MJ_SYSTEM_CONTROL : 822C1B70
12:56:54:215 4972 IRP_MJ_DEVICE_CHANGE : 81C42FEF
12:56:54:215 4972 IRP_MJ_QUERY_QUOTA : 81C42FEF
12:56:54:215 4972 IRP_MJ_SET_QUOTA : 81C42FEF
12:56:54:230 4972 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
12:56:54:230 4972
12:56:54:230 4972 Completed
12:56:54:230 4972
12:56:54:230 4972 Results:
12:56:54:230 4972 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
12:56:54:230 4972 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:56:54:230 4972 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:56:54:230 4972
12:56:54:230 4972 fclose_ex: Trying to close file C:\Windows\system32\config\system
12:56:54:230 4972 fclose_ex: Trying to close file C:\Windows\system32\config\software
12:56:54:230 4972 KLMD(ARK) unloaded successfully

Combofix.txt in progress

#18
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

Can you please post the combofix log?

#19
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#20
erikc4l

    Member

  • Topic Starter
  • Member
  • 116 posts
Sorry for the lack of feedback as I went out of town.

What are the instructions I need to follow as of now?

If you still need the ComboFix log from before I left, here it is.

ComboFix 10-03-26.02 - Erik Tran 03/27/2010 13:00:31.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.2032 [GMT -7:00]
Running from: c:\users\Erik Tran\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tl584457.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-27 20:06 . 2010-03-27 20:08 -------- d-----w- c:\users\Erik Tran\AppData\Local\temp
2010-03-27 20:06 . 2010-03-27 20:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-27 20:06 . 2010-03-27 20:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-27 18:56 . 2010-03-27 18:56 -------- d-----w- c:\program files\Speccy
2010-03-27 16:46 . 2010-03-27 16:46 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 05:00 . 2010-03-26 05:00 -------- d-----w- c:\program files\4U Computing
2010-03-25 00:12 . 2010-03-25 00:12 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-03-24 23:20 . 2010-03-24 23:20 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-24 23:02 . 2010-03-24 23:02 -------- d-----w- C:\_OTL
2010-03-24 13:10 . 2010-03-24 13:10 -------- d-----w- c:\programdata\InstallShield
2010-03-24 05:36 . 2009-07-03 07:34 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2010-03-24 05:36 . 2009-07-03 07:34 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2010-03-24 05:36 . 2009-07-01 17:25 61440 ----a-w- c:\windows\system32\uc_atlantica_launching.dll
2010-03-24 05:36 . 2009-04-01 00:43 53248 ----a-w- c:\windows\system32\uc_luminary_launching.dll
2010-03-24 05:36 . 2009-07-03 07:34 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2010-03-24 05:36 . 2009-01-29 18:53 87472 ----a-w- c:\windows\system32\ijjiChannelingPlugin.dll
2010-03-22 03:22 . 2010-03-22 03:24 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\ManyCam
2010-03-22 03:22 . 2010-03-22 03:22 -------- d-----w- c:\program files\Ask.com
2010-03-19 21:07 . 2010-03-19 21:07 -------- d-----w- c:\program files\IObit
2010-03-18 02:03 . 2010-03-18 04:18 -------- d-----w- C:\Abyss Web Server
2010-03-18 00:05 . 2010-03-18 00:05 -------- d-----w- c:\program files\TortoiseSVN
2010-03-18 00:05 . 2010-03-18 00:05 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2010-03-17 01:08 . 2010-03-18 04:14 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\nHancer
2010-03-17 01:05 . 2010-03-17 01:08 -------- d-----w- c:\programdata\nHancer
2010-03-15 22:02 . 2010-03-20 17:20 -------- d-----w- C:\Temp
2010-03-15 21:55 . 2010-03-15 21:55 -------- d-----w- c:\program files\THQICE
2010-03-14 18:36 . 2010-03-14 18:36 -------- d-----w- c:\users\Erik Tran\AppData\Local\WLDM
2010-03-14 04:25 . 2010-03-14 04:25 680 ----a-w- c:\users\Erik Tran\AppData\Local\d3d9caps.dat
2010-03-13 19:17 . 2009-11-11 07:08 180224 ----a-w- c:\windows\system32\QTCF.dll
2010-03-12 22:48 . 2010-03-24 03:34 -------- d-----w- c:\program files\Common Files\Steam
2010-03-12 22:48 . 2010-03-24 03:34 -------- d-----w- c:\program files\Steam
2010-03-09 23:05 . 2010-03-09 23:05 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-03-09 22:49 . 2010-03-09 22:49 -------- d-----w- c:\program files\dumps
2010-03-07 16:30 . 2010-03-24 03:34 -------- d-----w- c:\program files\ImageConverter Plus
2010-03-07 16:26 . 2010-03-07 16:28 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\VSO
2010-03-07 16:26 . 2010-03-07 16:26 -------- d-----w- c:\users\Erik Tran\AppData\Local\VSO
2010-03-07 01:34 . 2010-03-07 01:35 -------- d-----w- C:\.ritzwebv1_file_store_32
2010-03-07 01:28 . 2010-03-07 01:28 -------- d-----w- c:\program files\Common Files\Java
2010-03-05 02:46 . 2010-03-19 01:06 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\MySQL
2010-03-05 02:46 . 2010-03-24 03:28 -------- d-----w- c:\users\Erik Tran\AppData\Local\TSVNCache
2010-03-05 02:43 . 2010-03-05 02:43 -------- d-----w- c:\program files\Sun
2010-03-05 02:41 . 2010-03-05 02:41 -------- d-----w- c:\program files\MySQL
2010-03-05 02:40 . 2010-03-19 05:16 -------- d-----w- C:\wamp
2010-03-05 02:35 . 2010-03-05 02:35 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\TortoiseSVN
2010-03-05 02:33 . 2010-03-05 02:33 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Subversion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 20:08 . 2009-12-13 16:11 53307 ----a-w- c:\programdata\nvModes.dat
2010-03-27 19:56 . 2009-12-13 16:46 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Skype
2010-03-27 19:55 . 2008-10-25 22:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 18:55 . 2009-12-15 01:37 -------- d-----w- c:\program files\CCleaner
2010-03-27 16:45 . 2009-12-13 16:48 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\skypePM
2010-03-25 00:13 . 2009-12-13 16:55 -------- d-----w- c:\program files\AIM
2010-03-24 23:20 . 2009-12-13 18:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 13:03 . 2008-10-25 22:50 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-24 03:50 . 2009-12-13 16:06 75264 ----a-w- c:\users\Erik Tran\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-14 18:36 . 2009-12-13 17:27 -------- d-----w- c:\program files\Windows Live
2010-03-13 03:13 . 2009-12-13 18:06 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Apple Computer
2010-03-13 03:09 . 2009-12-13 18:02 -------- d-----w- c:\programdata\Apple
2010-03-07 01:31 . 2008-10-26 00:13 -------- d-----w- c:\program files\Java
2010-03-07 01:25 . 2010-02-20 18:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 03:53 . 2010-01-20 05:09 -------- d-----w- c:\program files\TeamViewer
2010-02-25 04:47 . 2010-02-25 04:47 1585608 ----a-w- c:\programdata\Skype\Plugins\Plugins\F35E193DC3E84933B83DE961D9AC33BF\SketchPad.exe
2010-02-24 03:16 . 2010-02-24 03:03 41 ----a-w- c:\users\Erik Tran\jagex_runescape_preferences.dat
2010-02-24 03:08 . 2010-02-24 03:05 69 ----a-w- c:\users\Erik Tran\jagex_runescape_preferences2.dat
2010-02-23 03:26 . 2010-02-23 03:26 147456 ----a-w- c:\windows\system32\uc_neosteam_launching.dll
2010-02-22 23:08 . 2010-02-22 23:05 -------- d-----w- c:\programdata\NexonUS
2010-02-22 23:05 . 2010-02-22 23:05 98304 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2010-02-22 23:05 . 2010-02-22 23:05 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-02-22 23:05 . 2010-02-22 23:05 401408 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2010-02-22 23:05 . 2010-02-22 23:05 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2010-02-22 23:05 . 2010-02-22 23:05 172032 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2010-02-22 23:05 . 2010-02-22 23:05 126976 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2010-02-14 18:43 . 2010-02-14 03:41 -------- d-----w- c:\program files\Google
2010-02-04 00:52 . 2010-02-04 00:52 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Nexon
2010-02-02 05:54 . 2010-01-07 03:08 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Lexmark Productivity Studio
2010-02-01 22:30 . 2010-02-01 22:30 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Mael
2010-01-30 02:15 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-30 02:15 . 2008-10-25 22:35 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-30 02:06 . 2010-01-30 02:06 -------- d-----w- c:\programdata\App4rTemp
2010-01-23 21:14 . 2008-01-21 02:23 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2010-01-22 17:24 . 2010-01-22 17:24 64000 ----a-w- c:\windows\system32\uc_sfighters_launching.dll
2010-01-07 23:07 . 2009-12-13 18:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-12-13 18:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-10-25 23:12 . 2008-10-25 22:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 126976]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"lxdvmon.exe"="c:\program files\Lexmark X5400 Series\lxdvmon.exe" [2008-08-05 455336]
"lxdvamon"="c:\program files\Lexmark X5400 Series\lxdvamon.exe" [2008-08-05 25256]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2008-07-24 98984]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-01-06 3478288]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2008-10-08 3328]
S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2008-07-24 594600]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-11-12 66664]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.allkpop.com/category/music
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 13:08
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-03-27 13:12:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 20:12
ComboFix2.txt 2010-01-24 00:38

Pre-Run: 172,066,848,768 bytes free
Post-Run: 171,311,927,296 bytes free

- - End Of File - - 93C5F503AABCE772E4B1C54CD0AFB735

Edited by erikc4l, 08 April 2010 - 10:59 PM.

#21
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

#22
erikc4l

    Member

  • Topic Starter
  • Member
  • 116 posts
Thanks for replying back. Here are the log results.

OTL logfile created on: 4/9/2010 3:33:52 PM - Run 6
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Erik Tran\Desktop\GeekstoGo
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.01 Gb Total Space | 155.48 Gb Free Space | 70.03% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.76 Gb Free Space | 16.15% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ERIKTRAN-PC
Current User Name: Erik Tran
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/08 20:19:28 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/24 15:58:27 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Erik Tran\Desktop\GeekstoGo\OTL.exe
PRC - [2010/03/08 14:04:49 | 003,972,440 | ---- | M] (AOL Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2009/11/12 17:33:04 | 010,358,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2009/09/30 20:58:42 | 000,026,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/02/06 19:21:00 | 000,583,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\wlcsdk.exe
PRC - [2008/12/22 14:59:20 | 000,787,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe
PRC - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe
PRC - [2008/08/05 11:19:41 | 000,455,336 | ---- | M] () -- C:\Program Files\Lexmark X5400 Series\lxdvmon.exe
PRC - [2008/08/05 11:19:40 | 000,025,256 | ---- | M] () -- C:\Program Files\Lexmark X5400 Series\lxdvamon.exe
PRC - [2008/07/24 06:33:53 | 000,594,600 | ---- | M] ( ) -- C:\Windows\System32\lxdvcoms.exe
PRC - [2008/01/20 19:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/03/24 15:58:27 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Erik Tran\Desktop\GeekstoGo\OTL.exe
MOD - [2008/01/20 19:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Norton Internet Security)
SRV - [2010/01/06 09:13:00 | 003,478,288 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/07/24 06:33:53 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxdvcoms.exe -- (lxdv_device)
SRV - [2008/07/24 06:33:43 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe -- (lxdvCATSCustConnectService)
SRV - [2008/01/20 19:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...ion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...ion&pf=cnnb
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.allkpop.c...category/music"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/08 20:19:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/08 20:19:31 | 000,000,000 | ---D | M]

[2009/12/13 09:41:06 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Extensions
[2010/04/09 14:45:16 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions
[2010/01/16 14:54:42 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/01/16 12:09:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{6ad56361-628f-471b-8f9d-4c338973a87d}
[2010/01/12 17:59:02 | 000,000,000 | ---D | M] (AOL Radio Toolbar) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{6ad56361-628f-471b-8f9d-4c338973a87d}(97)
[2010/02/03 17:45:23 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/01/08 16:58:55 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/12/13 12:23:24 | 000,002,283 | ---- | M] () -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\searchplugins\aol-search.xml
[2010/04/09 14:45:16 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/03 00:34:44 | 000,083,376 | ---- | M] (NHN USA Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
[2009/12/13 09:56:15 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2010/03/27 13:08:24 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [lxdvamon] C:\Program Files\Lexmark X5400 Series\lxdvamon.exe ()
O4 - HKLM..\Run: [lxdvmon.exe] C:\Program Files\Lexmark X5400 Series\lxdvmon.exe ()
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [WindowsLivePhone] C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe (Microsoft Corporation)
O4 - HKCU..\Run: [WindowsLivePhone] C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Erik Tran\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Erik Tran\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/03/27 13:12:43 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/03/27 13:12:43 | 000,000,000 | ---D | C] -- C:\Users\Erik Tran\AppData\Local\temp
[2010/03/27 13:08:28 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2010/03/27 12:58:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/03/27 11:56:42 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2010/03/27 09:46:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/02/01 22:49:04 | 001,069,056 | ---- | C] ( ) -- C:\Windows\System32\lxdvserv.dll
[2010/02/01 22:49:04 | 000,954,368 | ---- | C] ( ) -- C:\Windows\System32\lxdvusb1.dll
[2010/02/01 22:49:04 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxdvpmui.dll
[2010/02/01 22:49:04 | 000,438,272 | ---- | C] ( ) -- C:\Windows\System32\LXDVhcp.dll
[2010/02/01 22:49:04 | 000,360,448 | ---- | C] ( ) -- C:\Windows\System32\lxdvinpa.dll
[2010/02/01 22:49:04 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxdviesc.dll
[2010/02/01 22:49:04 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\lxdvprox.dll
[2010/02/01 22:49:03 | 000,569,344 | ---- | C] ( ) -- C:\Windows\System32\lxdvlmpm.dll
[2010/02/01 22:49:02 | 000,663,552 | ---- | C] ( ) -- C:\Windows\System32\lxdvhbn3.dll
[2010/02/01 22:49:01 | 000,851,968 | ---- | C] ( ) -- C:\Windows\System32\lxdvcomc.dll
[2010/02/01 22:49:01 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxdvcomm.dll

========== Files - Modified Within 14 Days ==========

[2010/04/09 15:33:52 | 002,621,440 | -HS- | M] () -- C:\Users\Erik Tran\NTUSER.DAT
[2010/04/09 14:09:12 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/09 14:09:12 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/09 14:09:12 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/09 14:04:37 | 000,002,337 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2010/04/09 14:04:08 | 000,053,307 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/04/09 14:04:08 | 000,053,307 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/04/09 14:03:54 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/09 14:03:54 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/09 14:03:49 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/09 14:03:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/09 14:03:44 | 2951,127,040 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/08 22:57:05 | 000,524,288 | -HS- | M] () -- C:\Users\Erik Tran\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/04/08 22:57:05 | 000,065,536 | -HS- | M] () -- C:\Users\Erik Tran\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/04/08 22:56:47 | 002,008,924 | -H-- | M] () -- C:\Users\Erik Tran\AppData\Local\IconCache.db
[2010/04/08 22:24:28 | 000,081,920 | ---- | M] () -- C:\Windows\System32\in675609.dll
[2010/04/08 22:24:28 | 000,044,686 | -H-- | M] () -- C:\Windows\System32\in675609.dl_
[2010/04/08 19:04:09 | 000,044,686 | -H-- | M] () -- C:\Windows\System32\tl584457.dl_
[2010/03/27 13:08:38 | 000,000,251 | ---- | M] () -- C:\Windows\system.ini
[2010/03/27 13:08:24 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/03/27 12:58:38 | 003,903,606 | R--- | M] () -- C:\Users\Erik Tran\Desktop\Combo-Fix.exe
[2010/03/27 11:55:57 | 000,001,630 | ---- | M] () -- C:\Users\Erik Tran\Desktop\CCleaner.lnk
[2010/03/27 11:36:12 | 000,001,848 | ---- | M] () -- C:\Windows\System32\msexcr.ini

========== Files Created - No Company Name ==========

[2010/04/08 22:24:28 | 000,081,920 | ---- | C] () -- C:\Windows\System32\in675609.dll
[2010/04/08 22:24:28 | 000,044,686 | -H-- | C] () -- C:\Windows\System32\in675609.dl_
[2010/03/27 12:58:28 | 003,903,606 | R--- | C] () -- C:\Users\Erik Tran\Desktop\Combo-Fix.exe
[2010/03/27 11:36:12 | 000,001,848 | ---- | C] () -- C:\Windows\System32\msexcr.ini
[2010/03/27 11:12:56 | 000,044,686 | -H-- | C] () -- C:\Windows\System32\tl584457.dl_
[2010/03/13 21:25:31 | 000,000,680 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\d3d9caps.dat
[2010/03/07 09:22:30 | 000,003,584 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/01 22:52:04 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdvcoin.dll
[2010/02/01 22:49:17 | 000,000,060 | ---- | C] () -- C:\Windows\System32\lxdvrwrd.ini
[2010/02/01 22:49:05 | 000,348,160 | ---- | C] () -- C:\Windows\System32\LXDVinst.dll
[2010/02/01 22:49:02 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdvgrd.dll
[2009/12/13 11:54:20 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/12/13 09:11:12 | 000,053,307 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/12/13 09:11:07 | 000,053,307 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/12/13 09:08:08 | 000,000,000 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\QSwitch.txt
[2009/12/13 09:08:08 | 000,000,000 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\DSwitch.txt
[2009/12/13 09:08:08 | 000,000,000 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\AtStart.txt
[2009/12/13 06:25:22 | 000,000,105 | ---- | C] () -- C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
[2009/12/13 06:25:10 | 000,000,032 | ---- | C] () -- C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
[2009/12/13 06:24:44 | 000,000,032 | ---- | C] () -- C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
[2009/12/13 06:24:05 | 000,000,032 | ---- | C] () -- C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
[2009/12/13 06:22:45 | 000,000,032 | ---- | C] () -- C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
[2009/12/13 06:22:00 | 000,000,246 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/10/25 17:10:11 | 000,000,109 | ---- | C] () -- C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
[2008/10/25 17:03:58 | 000,000,110 | ---- | C] () -- C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
[2008/10/25 17:01:59 | 000,000,105 | ---- | C] () -- C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
[2008/10/25 17:00:34 | 000,000,107 | ---- | C] () -- C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
[2008/10/08 16:05:06 | 000,010,752 | ---- | C] () -- C:\Windows\System32\rcmirror.dll
[2008/07/15 23:49:37 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxdvvs.dll
[2008/01/14 18:47:06 | 000,099,712 | ---- | C] () -- C:\Windows\HPBroker.dll
[2007/09/06 13:40:36 | 000,692,224 | ---- | C] () -- C:\Windows\System32\lxdvdrs.dll
[2007/08/10 12:49:54 | 000,065,536 | ---- | C] () -- C:\Windows\System32\lxdvcaps.dll
[2007/07/16 10:53:09 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdvcnv4.dll
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 02:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/12/13 09:57:44 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\acccore
[2010/01/13 00:05:36 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Datarescue
[2010/01/03 10:12:37 | 000,000,000 | -H-D | M] -- C:\Users\Erik Tran\AppData\Roaming\ijjigame
[2010/02/01 22:54:37 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Lexmark Productivity Studio
[2010/02/01 15:30:39 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Mael
[2010/03/21 20:24:25 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\ManyCam
[2010/03/18 18:06:27 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\MySQL
[2010/02/03 17:52:31 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Nexon
[2010/03/17 21:14:57 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\nHancer
[2010/03/04 19:33:51 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Subversion
[2010/01/23 11:37:30 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\SystemRequirementsLab
[2010/01/19 22:43:08 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\TeamViewer
[2010/03/07 09:28:10 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\VSO
[2010/04/08 22:56:56 | 000,032,596 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:D06A4C76
< End of report >

#23
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Collect::
C:\Windows\System32\in675609.dll
C:\Windows\System32\in675609.dl_
C:\Windows\System32\msexcr.ini
C:\Windows\System32\tl584457.dl_


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#24
erikc4l

    Member

  • Topic Starter
  • Member
  • 116 posts
Here is the log. After ComboFix did all the deletions and whatnot, at the end it said it had to upload files to the server for further analyzing and I pressed 'OK', so the upload was successful. After the log was produced I couldn't get on the internet even though it clearly said I was connected. So I did a restart and it worked, but I wanted to ask: was the restart necessary?

ComboFix 10-04-09.06 - Erik Tran 04/10/2010 10:34:57.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.2102 [GMT -7:00]
Running from: c:\users\Erik Tran\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Erik Tran\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\System32\in675609.dl_
file zipped: c:\windows\System32\tl584457.dl_
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\in675609.dl_
c:\windows\System32\tl584457.dl_

.
((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-03-27 18:56 . 2010-03-27 18:56 -------- d-----w- c:\program files\Speccy
2010-03-27 16:46 . 2010-03-27 16:46 -------- d-----w- c:\program files\Common Files\Skype
2010-03-25 00:12 . 2010-03-25 00:12 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-03-24 23:20 . 2010-03-24 23:20 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-24 23:02 . 2010-03-24 23:02 -------- d-----w- C:\_OTL
2010-03-24 13:10 . 2010-03-24 13:10 -------- d-----w- c:\programdata\InstallShield
2010-03-24 05:36 . 2009-07-03 07:34 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2010-03-24 05:36 . 2009-07-03 07:34 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2010-03-24 05:36 . 2009-07-01 17:25 61440 ----a-w- c:\windows\system32\uc_atlantica_launching.dll
2010-03-24 05:36 . 2009-04-01 00:43 53248 ----a-w- c:\windows\system32\uc_luminary_launching.dll
2010-03-24 05:36 . 2009-07-03 07:34 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2010-03-24 05:36 . 2009-01-29 18:53 87472 ----a-w- c:\windows\system32\ijjiChannelingPlugin.dll
2010-03-22 03:22 . 2010-03-22 03:24 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\ManyCam
2010-03-22 03:22 . 2010-03-22 03:22 -------- d-----w- c:\program files\Ask.com
2010-03-19 21:07 . 2010-03-19 21:07 -------- d-----w- c:\program files\IObit
2010-03-18 02:03 . 2010-03-18 04:18 -------- d-----w- C:\Abyss Web Server
2010-03-18 00:05 . 2010-03-18 00:05 -------- d-----w- c:\program files\TortoiseSVN
2010-03-18 00:05 . 2010-03-18 00:05 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2010-03-17 01:08 . 2010-03-18 04:14 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\nHancer
2010-03-17 01:05 . 2010-03-17 01:08 -------- d-----w- c:\programdata\nHancer
2010-03-15 22:02 . 2010-03-20 17:20 -------- d-----w- C:\Temp
2010-03-15 21:55 . 2010-03-15 21:55 -------- d-----w- c:\program files\THQICE
2010-03-14 18:36 . 2010-03-14 18:36 -------- d-----w- c:\users\Erik Tran\AppData\Local\WLDM
2010-03-14 04:25 . 2010-03-14 04:25 680 ----a-w- c:\users\Erik Tran\AppData\Local\d3d9caps.dat
2010-03-13 19:17 . 2009-11-11 07:08 180224 ----a-w- c:\windows\system32\QTCF.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 17:30 . 2009-12-13 16:46 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Skype
2010-04-10 17:23 . 2009-12-13 16:48 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\skypePM
2010-04-10 17:21 . 2009-12-13 16:11 53307 ----a-w- c:\programdata\nvModes.dat
2010-03-27 19:55 . 2008-10-25 22:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 18:55 . 2009-12-15 01:37 -------- d-----w- c:\program files\CCleaner
2010-03-25 00:13 . 2009-12-13 16:55 -------- d-----w- c:\program files\AIM
2010-03-24 23:20 . 2009-12-13 18:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 13:03 . 2008-10-25 22:50 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-24 03:50 . 2009-12-13 16:06 75264 ----a-w- c:\users\Erik Tran\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-19 01:06 . 2010-03-05 02:46 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\MySQL
2010-03-14 18:36 . 2009-12-13 17:27 -------- d-----w- c:\program files\Windows Live
2010-03-13 03:13 . 2009-12-13 18:06 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Apple Computer
2010-03-13 03:09 . 2009-12-13 18:02 -------- d-----w- c:\programdata\Apple
2010-03-09 23:05 . 2010-03-09 23:05 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-03-09 22:49 . 2010-03-09 22:49 -------- d-----w- c:\program files\dumps
2010-03-07 16:28 . 2010-03-07 16:26 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\VSO
2010-03-07 01:31 . 2008-10-26 00:13 -------- d-----w- c:\program files\Java
2010-03-07 01:28 . 2010-03-07 01:28 -------- d-----w- c:\program files\Common Files\Java
2010-03-07 01:25 . 2010-02-20 18:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 03:53 . 2010-01-20 05:09 -------- d-----w- c:\program files\TeamViewer
2010-03-05 02:43 . 2010-03-05 02:43 -------- d-----w- c:\program files\Sun
2010-03-05 02:41 . 2010-03-05 02:41 -------- d-----w- c:\program files\MySQL
2010-03-05 02:35 . 2010-03-05 02:35 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\TortoiseSVN
2010-03-05 02:33 . 2010-03-05 02:33 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Subversion
2010-02-25 04:47 . 2010-02-25 04:47 1585608 ----a-w- c:\programdata\Skype\Plugins\Plugins\F35E193DC3E84933B83DE961D9AC33BF\SketchPad.exe
2010-02-24 03:16 . 2010-02-24 03:03 41 ----a-w- c:\users\Erik Tran\jagex_runescape_preferences.dat
2010-02-24 03:08 . 2010-02-24 03:05 69 ----a-w- c:\users\Erik Tran\jagex_runescape_preferences2.dat
2010-02-23 03:26 . 2010-02-23 03:26 147456 ----a-w- c:\windows\system32\uc_neosteam_launching.dll
2010-02-22 23:08 . 2010-02-22 23:05 -------- d-----w- c:\programdata\NexonUS
2010-02-22 23:05 . 2010-02-22 23:05 98304 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2010-02-22 23:05 . 2010-02-22 23:05 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-02-22 23:05 . 2010-02-22 23:05 401408 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2010-02-22 23:05 . 2010-02-22 23:05 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2010-02-22 23:05 . 2010-02-22 23:05 172032 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2010-02-22 23:05 . 2010-02-22 23:05 126976 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2010-02-14 18:43 . 2010-02-14 03:41 -------- d-----w- c:\program files\Google
2010-01-23 21:14 . 2008-01-21 02:23 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2010-01-22 17:24 . 2010-01-22 17:24 64000 ----a-w- c:\windows\system32\uc_sfighters_launching.dll
2008-10-25 23:12 . 2008-10-25 22:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-03-26_21.32.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-04-10 17:22 44856 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-04-10 17:23 89180 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-13 16:18 . 2010-04-10 17:23 10422 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3384556573-3205605897-1395993902-1000_UserData.bin
- 2009-12-13 16:04 . 2010-03-25 00:13 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-13 16:04 . 2010-03-27 18:56 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-18 21:50 . 2010-03-27 18:56 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-18 21:50 . 2010-03-25 00:13 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-13 16:04 . 2010-03-25 00:13 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-13 16:04 . 2010-03-27 18:56 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-10 17:21 . 2010-04-10 17:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-03-26 21:16 . 2010-03-26 21:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-03-26 21:16 . 2010-03-26 21:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-10 17:21 . 2010-04-10 17:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2010-04-10 17:27 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-03-26 21:22 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-03-26 21:22 101350 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-04-10 17:27 101350 c:\windows\System32\perfc009.dat
+ 2010-03-27 16:48 . 2010-03-27 16:48 700416 c:\windows\Installer\1c533.msi
+ 2010-03-27 16:46 . 2010-03-27 16:46 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
- 2009-12-13 16:45 . 2009-12-13 16:45 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2010-03-27 16:46 . 2010-03-27 16:46 1575936 c:\windows\Installer\1c52a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 126976]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"lxdvmon.exe"="c:\program files\Lexmark X5400 Series\lxdvmon.exe" [2008-08-05 455336]
"lxdvamon"="c:\program files\Lexmark X5400 Series\lxdvamon.exe" [2008-08-05 25256]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2008-07-24 98984]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-01-06 3478288]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2008-10-08 3328]
S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2008-07-24 594600]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-11-12 66664]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.allkpop.com/category/music
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 10:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-10 10:42:10
ComboFix-quarantined-files.txt 2010-04-10 17:42
ComboFix2.txt 2010-03-27 20:12
ComboFix3.txt 2010-01-24 00:38

Pre-Run: 166,675,718,144 bytes free
Post-Run: 166,650,728,448 bytes free

- - End Of File - - BAB8E1AF9777C2AB75805C7FBC7955D4
Upload was successful
  • 0

#25
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  • 0

#26
erikc4l

    Member

  • Topic Starter
  • Member
  • 116 posts
OTL logfile created on: 4/10/2010 9:14:44 PM - Run 7
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Erik Tran\Desktop\GeekstoGo
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 66.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.01 Gb Total Space | 154.57 Gb Free Space | 69.62% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.76 Gb Free Space | 16.15% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ERIKTRAN-PC
Current User Name: Erik Tran
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/08 20:19:28 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/24 15:58:27 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Erik Tran\Desktop\GeekstoGo\OTL.exe
PRC - [2010/03/08 14:04:49 | 003,972,440 | ---- | M] (AOL Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2009/11/20 16:46:32 | 000,175,888 | ---- | M] () -- C:\Program Files\IObit\Game Booster\gbtray.exe
PRC - [2009/11/12 17:33:04 | 010,358,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2009/09/30 20:58:42 | 000,026,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/02/06 19:21:00 | 000,583,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\wlcsdk.exe
PRC - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe
PRC - [2008/08/05 11:19:40 | 000,025,256 | ---- | M] () -- C:\Program Files\Lexmark X5400 Series\lxdvamon.exe
PRC - [2008/07/24 06:33:53 | 000,594,600 | ---- | M] ( ) -- C:\Windows\System32\lxdvcoms.exe
PRC - [2008/01/20 19:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/03/24 15:58:27 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Erik Tran\Desktop\GeekstoGo\OTL.exe
MOD - [2008/01/20 19:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Norton Internet Security)
SRV - [2010/01/06 09:13:00 | 003,478,288 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/07/24 06:33:53 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxdvcoms.exe -- (lxdv_device)
SRV - [2008/07/24 06:33:43 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe -- (lxdvCATSCustConnectService)
SRV - [2008/01/20 19:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...ion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...ion&pf=cnnb
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.allkpop.c...category/music"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/08 20:19:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/08 20:19:31 | 000,000,000 | ---D | M]

[2009/12/13 09:41:06 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Extensions
[2010/04/10 14:50:52 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions
[2010/01/16 14:54:42 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/01/16 12:09:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{6ad56361-628f-471b-8f9d-4c338973a87d}
[2010/01/12 17:59:02 | 000,000,000 | ---D | M] (AOL Radio Toolbar) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{6ad56361-628f-471b-8f9d-4c338973a87d}(97)
[2010/02/03 17:45:23 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/01/08 16:58:55 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/12/13 12:23:24 | 000,002,283 | ---- | M] () -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\searchplugins\aol-search.xml
[2010/04/10 14:50:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/03 00:34:44 | 000,083,376 | ---- | M] (NHN USA Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
[2009/12/13 09:56:15 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2010/03/27 13:08:24 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [lxdvamon] C:\Program Files\Lexmark X5400 Series\lxdvamon.exe ()
O4 - HKLM..\Run: [lxdvmon.exe] C:\Program Files\Lexmark X5400 Series\lxdvmon.exe ()
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [WindowsLivePhone] C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe (Microsoft Corporation)
O4 - HKCU..\Run: [WindowsLivePhone] C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Erik Tran\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Erik Tran\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/10 11:31:25 | 000,000,000 | ---D | C] -- C:\Users\Erik Tran\Desktop\rBot_4
[2010/04/10 10:42:52 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/04/10 10:42:51 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/04/10 10:42:51 | 000,000,000 | ---D | C] -- C:\Users\Erik Tran\AppData\Local\temp
[2010/04/10 10:32:50 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/04/10 10:32:50 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/04/10 10:32:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/04/10 10:32:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/02/01 22:49:04 | 001,069,056 | ---- | C] ( ) -- C:\Windows\System32\lxdvserv.dll
[2010/02/01 22:49:04 | 000,954,368 | ---- | C] ( ) -- C:\Windows\System32\lxdvusb1.dll
[2010/02/01 22:49:04 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxdvpmui.dll
[2010/02/01 22:49:04 | 000,438,272 | ---- | C] ( ) -- C:\Windows\System32\LXDVhcp.dll
[2010/02/01 22:49:04 | 000,360,448 | ---- | C] ( ) -- C:\Windows\System32\lxdvinpa.dll
[2010/02/01 22:49:04 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxdviesc.dll
[2010/02/01 22:49:04 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\lxdvprox.dll
[2010/02/01 22:49:03 | 000,569,344 | ---- | C] ( ) -- C:\Windows\System32\lxdvlmpm.dll
[2010/02/01 22:49:02 | 000,663,552 | ---- | C] ( ) -- C:\Windows\System32\lxdvhbn3.dll
[2010/02/01 22:49:01 | 000,851,968 | ---- | C] ( ) -- C:\Windows\System32\lxdvcomc.dll
[2010/02/01 22:49:01 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxdvcomm.dll

========== Files - Modified Within 14 Days ==========

[2010/04/10 21:16:23 | 002,621,440 | -HS- | M] () -- C:\Users\Erik Tran\NTUSER.DAT
[2010/04/10 21:04:22 | 000,029,902 | ---- | M] () -- C:\Users\Erik Tran\Desktop\2-19.gif
[2010/04/10 20:46:34 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/10 20:46:34 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/10 20:37:26 | 000,053,307 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/04/10 20:37:23 | 000,053,307 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/04/10 12:24:41 | 002,164,562 | -H-- | M] () -- C:\Users\Erik Tran\AppData\Local\IconCache.db
[2010/04/10 10:51:24 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/10 10:51:24 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/10 10:51:24 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/10 10:46:55 | 000,002,337 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2010/04/10 10:46:34 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/10 10:46:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/10 10:46:29 | 2951,036,928 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/10 10:45:48 | 000,524,288 | -HS- | M] () -- C:\Users\Erik Tran\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/04/10 10:45:48 | 000,065,536 | -HS- | M] () -- C:\Users\Erik Tran\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/04/10 10:40:19 | 000,000,251 | ---- | M] () -- C:\Windows\system.ini
[2010/04/10 10:32:17 | 003,911,419 | R--- | M] () -- C:\Users\Erik Tran\Desktop\Combo-Fix.exe
[2010/04/09 22:39:11 | 000,000,792 | ---- | M] () -- C:\Users\Erik Tran\Desktop\NudieStory - Shortcut.lnk

========== Files Created - No Company Name ==========

[2010/04/10 21:04:22 | 000,029,902 | ---- | C] () -- C:\Users\Erik Tran\Desktop\2-19.gif
[2010/04/10 10:32:50 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/04/10 10:32:50 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/04/10 10:32:49 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/04/10 10:32:49 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/04/10 10:32:49 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/04/10 10:32:07 | 003,911,419 | R--- | C] () -- C:\Users\Erik Tran\Desktop\Combo-Fix.exe
[2010/04/09 22:39:11 | 000,000,792 | ---- | C] () -- C:\Users\Erik Tran\Desktop\NudieStory - Shortcut.lnk
[2010/03/13 21:25:31 | 000,000,680 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\d3d9caps.dat
[2010/03/07 09:22:30 | 000,003,584 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/01 22:52:04 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdvcoin.dll
[2010/02/01 22:49:17 | 000,000,060 | ---- | C] () -- C:\Windows\System32\lxdvrwrd.ini
[2010/02/01 22:49:05 | 000,348,160 | ---- | C] () -- C:\Windows\System32\LXDVinst.dll
[2010/02/01 22:49:02 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdvgrd.dll
[2009/12/13 11:54:20 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/12/13 09:11:12 | 000,053,307 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/12/13 09:11:07 | 000,053,307 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/12/13 09:08:08 | 000,000,000 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\QSwitch.txt
[2009/12/13 09:08:08 | 000,000,000 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\DSwitch.txt
[2009/12/13 09:08:08 | 000,000,000 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\AtStart.txt
[2009/12/13 06:25:22 | 000,000,105 | ---- | C] () -- C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
[2009/12/13 06:25:10 | 000,000,032 | ---- | C] () -- C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
[2009/12/13 06:24:44 | 000,000,032 | ---- | C] () -- C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
[2009/12/13 06:24:05 | 000,000,032 | ---- | C] () -- C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
[2009/12/13 06:22:45 | 000,000,032 | ---- | C] () -- C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
[2009/12/13 06:22:00 | 000,000,246 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/10/25 17:10:11 | 000,000,109 | ---- | C] () -- C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
[2008/10/25 17:03:58 | 000,000,110 | ---- | C] () -- C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
[2008/10/25 17:01:59 | 000,000,105 | ---- | C] () -- C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
[2008/10/25 17:00:34 | 000,000,107 | ---- | C] () -- C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
[2008/10/08 16:05:06 | 000,010,752 | ---- | C] () -- C:\Windows\System32\rcmirror.dll
[2008/07/15 23:49:37 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxdvvs.dll
[2008/01/14 18:47:06 | 000,099,712 | ---- | C] () -- C:\Windows\HPBroker.dll
[2007/09/06 13:40:36 | 000,692,224 | ---- | C] () -- C:\Windows\System32\lxdvdrs.dll
[2007/08/10 12:49:54 | 000,065,536 | ---- | C] () -- C:\Windows\System32\lxdvcaps.dll
[2007/07/16 10:53:09 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdvcnv4.dll
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 02:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/12/13 09:57:44 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\acccore
[2010/01/13 00:05:36 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Datarescue
[2010/01/03 10:12:37 | 000,000,000 | -H-D | M] -- C:\Users\Erik Tran\AppData\Roaming\ijjigame
[2010/02/01 22:54:37 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Lexmark Productivity Studio
[2010/02/01 15:30:39 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Mael
[2010/03/21 20:24:25 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\ManyCam
[2010/03/18 18:06:27 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\MySQL
[2010/02/03 17:52:31 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Nexon
[2010/03/17 21:14:57 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\nHancer
[2010/03/04 19:33:51 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Subversion
[2010/01/23 11:37:30 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\SystemRequirementsLab
[2010/01/19 22:43:08 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\TeamViewer
[2010/03/07 09:28:10 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\VSO
[2010/04/10 10:45:43 | 000,032,596 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:D06A4C76
< End of report >
  • 0

#27
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
Step 1

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Step 2

Update MalwareBytes Antimalware and Run a quick Scan.
Post the log it produces

Step 3

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Next

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply


Step 4

Things I would like to see in your reply:
  • Malwarebytes Results.
  • Kaspersky WebScanner Report
  • Update on how your computer is running

  • 0

#28
erikc4l

    Member

  • Topic Starter
  • Member
  • 116 posts
Thanks for replying. My computer has been running fine ever since I found the virus and it's still running the same way. Here are the logs you requested. Sorry it took a while.

MBAM Log
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

4/11/2010 11:27:07 AM
mbam-log-2010-04-11 (11-27-07).txt

Scan type: Quick scan
Objects scanned: 105561
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky WebScanner Report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, April 11, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, April 11, 2010 15:38:17
Records in database: 3935619
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 125738
Threats found: 4
Infected objects found: 43
Suspicious objects found: 0
Scan duration: 04:43:33


File name / Threat / Threats count
C:\Counter-Strike 2D\cs2d_dedicated.exe Infected: Virus.Win32.Sality.ab 1
C:\Fraps\fraps.exe Infected: Virus.Win32.Sality.ab 1
C:\Fraps\uninstall.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\BIN\BTBExec.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\BIN\devcon.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\BIN\EndProcess.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\BIN\HPLocale.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\BIN\HPQSI.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\BIN\Locale.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\BIN\Sleep.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\BIN\WizInstaller.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\HPQWare\BTBHost\AddGadgets.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\HPQWare\BTBHost\BuildWC.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\HPQWare\BTBHost\SetEnv.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\HPQWare\EasySetup\VCWMerge.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\HPQWare\HPAdvisor\Primer.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\HPQWare\HPAdvisor\TotalMemory.exe Infected: Virus.Win32.Sality.ab 1
C:\Nexon\Mabinogi\ngmsetupus.exe Infected: Virus.Win32.Sality.ab 1
C:\Nexon\Mabinogi\Tiara's Moonshine Mod G8S5-V55 Uninstaller.exe Infected: Virus.Win32.Sality.ab 1
C:\Nexon\Mabinogi\Tiara's Moonshine Mod G9S1-V56 Uninstaller.exe Infected: Virus.Win32.Sality.ab 1
C:\Nexon\MapleStory\hshield\hslogmgr.exe Infected: Virus.Win32.Sality.ab 1
C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\Twain\TWUNK_32.EXE Infected: Virus.Win32.Sality.ab 1
C:\Program Files\Abbyy FineReader 6.0 Sprint\Support\Ainfo.exe Infected: Virus.Win32.Sality.ab 1
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe Infected: Virus.Win32.Sality.ab 1
C:\Qoobox\Quarantine\C\Windows\System32\in675609.dl_.vir Infected: Trojan.Win32.KillAV.nh 1
C:\Qoobox\Quarantine\C\Windows\System32\tl584457.dll.vir Infected: Trojan.Win32.KillAV.nh 1
C:\Qoobox\Quarantine\C\Windows\System32\tl584457.dl_.vir Infected: Trojan.Win32.KillAV.nh 1
C:\Qoobox\Quarantine\[4]-Submit_2010-04-10_10.34.32.zip Infected: Trojan.Win32.KillAV.nh 2
C:\Users\Erik Tran\Desktop\GeekstoGo\avz4\avz4\Quarantine\2010-03-27\avz00001.dta Infected: Trojan.Win32.KillAV.nh 1
C:\Users\Erik Tran\Desktop\GeekstoGo\avz4\avz4\Quarantine\2010-03-27\avz00002.dta Infected: Trojan.Win32.KillAV.nh 1
C:\Users\Erik Tran\Desktop\Random\MapleStory\v75\AkaiMS.exe Infected: Virus.Win32.Sality.ab 1
C:\Users\Erik Tran\Desktop\Random\MapleStory\v75\AkaiMS2.exe Infected: Trojan-GameThief.Win32.OnLineGames.wbxl 1
C:\Users\Erik Tran\Desktop\rBot_4\UpdateAPI.dll Infected: Trojan.Win32.Genome.gggl 1
C:\_OTL\MovedFiles\03242010_160229\C_Windows\System32\in675609.dl_ Infected: Trojan.Win32.KillAV.nh 1
C:\_OTL\MovedFiles\03242010_160229\C_Windows\System32\tl584457.dl_ Infected: Trojan.Win32.KillAV.nh 1
C:\_OTL\MovedFiles\03262010_141544\C_Windows\System32\ry675609.dll Infected: Trojan.Win32.KillAV.nh 1
C:\_OTL\MovedFiles\03262010_141544\C_Windows\System32\ry675609.dl_ Infected: Trojan.Win32.KillAV.nh 1
C:\_OTL\MovedFiles\03262010_141544\C_Windows\System32\tl584457.dll Infected: Trojan.Win32.KillAV.nh 1
C:\_OTL\MovedFiles\03262010_141544\C_Windows\System32\tl584457.dl_ Infected: Trojan.Win32.KillAV.nh 1
C:\_OTL\MovedFiles\03272010_094956\C_Windows\System32\tl584457.dl_ Infected: Trojan.Win32.KillAV.nh 1
D:\boot\BOOTSECT.EXE Infected: Virus.Win32.Sality.ab 1
D:\HP\RECOVERY\RestoreWiz.exe Infected: Virus.Win32.Sality.ab 1

Selected area has been scanned.
  • 0
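The Kaspersky report above lists 43 infected objects, but reading it as a flat list hides the point a responder needs: most of the Trojan.Win32.KillAV hits sit inside ComboFix, OTL and AVZ quarantine folders (files already neutralised by earlier steps), while every Virus.Win32.Sality hit is a live, legitimate executable that the file infector has attached itself to. The following script is an added example, not code from the thread or from Kaspersky, that parses the report's "File name / Threat / Threats count" lines and separates leftovers from active infections. The sample report is a constructed subset of the lines shown above; the quarantine-folder markers and the "drop the variant suffix to get the family" rule are this example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner 7.0 results list.

Constructed sample: a subset of the 'File name / Threat / Threats count'
lines from the scan report above. The helper functions, the quarantine
markers and the family grouping are assumptions made for this example;
they are not Kaspersky's own logic.
"""
import re
from collections import defaultdict
from typing import List, NamedTuple

# One result line. The path is matched lazily so paths containing spaces
# still parse, because the threat name and count are anchored to the end.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Folders where the removal tools used in this thread park files they have
# already neutralised. A hit under one of these is a leftover, not a live
# threat. (Assumed markers, lower-cased for case-insensitive matching.)
QUARANTINE_MARKERS = (
    "\\qoobox\\quarantine\\",   # ComboFix
    "\\_otl\\movedfiles\\",     # OTL
    "\\avz4\\quarantine\\",     # AVZ
)

SAMPLE_REPORT = r"""File name / Threat / Threats count
C:\Fraps\fraps.exe Infected: Virus.Win32.Sality.ab 1
C:\HP\BIN\devcon.exe Infected: Virus.Win32.Sality.ab 1
C:\Nexon\Mabinogi\Tiara's Moonshine Mod G8S5-V55 Uninstaller.exe Infected: Virus.Win32.Sality.ab 1
C:\Qoobox\Quarantine\C\Windows\System32\tl584457.dll.vir Infected: Trojan.Win32.KillAV.nh 1
C:\Qoobox\Quarantine\[4]-Submit_2010-04-10_10.34.32.zip Infected: Trojan.Win32.KillAV.nh 2
C:\_OTL\MovedFiles\03262010_141544\C_Windows\System32\ry675609.dll Infected: Trojan.Win32.KillAV.nh 1
C:\Users\Erik Tran\Desktop\Random\MapleStory\v75\AkaiMS2.exe Infected: Trojan-GameThief.Win32.OnLineGames.wbxl 1
D:\boot\BOOTSECT.EXE Infected: Virus.Win32.Sality.ab 1

Selected area has been scanned.
"""


class Hit(NamedTuple):
    path: str
    threat: str
    count: int
    quarantined: bool


def parse_report(text: str) -> List[Hit]:
    """Return one Hit per result line; header, blank and trailer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        low = path.lower()
        quarantined = any(marker in low for marker in QUARANTINE_MARKERS)
        hits.append(Hit(path, m.group("threat"), int(m.group("count")), quarantined))
    return hits


def family(threat: str) -> str:
    """Kaspersky names are Type.Platform.Family.Variant; keep the first three parts."""
    return ".".join(threat.split(".")[:3])


def triage(hits: List[Hit]) -> dict:
    """Group paths by threat family into 'active' and 'quarantined' lists."""
    out = defaultdict(lambda: {"active": [], "quarantined": []})
    for h in hits:
        bucket = "quarantined" if h.quarantined else "active"
        out[family(h.threat)][bucket].append(h.path)
    return dict(out)


def active_file_infector_hosts(hits: List[Hit], infector="Virus.Win32.Sality") -> List[str]:
    """Live executables a file infector has attached to.

    These are legitimate programs carrying the virus body, so they must be
    disinfected or reinstalled from clean media; deleting them only removes
    the host program, and any that are left untouched will reinfect the rest.
    """
    return [h.path for h in hits if not h.quarantined and family(h.threat) == infector]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for fam, groups in triage(found).items():
        print(f"{fam}: {len(groups['active'])} active, {len(groups['quarantined'])} quarantined")
    print("file-infector hosts still live:", active_file_infector_hosts(found))
```

Run against the sample, the triage shows three KillAV leftovers that need no further action beyond emptying the quarantine folders, one game-theft trojan on the desktop, and four live Sality hosts including D:\boot\BOOTSECT.EXE on the recovery partition, which is why the helper's next step is a dedicated disinfector rather than another delete-on-sight scan.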

#29
ali.B

    Trusted Helper

  • Malware Removal
  • 3,086 posts
hi

looks like there is still some work to do

Step 1

Download SalityKiller.zip from Here and Extract SalityKiller.exe to C:\
  • Click Start > Run
  • Type in the run box the following:

    c:\salitykiller.exe -a -j -k -l c:\SKreport.txt

  • A black screen will appear and start the scan
  • Once it's done, it will ask you Press any key to continue. Please do press any key
  • Go to C:\ then locate SKreport.log, post the contents of SKreport.log in your next reply.

Step 2

Delete your current copy of ComboFix

Then

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt


Step 3

Download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow Posted Image at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    Posted Image
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    Posted Image
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Step 4

Things I would like to see in your reply:
  • SalityKiller Log SKreport.txt
  • Combofix Log
  • DrWeb CureIt Log

  • 0

#30
erikc4l

erikc4l

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 116 posts
I have a few questions before following the above instructions. I play on private servers on a game and some of them have false viruses, but I don't want to delete the files for the game as the files do work. The files are located at C:\Users\Erik Tran\Desktop\Random\MapleStory\, so my question is: would the instructions be deleting the files in the specified location? Actually, never mind that, but could you specify in your instructions in the future what files might be removed? Here are the logs though. My computer is running a lot differently, in a bad way, after running SalityKiller: after I ran that and it completed, I then ran Combofix. After Combofix completed I couldn't open any programs, as it just showed an error message stating something similar to 'Illegal registry key for deletion' or something like that. So I did a restart, and as I opened 'Windows Live Messenger' my Display Picture/Avatar on the login screen disappeared. I did not try logging in, so could you please explain why this is happening?

SKreport.txt
15:46:03:290 3376 scanning threads ...
15:46:08:369 3376
15:46:08:369 3376 scanning processes ...
15:46:08:596 3376
15:46:08:596 3376 removing autorun.inf files ...
15:46:08:599 3376
15:46:08:599 3376 Disabling autorun on all drive types
15:46:08:600 0448
Monitoring thread started
15:46:08:602 3376
15:46:08:602 3376 restoring SafeBoot registry node
15:46:08:603 3376 Restoring safe/network boot registry branches for windows Vista/2008
15:46:08:618 3376
15:46:08:618 3376 fixing registry ...
15:46:08:620 3376 SalityRegCure: Restoring general registry keys
15:46:08:626 3376 SalityRegCure: Fixing system.ini
15:46:08:628 3376
15:46:08:628 3376 scanning drives ...
15:46:08:629 3376 scanning C:\ ...
16:47:49:431 3376 scanning D:\ ...
16:48:00:484 3376
16:48:15:080 0448
Monitoring thread stopped
16:48:15:109 3376
completed
16:48:15:132 3376 Infected files: 0
16:48:15:135 3376 Infected processes: 0
16:48:15:158 3376 Infected threads: 0
16:48:15:161 3376 Cured files: 0
16:48:15:182 3376 Executed registry scripts: 1

Combofix Log
ComboFix 10-04-12.01 - Erik Tran 04/12/2010 17:01:25.9.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1571 [GMT -7:00]
Running from: c:\users\Erik Tran\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-13 00:10 . 2010-04-13 00:10 -------- d-----w- c:\users\Erik Tran\AppData\Local\temp
2010-04-13 00:10 . 2010-04-13 00:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-13 00:10 . 2010-04-13 00:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-12 20:54 . 2010-04-08 16:06 157520 ----a-w- C:\SalityKiller.exe
2010-04-11 23:53 . 2010-04-11 23:53 81920 ----a-w- c:\windows\system32\tl584457.dll
2010-03-27 18:56 . 2010-03-27 18:56 -------- d-----w- c:\program files\Speccy
2010-03-27 16:46 . 2010-03-27 16:46 -------- d-----w- c:\program files\Common Files\Skype
2010-03-25 00:12 . 2010-03-25 00:12 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-03-24 23:20 . 2010-04-11 18:22 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-24 23:02 . 2010-03-24 23:02 -------- d-----w- C:\_OTL
2010-03-24 13:10 . 2010-03-24 13:10 -------- d-----w- c:\programdata\InstallShield
2010-03-24 05:36 . 2009-07-03 07:34 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2010-03-24 05:36 . 2009-07-03 07:34 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2010-03-24 05:36 . 2009-07-01 17:25 61440 ----a-w- c:\windows\system32\uc_atlantica_launching.dll
2010-03-24 05:36 . 2009-04-01 00:43 53248 ----a-w- c:\windows\system32\uc_luminary_launching.dll
2010-03-24 05:36 . 2009-07-03 07:34 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2010-03-24 05:36 . 2009-01-29 18:53 87472 ----a-w- c:\windows\system32\ijjiChannelingPlugin.dll
2010-03-22 03:22 . 2010-03-22 03:24 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\ManyCam
2010-03-22 03:22 . 2010-03-22 03:22 -------- d-----w- c:\program files\Ask.com
2010-03-19 21:07 . 2010-03-19 21:07 -------- d-----w- c:\program files\IObit
2010-03-18 02:03 . 2010-03-18 04:18 -------- d-----w- C:\Abyss Web Server
2010-03-18 00:05 . 2010-03-18 00:05 -------- d-----w- c:\program files\TortoiseSVN
2010-03-18 00:05 . 2010-03-18 00:05 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2010-03-17 01:08 . 2010-03-18 04:14 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\nHancer
2010-03-17 01:05 . 2010-03-17 01:08 -------- d-----w- c:\programdata\nHancer
2010-03-15 22:02 . 2010-03-20 17:20 -------- d-----w- C:\Temp
2010-03-15 21:55 . 2010-03-15 21:55 -------- d-----w- c:\program files\THQICE
2010-03-14 18:36 . 2010-03-14 18:36 -------- d-----w- c:\users\Erik Tran\AppData\Local\WLDM
2010-03-14 04:25 . 2010-03-14 04:25 680 ----a-w- c:\users\Erik Tran\AppData\Local\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 23:20 . 2009-12-13 16:11 53307 ----a-w- c:\programdata\nvModes.dat
2010-04-12 06:24 . 2009-12-13 16:46 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Skype
2010-04-12 02:17 . 2009-12-13 16:48 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\skypePM
2010-04-11 18:38 . 2010-02-20 18:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-11 18:38 . 2010-04-11 18:38 0 ----a-w- c:\windows\system32\REN84AB.tmp
2010-04-11 18:38 . 2010-04-11 18:38 0 ----a-w- c:\windows\system32\REN84AA.tmp
2010-04-11 18:38 . 2010-04-11 18:38 0 ----a-w- c:\windows\system32\REN84A9.tmp
2010-04-11 18:34 . 2008-10-26 00:13 -------- d-----w- c:\program files\Java
2010-04-11 18:22 . 2009-12-13 18:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 07:46 . 2009-12-13 18:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-12-13 18:55 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 19:55 . 2008-10-25 22:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 18:55 . 2009-12-15 01:37 -------- d-----w- c:\program files\CCleaner
2010-03-25 00:13 . 2009-12-13 16:55 -------- d-----w- c:\program files\AIM
2010-03-24 13:03 . 2008-10-25 22:50 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-24 03:50 . 2009-12-13 16:06 75264 ----a-w- c:\users\Erik Tran\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-19 01:06 . 2010-03-05 02:46 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\MySQL
2010-03-14 18:36 . 2009-12-13 17:27 -------- d-----w- c:\program files\Windows Live
2010-03-13 03:13 . 2009-12-13 18:06 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Apple Computer
2010-03-13 03:09 . 2009-12-13 18:02 -------- d-----w- c:\programdata\Apple
2010-03-09 23:05 . 2010-03-09 23:05 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-03-09 22:49 . 2010-03-09 22:49 -------- d-----w- c:\program files\dumps
2010-03-07 16:28 . 2010-03-07 16:26 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\VSO
2010-03-07 01:28 . 2010-03-07 01:28 -------- d-----w- c:\program files\Common Files\Java
2010-03-05 03:53 . 2010-01-20 05:09 -------- d-----w- c:\program files\TeamViewer
2010-03-05 02:43 . 2010-03-05 02:43 -------- d-----w- c:\program files\Sun
2010-03-05 02:41 . 2010-03-05 02:41 -------- d-----w- c:\program files\MySQL
2010-03-05 02:35 . 2010-03-05 02:35 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\TortoiseSVN
2010-03-05 02:33 . 2010-03-05 02:33 -------- d-----w- c:\users\Erik Tran\AppData\Roaming\Subversion
2010-02-25 04:47 . 2010-02-25 04:47 1585608 ----a-w- c:\programdata\Skype\Plugins\Plugins\F35E193DC3E84933B83DE961D9AC33BF\SketchPad.exe
2010-02-24 03:16 . 2010-02-24 03:03 41 ----a-w- c:\users\Erik Tran\jagex_runescape_preferences.dat
2010-02-24 03:08 . 2010-02-24 03:05 69 ----a-w- c:\users\Erik Tran\jagex_runescape_preferences2.dat
2010-02-23 03:26 . 2010-02-23 03:26 147456 ----a-w- c:\windows\system32\uc_neosteam_launching.dll
2010-02-22 23:08 . 2010-02-22 23:05 -------- d-----w- c:\programdata\NexonUS
2010-02-22 23:05 . 2010-02-22 23:05 98304 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2010-02-22 23:05 . 2010-02-22 23:05 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-02-22 23:05 . 2010-02-22 23:05 401408 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2010-02-22 23:05 . 2010-02-22 23:05 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2010-02-22 23:05 . 2010-02-22 23:05 172032 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2010-02-22 23:05 . 2010-02-22 23:05 126976 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2010-02-14 18:43 . 2010-02-14 03:41 -------- d-----w- c:\program files\Google
2010-01-23 21:14 . 2008-01-21 02:23 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2010-01-23 18:37 . 2010-01-23 18:37 138240 ----a-w- c:\users\Erik Tran\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2010-01-22 17:24 . 2010-01-22 17:24 64000 ----a-w- c:\windows\system32\uc_sfighters_launching.dll
2008-10-25 23:12 . 2008-10-25 22:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-03-26_21.32.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-04-12 20:52 45068 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-04-12 20:52 89180 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-13 16:18 . 2010-04-12 20:52 10430 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3384556573-3205605897-1395993902-1000_UserData.bin
+ 2009-12-13 16:04 . 2010-04-12 22:56 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-13 16:04 . 2010-03-25 00:13 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-18 21:50 . 2010-03-25 00:13 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-12 22:56 . 2010-04-12 22:56 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-13 16:04 . 2010-03-25 00:13 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-13 16:04 . 2010-04-12 22:56 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-26 21:16 . 2010-03-26 21:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-04-12 20:50 . 2010-04-12 20:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-03-26 21:16 . 2010-03-26 21:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-12 20:50 . 2010-04-12 20:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2010-03-26 21:22 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-04-12 20:56 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-04-12 20:56 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-03-26 21:22 101350 c:\windows\System32\perfc009.dat
- 2010-03-07 01:26 . 2010-03-07 01:25 153376 c:\windows\System32\javaws.exe
+ 2010-04-11 18:38 . 2010-04-11 18:38 153376 c:\windows\System32\javaws.exe
+ 2010-04-11 18:38 . 2010-04-11 18:38 145184 c:\windows\System32\javaw.exe
- 2010-03-07 01:26 . 2010-03-07 01:25 145184 c:\windows\System32\javaw.exe
- 2010-03-07 01:26 . 2010-03-07 01:25 145184 c:\windows\System32\java.exe
+ 2010-04-11 18:38 . 2010-04-11 18:38 145184 c:\windows\System32\java.exe
+ 2010-04-11 18:38 . 2010-04-11 18:38 577536 c:\windows\Installer\f2e7d.msi
+ 2010-03-27 16:48 . 2010-03-27 16:48 700416 c:\windows\Installer\1c533.msi
- 2009-12-13 16:45 . 2009-12-13 16:45 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2010-03-27 16:46 . 2010-03-27 16:46 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2010-03-27 16:46 . 2010-03-27 16:46 1575936 c:\windows\Installer\1c52a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 126976]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"lxdvmon.exe"="c:\program files\Lexmark X5400 Series\lxdvmon.exe" [2008-08-05 455336]
"lxdvamon"="c:\program files\Lexmark X5400 Series\lxdvamon.exe" [2008-08-05 25256]
"WindowsLivePhone"="c:\program files\Windows Live\Device Manager\msgrdvmn.exe" [2008-12-22 787816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [2008-07-24 98984]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-01-06 3478288]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2008-10-08 3328]
S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2008-07-24 594600]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-11-12 66664]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.allkpop.com/category/music
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 17:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-12 17:14:51
ComboFix-quarantined-files.txt 2010-04-13 00:14
ComboFix2.txt 2010-04-10 17:42
ComboFix3.txt 2010-03-27 20:12
ComboFix4.txt 2010-01-24 00:38

Pre-Run: 167,012,593,664 bytes free
Post-Run: 167,114,215,424 bytes free

- - End Of File - - E90916F263C6425B2CC4788985F3FF27

I uploaded the 'DrWeb CureIt' log to mediafire, as I don't have Excel installed and I can't attach that file on here. Hope that is fine. http://www.mediafire.com/?ntzyyoktuye

OTL Log
OTL logfile created on: 4/13/2010 1:53:17 PM - Run 8
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Erik Tran\Desktop\GeekstoGo
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.01 Gb Total Space | 155.76 Gb Free Space | 70.16% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.76 Gb Free Space | 16.15% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ERIKTRAN-PC
Current User Name: Erik Tran
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/08 20:19:28 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/24 15:58:27 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Erik Tran\Desktop\GeekstoGo\OTL.exe
PRC - [2008/12/22 14:59:20 | 000,787,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe
PRC - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe
PRC - [2008/08/05 11:19:41 | 000,455,336 | ---- | M] () -- C:\Program Files\Lexmark X5400 Series\lxdvmon.exe
PRC - [2008/08/05 11:19:40 | 000,025,256 | ---- | M] () -- C:\Program Files\Lexmark X5400 Series\lxdvamon.exe
PRC - [2008/07/24 06:33:53 | 000,594,600 | ---- | M] ( ) -- C:\Windows\System32\lxdvcoms.exe
PRC - [2008/01/20 19:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/03/24 15:58:27 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\Erik Tran\Desktop\GeekstoGo\OTL.exe
MOD - [2008/01/20 19:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Norton Internet Security)
SRV - [2010/01/06 09:13:00 | 003,478,288 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/07/24 06:33:53 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxdvcoms.exe -- (lxdv_device)
SRV - [2008/07/24 06:33:43 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe -- (lxdvCATSCustConnectService)
SRV - [2008/01/20 19:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...ion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...ion&pf=cnnb
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.allkpop.c...category/music"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/08 20:19:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/08 20:19:31 | 000,000,000 | ---D | M]

[2009/12/13 09:41:06 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Extensions
[2010/04/12 15:03:24 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions
[2010/01/16 14:54:42 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/01/16 12:09:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{6ad56361-628f-471b-8f9d-4c338973a87d}
[2010/01/12 17:59:02 | 000,000,000 | ---D | M] (AOL Radio Toolbar) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{6ad56361-628f-471b-8f9d-4c338973a87d}(97)
[2010/02/03 17:45:23 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/01/08 16:58:55 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/12/13 12:23:24 | 000,002,283 | ---- | M] () -- C:\Users\Erik Tran\AppData\Roaming\Mozilla\Firefox\Profiles\4vnfz2sn.default\searchplugins\aol-search.xml
[2010/04/12 15:03:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/03 00:34:44 | 000,083,376 | ---- | M] (NHN USA Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
[2009/12/13 09:56:15 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2010/03/27 13:08:24 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [lxdvamon] C:\Program Files\Lexmark X5400 Series\lxdvamon.exe ()
O4 - HKLM..\Run: [lxdvmon.exe] C:\Program Files\Lexmark X5400 Series\lxdvmon.exe ()
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [WindowsLivePhone] C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe (Microsoft Corporation)
O4 - HKCU..\Run: [WindowsLivePhone] C:\Program Files\Windows Live\Device Manager\msgrdvmn.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Erik Tran\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Erik Tran\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/12 17:26:38 | 000,000,000 | ---D | C] -- C:\Users\Erik Tran\DoctorWeb
[2010/04/12 17:14:53 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/04/12 17:14:53 | 000,000,000 | ---D | C] -- C:\Users\Erik Tran\AppData\Local\temp
[2010/04/12 17:13:40 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/04/12 16:57:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/04/12 13:54:16 | 000,157,520 | ---- | C] (Kaspersky Lab) -- C:\SalityKiller.exe
[2010/04/11 11:27:48 | 000,000,000 | ---D | C] -- C:\Users\Erik Tran\Desktop\logs aprill 11
[2010/04/11 11:19:39 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\Erik Tran\Desktop\TFC.exe
[2010/04/10 11:31:25 | 000,000,000 | ---D | C] -- C:\Users\Erik Tran\Desktop\rBot_4
[2010/04/10 10:32:50 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/04/10 10:32:50 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/04/10 10:32:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/02/01 22:49:04 | 001,069,056 | ---- | C] ( ) -- C:\Windows\System32\lxdvserv.dll
[2010/02/01 22:49:04 | 000,954,368 | ---- | C] ( ) -- C:\Windows\System32\lxdvusb1.dll
[2010/02/01 22:49:04 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxdvpmui.dll
[2010/02/01 22:49:04 | 000,438,272 | ---- | C] ( ) -- C:\Windows\System32\LXDVhcp.dll
[2010/02/01 22:49:04 | 000,360,448 | ---- | C] ( ) -- C:\Windows\System32\lxdvinpa.dll
[2010/02/01 22:49:04 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxdviesc.dll
[2010/02/01 22:49:04 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\lxdvprox.dll
[2010/02/01 22:49:03 | 000,569,344 | ---- | C] ( ) -- C:\Windows\System32\lxdvlmpm.dll
[2010/02/01 22:49:02 | 000,663,552 | ---- | C] ( ) -- C:\Windows\System32\lxdvhbn3.dll
[2010/02/01 22:49:01 | 000,851,968 | ---- | C] ( ) -- C:\Windows\System32\lxdvcomc.dll
[2010/02/01 22:49:01 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxdvcomm.dll
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/13 13:53:22 | 002,621,440 | -HS- | M] () -- C:\Users\Erik Tran\NTUSER.DAT
[2010/04/13 13:51:58 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/13 13:51:58 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/13 13:51:58 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/13 13:48:00 | 000,053,307 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/04/13 13:48:00 | 000,053,307 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/04/13 13:47:24 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/13 13:47:24 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/13 13:47:19 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/13 13:47:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/13 13:47:14 | 2951,098,368 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/13 06:08:37 | 000,524,288 | -HS- | M] () -- C:\Users\Erik Tran\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/04/13 06:08:37 | 000,065,536 | -HS- | M] () -- C:\Users\Erik Tran\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/04/13 06:08:32 | 002,167,738 | -H-- | M] () -- C:\Users\Erik Tran\AppData\Local\IconCache.db
[2010/04/13 06:08:05 | 000,002,918 | ---- | M] () -- C:\Users\Erik Tran\Desktop\DrWeb.csv
[2010/04/12 21:32:58 | 000,001,895 | ---- | M] () -- C:\Windows\System32\msexcr.ini
[2010/04/12 17:22:29 | 037,309,680 | ---- | M] () -- C:\Users\Erik Tran\Desktop\drweb-cureit.exe
[2010/04/12 17:10:45 | 000,000,229 | ---- | M] () -- C:\Windows\system.ini
[2010/04/12 16:57:48 | 003,912,873 | R--- | M] () -- C:\Users\Erik Tran\Desktop\Combo-Fix.exe
[2010/04/11 22:40:30 | 000,000,770 | ---- | M] () -- C:\Users\Erik Tran\Desktop\AkaiMS - Shortcut.lnk
[2010/04/11 19:17:29 | 000,002,337 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2010/04/11 11:19:40 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\Erik Tran\Desktop\TFC.exe
[2010/04/10 21:04:22 | 000,029,902 | ---- | M] () -- C:\Users\Erik Tran\Desktop\2-19.gif
[2010/04/09 22:39:11 | 000,000,792 | ---- | M] () -- C:\Users\Erik Tran\Desktop\NudieStory - Shortcut.lnk
[2010/04/08 09:06:50 | 000,157,520 | ---- | M] (Kaspersky Lab) -- C:\SalityKiller.exe
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/13 06:08:05 | 000,002,918 | ---- | C] () -- C:\Users\Erik Tran\Desktop\DrWeb.csv
[2010/04/12 21:32:57 | 000,001,895 | ---- | C] () -- C:\Windows\System32\msexcr.ini
[2010/04/12 17:20:55 | 037,309,680 | ---- | C] () -- C:\Users\Erik Tran\Desktop\drweb-cureit.exe
[2010/04/11 22:40:30 | 000,000,770 | ---- | C] () -- C:\Users\Erik Tran\Desktop\AkaiMS - Shortcut.lnk
[2010/04/10 21:04:22 | 000,029,902 | ---- | C] () -- C:\Users\Erik Tran\Desktop\2-19.gif
[2010/04/10 10:32:50 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/04/10 10:32:50 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/04/10 10:32:49 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/04/10 10:32:49 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/04/10 10:32:49 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/04/10 10:32:07 | 003,912,873 | R--- | C] () -- C:\Users\Erik Tran\Desktop\Combo-Fix.exe
[2010/04/09 22:39:11 | 000,000,792 | ---- | C] () -- C:\Users\Erik Tran\Desktop\NudieStory - Shortcut.lnk
[2010/03/13 21:25:31 | 000,000,680 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\d3d9caps.dat
[2010/03/07 09:22:30 | 000,003,584 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/01 22:52:04 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdvcoin.dll
[2010/02/01 22:49:17 | 000,000,060 | ---- | C] () -- C:\Windows\System32\lxdvrwrd.ini
[2010/02/01 22:49:05 | 000,348,160 | ---- | C] () -- C:\Windows\System32\LXDVinst.dll
[2010/02/01 22:49:02 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdvgrd.dll
[2009/12/13 11:54:20 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/12/13 09:11:12 | 000,053,307 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/12/13 09:11:07 | 000,053,307 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/12/13 09:08:08 | 000,000,000 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\QSwitch.txt
[2009/12/13 09:08:08 | 000,000,000 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\DSwitch.txt
[2009/12/13 09:08:08 | 000,000,000 | ---- | C] () -- C:\Users\Erik Tran\AppData\Local\AtStart.txt
[2009/12/13 06:25:22 | 000,000,105 | ---- | C] () -- C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
[2009/12/13 06:25:10 | 000,000,032 | ---- | C] () -- C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
[2009/12/13 06:24:44 | 000,000,032 | ---- | C] () -- C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
[2009/12/13 06:24:05 | 000,000,032 | ---- | C] () -- C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
[2009/12/13 06:22:45 | 000,000,032 | ---- | C] () -- C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
[2009/12/13 06:22:00 | 000,000,246 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2009/08/03 01:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 01:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 01:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/10/25 17:10:11 | 000,000,109 | ---- | C] () -- C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
[2008/10/25 17:03:58 | 000,000,110 | ---- | C] () -- C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
[2008/10/25 17:01:59 | 000,000,105 | ---- | C] () -- C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
[2008/10/25 17:00:34 | 000,000,107 | ---- | C] () -- C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
[2008/10/08 16:05:06 | 000,010,752 | ---- | C] () -- C:\Windows\System32\rcmirror.dll
[2008/07/15 23:49:37 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxdvvs.dll
[2008/01/14 18:47:06 | 000,099,712 | ---- | C] () -- C:\Windows\HPBroker.dll
[2007/09/06 13:40:36 | 000,692,224 | ---- | C] () -- C:\Windows\System32\lxdvdrs.dll
[2007/08/10 12:49:54 | 000,065,536 | ---- | C] () -- C:\Windows\System32\lxdvcaps.dll
[2007/07/16 10:53:09 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdvcnv4.dll
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 02:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/12/13 09:57:44 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\acccore
[2010/01/13 00:05:36 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Datarescue
[2010/01/03 10:12:37 | 000,000,000 | -H-D | M] -- C:\Users\Erik Tran\AppData\Roaming\ijjigame
[2010/02/01 22:54:37 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Lexmark Productivity Studio
[2010/02/01 15:30:39 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Mael
[2010/03/21 20:24:25 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\ManyCam
[2010/03/18 18:06:27 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\MySQL
[2010/02/03 17:52:31 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Nexon
[2010/03/17 21:14:57 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\nHancer
[2010/03/04 19:33:51 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\Subversion
[2010/01/23 11:37:30 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\SystemRequirementsLab
[2010/01/19 22:43:08 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\TeamViewer
[2010/03/07 09:28:10 | 000,000,000 | ---D | M] -- C:\Users\Erik Tran\AppData\Roaming\VSO
[2010/04/13 06:08:43 | 000,032,596 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:D06A4C76
< End of report >

Edited by erikc4l, 13 April 2010 - 02:55 PM.
