
keeps detecting a variant of win32/dorkbot.a worm


  • This topic is locked

#1 tor666 (Member, 11 posts)

I have ESET NOD32 Antivirus 4. It keeps detecting a variant of Win32/Dorkbot.A worm and is unable to clean it.

I have noticed that I cannot access major antivirus websites. I have tried ComboFix and installed Spybot S&D but the problem still persists. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:53:51 PM, on 10/16/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.103.200:7080
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6741 bytes

Thanks in advance!

Attached: untitled.JPG
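The log above is the kind of output a helper reads by eye. As an added example (not code from HijackThis, OTL, ESET or this forum), the Python script below applies four of the usual first-pass checks to constructed sample lines in the same HijackThis v2 line format: the proxy value is the one from the log above, every other sample entry is made up.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis, OTL
or forum tooling).

Four checks a helper normally applies when reading a log like the one above:
an Internet Explorer proxy the user did not set, hosts-file entries for
anything other than localhost, autoruns living under a user profile, and
services whose binary is missing. A finding means "confirm this", not
"infected"; a corporate proxy or a stale game driver entry is benign.
"""
import re

# Constructed sample in HijackThis v2 line format. The proxy value is the
# one from the log in this thread; every other entry here is made up.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.103.200:7080
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 updates.av-vendor.example
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\PC\Application Data\updater.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Every entry line looks like "R1 - <body>", "O23 - <body>" and so on;
# header and process-list lines do not match and are skipped.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Anything under a per-user profile root (XP and Vista+ layouts). This is a
# prioritisation heuristic: per-user installs such as Chrome also live there.
USER_PROFILE_RE = re.compile(r"\\(?:Documents and Settings|Users)\\[^\\]+\\", re.IGNORECASE)
MISSING = " (file missing)"


def autorun_target(body):
    """Return the command target of an O4 body: the quoted path if quoted,
    otherwise everything after the [name] tag (HijackThis does not quote
    paths with spaces, so splitting on whitespace would truncate them)."""
    _, _, rest = body.partition("]")
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest


def triage(log_text):
    """Run the four checks over a log and return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "R1" and ",ProxyServer = " in body:
            # HijackThis prints only the server; whether it is active depends
            # on ProxyEnable, which OTL's "IE -" lines show but this line does not.
            findings.append({"rule": "proxy", "detail": body.split(" = ", 1)[1].strip(), "line": raw})
        elif code == "O1" and body.startswith("Hosts: "):
            ip, _, name = body[len("Hosts: "):].strip().partition(" ")
            if name.strip().lower() != "localhost":
                findings.append({"rule": "hosts", "detail": f"{name.strip()} -> {ip}", "line": raw})
        elif code == "O4":
            target = autorun_target(body)
            if USER_PROFILE_RE.search(target):
                findings.append({"rule": "autorun-user-profile", "detail": target, "line": raw})
        elif code == "O23" and body.endswith(MISSING):
            path = body[: -len(MISSING)].rsplit(" - ", 1)[-1]
            findings.append({"rule": "service-missing-file", "detail": path, "line": raw})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}")
```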



#2 tor666 (Topic Starter, Member, 11 posts)

I can't post OTL logs since I can't download it. The malware is prohibiting me from accessing the download page.

#3 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Could you post the ComboFix log please?

Download the attached zip file to your Desktop.
Extract OTL to the desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users.
  • Under the Custom Scan box paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    C:\Windows\assembly\tmp\U /s
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

THEN

Download this zip file to your desktop.
Extract aswMBR.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

#4 tor666 (Topic Starter, Member, 11 posts)

Here's the OTL.txt

OTL logfile created on: 10/17/2011 9:43:29 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\PC\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.29 Mb Total Physical Memory | 384.70 Mb Available Physical Memory | 50.14% Memory free
1.83 Gb Paging File | 1.52 Gb Available in Paging File | 82.94% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 4.94 Gb Free Space | 25.29% Space Free | Partition Type: NTFS
Drive D: | 17.73 Gb Total Space | 10.61 Gb Free Space | 59.80% Space Free | Partition Type: NTFS

Computer Name: PC-E733664EE655 | User Name: PC | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/16 14:36:48 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\PC\Desktop\OTL.exe
PRC - [2011/08/30 16:20:42 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2011/08/17 00:28:14 | 003,120,448 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
PRC - [2011/01/12 16:41:42 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2011/01/12 16:41:24 | 002,219,184 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/06/28 17:39:56 | 000,137,216 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvraidservice.exe


========== Modules (No Company Name) ==========

MOD - [2011/05/28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/07/10 14:30:00 | 004,125,176 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2011/01/12 16:44:02 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2011/01/12 16:41:42 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)


========== Driver Services (SafeList) ==========

DRV - [2011/09/09 10:30:48 | 000,232,512 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2010/12/21 15:04:06 | 000,141,264 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2010/12/21 15:04:06 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/12/21 13:47:38 | 000,094,872 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009/12/30 11:20:56 | 000,027,064 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\revoflt.sys -- (Revoflt)
DRV - [2007/01/30 03:57:50 | 004,474,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/01/24 00:39:12 | 000,038,656 | R--- | M] (Attansic Technology corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atl01_xp.sys -- (AtcL001)
DRV - [2006/07/01 22:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/29 02:38:56 | 000,105,088 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2005/02/02 16:08:46 | 000,021,442 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- D:\Games\Ragnarok Online\npkcrypt.sys -- (npkcrypt)
DRV - [2004/08/12 19:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-854245398-2147138339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-854245398-2147138339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.103.200:7080

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.46: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\PC\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\PC\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2011/08/30 16:21:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2011/08/31 12:03:45 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.270.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U27 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\pdf.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\PC\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Foxit Reader Plugin for Mozilla (Enabled) = C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2011/10/16 20:56:29 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-854245398-2147138339-839522115-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-2147138339-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-854245398-2147138339-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-854245398-2147138339-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-854245398-2147138339-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 124.106.5.2 124.106.4.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BF0802AD-390C-4C6D-AD80-5C7EBDAD2031}: DhcpNameServer = 124.106.5.2 124.106.4.2
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/08/29 20:28:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/10/17 09:43:22 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\PC\Desktop\aswMBR.exe
[2011/10/17 09:41:06 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\PC\Desktop\OTL.exe
[2011/10/16 21:13:57 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/10/16 21:13:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Start Menu\Programs\HiJackThis
[2011/10/16 20:33:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/10/16 20:30:21 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/16 20:30:21 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/16 20:30:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/16 20:30:21 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/16 20:27:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/10/16 20:27:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/10/16 20:27:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\PC\My Documents\My Videos
[2011/10/16 20:27:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\PC\Start Menu\Programs\Administrative Tools
[2011/10/16 20:24:24 | 004,261,887 | R--- | C] (Swearware) -- C:\Documents and Settings\PC\Desktop\ComboFix.exe
[2011/10/16 19:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/10/16 19:30:30 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/10/16 19:30:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/10/16 19:22:21 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/10/16 18:01:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2011/10/16 17:48:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2011/10/16 16:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\Foxit Software
[2011/10/16 16:08:17 | 012,557,104 | ---- | C] (Foxit Corporation ) -- C:\Documents and Settings\PC\Desktop\FoxitReader502.0718_enu_Setup.exe
[2011/10/16 02:41:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Desktop\Process Explorer
[2011/10/16 02:41:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\WinRAR
[2011/10/16 02:28:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/10/16 02:14:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/10/16 01:56:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\DAEMON Tools Pro
[2011/10/16 01:54:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/10/16 01:54:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\uTorrent
[2011/10/16 01:54:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\Real
[2011/10/16 01:49:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\Macromedia
[2011/10/16 01:49:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\Adobe
[2011/10/16 01:30:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\PC\Recent
[2011/10/14 15:08:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Local Settings\Application Data\PCHealth
[2011/10/01 22:32:17 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[2011/09/30 19:08:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Local Settings\Application Data\ESET
[2011/09/28 09:19:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Local Settings\Application Data\Temp
[2011/09/28 09:19:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Local Settings\Application Data\Adobe
[2011/09/28 00:46:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA
[2011/09/27 23:14:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\My Documents\DragonNest
[2011/09/27 23:09:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Cherry De Games
[2011/09/27 17:27:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/09/22 15:11:02 | 004,125,176 | ---- | C] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des
[2011/09/22 15:10:23 | 000,004,682 | ---- | C] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\npptNT2.sys
[2011/09/22 15:10:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\INCA Shared
[2011/09/18 16:01:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/09/18 16:01:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2011/09/18 16:01:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2011/09/18 13:57:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[12 C:\Documents and Settings\PC\Application Data\*.tmp files -> C:\Documents and Settings\PC\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/17 09:42:56 | 001,879,208 | ---- | M] () -- C:\Documents and Settings\PC\Desktop\aswMBR.zip
[2011/10/17 09:40:56 | 000,578,442 | ---- | M] () -- C:\Documents and Settings\PC\Desktop\OTL.zip
[2011/10/17 09:37:29 | 000,073,543 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/10/17 09:37:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/17 09:27:00 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003UA.job
[2011/10/16 21:17:00 | 000,002,441 | ---- | M] () -- C:\Documents and Settings\PC\Desktop\HiJackThis.lnk
[2011/10/16 20:56:29 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/10/16 20:33:29 | 000,000,367 | RHS- | M] () -- C:\boot.ini
[2011/10/16 20:29:42 | 004,261,887 | R--- | M] (Swearware) -- C:\Documents and Settings\PC\Desktop\ComboFix.exe
[2011/10/16 20:02:13 | 000,000,257 | ---- | M] () -- C:\Boot.bak
[2011/10/16 19:23:25 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/10/16 18:00:55 | 000,555,106 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/10/16 17:48:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/16 17:27:45 | 000,000,914 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003Core.job
[2011/10/16 16:13:11 | 012,557,104 | ---- | M] (Foxit Corporation ) -- C:\Documents and Settings\PC\Desktop\FoxitReader502.0718_enu_Setup.exe
[2011/10/16 15:15:58 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\PC\Desktop\aswMBR.exe
[2011/10/16 14:36:48 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\PC\Desktop\OTL.exe
[2011/10/16 12:52:44 | 000,051,186 | ---- | M] () -- C:\Documents and Settings\PC\Application Data\room_v3.dat
[2011/10/16 01:54:58 | 000,122,880 | ---- | M] () -- C:\cnon32.exe
[2011/10/16 01:53:02 | 000,016,962 | ---- | M] () -- C:\cnm32.exe
[2011/10/14 20:57:30 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\PC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/10 12:54:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/10/05 02:09:50 | 000,002,239 | ---- | M] () -- C:\Documents and Settings\PC\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/10/05 02:09:49 | 000,002,261 | ---- | M] () -- C:\Documents and Settings\PC\Desktop\Google Chrome.lnk
[2011/09/30 22:25:55 | 000,002,205 | ---- | M] () -- C:\Documents and Settings\PC\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2011/09/27 23:09:48 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dragon Nest.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[12 C:\Documents and Settings\PC\Application Data\*.tmp files -> C:\Documents and Settings\PC\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/17 09:41:47 | 001,879,208 | ---- | C] () -- C:\Documents and Settings\PC\Desktop\aswMBR.zip
[2011/10/17 09:40:28 | 000,578,442 | ---- | C] () -- C:\Documents and Settings\PC\Desktop\OTL.zip
[2011/10/16 21:13:58 | 000,002,441 | ---- | C] () -- C:\Documents and Settings\PC\Desktop\HiJackThis.lnk
[2011/10/16 20:33:29 | 000,000,257 | ---- | C] () -- C:\Boot.bak
[2011/10/16 20:33:24 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/10/16 20:30:21 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/10/16 20:30:21 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/10/16 20:30:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/10/16 20:30:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/10/16 20:30:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/10/16 17:55:55 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/10/16 06:55:35 | 000,051,186 | ---- | C] () -- C:\Documents and Settings\PC\Application Data\room_v3.dat
[2011/10/16 02:29:56 | 000,555,106 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/10/15 22:38:48 | 000,122,880 | ---- | C] () -- C:\cnon32.exe
[2011/10/15 22:38:42 | 000,016,962 | ---- | C] () -- C:\cnm32.exe
[2011/09/27 23:09:48 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Dragon Nest.lnk
[2011/09/22 15:10:22 | 000,005,174 | ---- | C] () -- C:\WINDOWS\System32\nppt9x.vxd
[2011/09/09 10:42:18 | 000,060,701 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2011/08/30 16:53:05 | 000,013,205 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2011/08/29 21:00:45 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\PC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/29 20:54:52 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011/08/29 20:39:29 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2011/08/29 20:39:12 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2011/08/29 20:31:40 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/08/29 20:25:39 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/08/29 13:20:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/08/29 13:17:16 | 000,295,664 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/07/12 22:19:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/12 22:19:00 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/07/12 22:19:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/12 22:19:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/07/12 22:19:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/12 22:19:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/07/12 22:19:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/12 22:19:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/07/12 22:19:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/07/12 22:19:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/07/12 22:19:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004/08/04 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,405,012 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,054,356 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/09/09 02:19:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2011/08/31 12:03:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011/10/16 19:30:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/10/16 01:56:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\PC\Application Data\DAEMON Tools Pro
[2011/10/16 16:15:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\PC\Application Data\Foxit Software
[2011/10/16 01:56:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\PC\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2011/10/16 01:53:02 | 000,016,962 | ---- | M] () -- C:\cnm32.exe
[2011/10/16 01:54:58 | 000,122,880 | ---- | M] () -- C:\cnon32.exe


< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< C:\Windows\assembly\tmp\U /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 245 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84

< End of report >




Extras.txt



OTL Extras logfile created on: 10/17/2011 9:43:29 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\PC\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.29 Mb Total Physical Memory | 384.70 Mb Available Physical Memory | 50.14% Memory free
1.83 Gb Paging File | 1.52 Gb Available in Paging File | 82.94% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 4.94 Gb Free Space | 25.29% Space Free | Partition Type: NTFS
Drive D: | 17.73 Gb Total Space | 10.61 Gb Free Space | 59.80% Space Free | Partition Type: NTFS

Computer Name: PC-E733664EE655 | User Name: PC | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-854245398-2147138339-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Garena Classic\Garena.exe" = C:\Program Files\Garena Classic\Garena.exe:*:Enabled:Garena -- (Garena Online PTE LTD)
"D:\Games\CherryDeGames\Dragon Nest\DragonNest.exe" = D:\Games\CherryDeGames\Dragon Nest\DragonNest.exe:*:Enabled:Dragon Nest -- ()
"D:\Games\DOTA\Warcraft III\Warcraft III.exe" = D:\Games\DOTA\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III -- (Blizzard Entertainment)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{1F698102-5739-441E-96F0-74F4EA540F06}" = Attansic Giga Ethernet Utility
"{26A24AE4-039D-4CA4-87B4-2F83216027FF}" = Java™ 6 Update 27
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3566D7DB-EA10-49DE-A95B-F4AB41FC0A93}" = Dragon Nest SEA
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 2.5.3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{471159EB-BECC-453C-B6F2-FE4FAB29B3F3}" =
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00B0-0409-0000-0000000FF1CE}" = Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A66242A1-9101-425D-9BE5-D19A50E1D0D8}" = ESET NOD32 Antivirus
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"AtcL1" = Attansic L1 Gigabit Ethernet Driver
"CCleaner" = CCleaner
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-09-21 16:18
"DAEMON Tools Pro" = DAEMON Tools Pro
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Foxit Reader_is1" = Foxit Reader 5.0
"Garena Classic 2011" = Garena Classic 2011
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Drivers" = NVIDIA Drivers
"RealPlayer 6.0" = RealPlayer
"TreeSize Free_is1" = TreeSize Free V2.5
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-854245398-2147138339-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/16/2011 10:38:40 AM | Computer Name = PC-E733664EE655 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 10/16/2011 10:52:56 AM | Computer Name = PC-E733664EE655 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module acgenral.dll, version 5.1.2600.5512, fault address 0x000116e2.

Error - 10/16/2011 11:27:54 AM | Computer Name = PC-E733664EE655 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module acgenral.dll, version 5.1.2600.5512, fault address 0x000116e2.

Error - 10/16/2011 12:21:56 PM | Computer Name = PC-E733664EE655 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x007c6a55.

Error - 10/16/2011 12:23:40 PM | Computer Name = PC-E733664EE655 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ws2help.dll, version 5.1.2600.5512, fault address 0x00006a55.

Error - 10/16/2011 3:51:12 PM | Computer Name = PC-E733664EE655 | Source = Application Error | ID = 1000
Description = Faulting application war3.exe, version 1.26.0.6401, faulting module
unknown, version 0.0.0.0, fault address 0x6d9ab32f.

Error - 10/16/2011 4:00:56 PM | Computer Name = PC-E733664EE655 | Source = Application Error | ID = 1000
Description = Faulting application ekrn.exe, version 4.2.71.2, faulting module ntdll.dll,
version 5.1.2600.5512, fault address 0x0001b1fa.

Error - 10/16/2011 4:01:22 PM | Computer Name = PC-E733664EE655 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 14.0.835.202, faulting module
ntdll.dll, version 5.1.2600.5512, fault address 0x0002385f.

Error - 10/16/2011 8:54:27 PM | Computer Name = PC-E733664EE655 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 10/16/2011 10:30:13 PM | Computer Name = PC-E733664EE655 | Source = pctsSvc.exe | ID = 0
Description =

[ OSession Events ]
Error - 10/14/2011 12:31:15 PM | Computer Name = PC-E733664EE655 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 3903
seconds with 2520 seconds of active time. This session ended with a crash.

Error - 10/14/2011 3:10:24 PM | Computer Name = PC-E733664EE655 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 9520
seconds with 4800 seconds of active time. This session ended with a crash.

Error - 10/14/2011 3:34:42 PM | Computer Name = PC-E733664EE655 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1441
seconds with 1260 seconds of active time. This session ended with a crash.

Error - 10/14/2011 4:58:48 PM | Computer Name = PC-E733664EE655 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 5038
seconds with 4140 seconds of active time. This session ended with a crash.

Error - 10/14/2011 4:59:59 PM | Computer Name = PC-E733664EE655 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 38
seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/14/2011 5:23:06 PM | Computer Name = PC-E733664EE655 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1382
seconds with 960 seconds of active time. This session ended with a crash.

Error - 10/14/2011 6:07:50 PM | Computer Name = PC-E733664EE655 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2666
seconds with 2040 seconds of active time. This session ended with a crash.

Error - 10/14/2011 6:53:08 PM | Computer Name = PC-E733664EE655 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2525
seconds with 1740 seconds of active time. This session ended with a crash.

Error - 10/14/2011 6:53:56 PM | Computer Name = PC-E733664EE655 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 29
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 10/16/2011 12:23:19 PM | Computer Name = PC-E733664EE655 | Source = Service Control Manager | ID = 7034
Description = The PC Tools Auxiliary Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 10/16/2011 4:01:11 PM | Computer Name = PC-E733664EE655 | Source = Service Control Manager | ID = 7031
Description = The ESET Service service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 10/16/2011 6:44:56 PM | Computer Name = PC-E733664EE655 | Source = Service Control Manager | ID = 7031
Description = The ESET Service service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 10/16/2011 7:07:44 PM | Computer Name = PC-E733664EE655 | Source = Service Control Manager | ID = 7031
Description = The ESET Service service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 10/16/2011 7:50:39 PM | Computer Name = PC-E733664EE655 | Source = Service Control Manager | ID = 7031
Description = The ESET Service service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 10/16/2011 7:53:30 PM | Computer Name = PC-E733664EE655 | Source = Service Control Manager | ID = 7031
Description = The ESET Service service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 10/16/2011 7:55:12 PM | Computer Name = PC-E733664EE655 | Source = Service Control Manager | ID = 7031
Description = The ESET Service service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 10/16/2011 9:49:32 PM | Computer Name = PC-E733664EE655 | Source = Service Control Manager | ID = 7031
Description = The ESET Service service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
the service.

Error - 10/16/2011 10:00:29 PM | Computer Name = PC-E733664EE655 | Source = Service Control Manager | ID = 7034
Description = The PC Tools Security Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 10/16/2011 11:41:32 PM | Computer Name = PC-E733664EE655 | Source = Dhcp | ID = 1002
Description = The IP address lease 112.201.227.5 for the Network Card with network
address 001BFC0145F9 has been denied by the DHCP server 112.201.128.1 (The DHCP
Server sent a DHCPNACK message).


< End of report >



aswMBR.txt



aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-17 09:47:46
-----------------------------
09:47:46.109 OS Version: Windows 5.1.2600 Service Pack 3
09:47:46.109 Number of processors: 2 586 0x6B01
09:47:46.109 ComputerName: PC-E733664EE655 UserName: PC
09:47:47.250 Initialize success
09:48:06.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
09:48:06.093 Disk 0 Vendor: ST340015A 3.01 Size: 38166MB BusType: 3
09:48:08.140 Disk 0 MBR read successfully
09:48:08.140 Disk 0 MBR scan
09:48:08.140 Disk 0 Windows XP default MBR code
09:48:08.140 Disk 0 scanning sectors +78156225
09:48:08.218 Disk 0 scanning C:\WINDOWS\system32\drivers
09:48:18.718 Service scanning
09:48:19.796 Modules scanning
09:48:36.984 Disk 0 trace - called modules:
09:48:37.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:48:37.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82fa2ab8]
09:48:37.000 3 CLASSPNP.SYS[f74a7fd7] -> nt!IofCallDriver -> \Device\00000061[0x8304ef18]
09:48:37.000 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x83013940]
09:48:37.031 Scan finished successfully
09:49:00.843 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\PC\Desktop\MBR.dat"
09:49:00.843 The log file has been saved successfully to "C:\Documents and Settings\PC\Desktop\aswMBR.txt"
  • 0

#5
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you post the ComboFix log please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKU\S-1-5-21-854245398-2147138339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.103.200:7080
    [2011/10/16 01:54:58 | 000,122,880 | ---- | M] () -- C:\cnon32.exe
    [2011/10/16 01:53:02 | 000,016,962 | ---- | M] () -- C:\cnm32.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0
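Added example, not code from the thread, from OTL or from OldTimer: a small Python triage script that reads OTL-style log lines like the ones posted above and pulls out the three things the fix targets, so the reasoning behind the `:OTL` section is visible: executables sitting in the drive root with no publisher, a live system binary whose MD5 differs from the ServicePackFiles\i386 copy (the comparison behind the `< MD5 for: ... >` custom scans in the OTL log), and an Internet Explorer ProxyServer value. The sample lines are copied from the logs in this thread; the `example.exe` pair and its hashes are constructed placeholders so the hash comparison has something to report.

```python
import re

# One OTL file entry, e.g.
# [2011/10/16 01:54:58 | 000,122,880 | ---- | M] () -- C:\cnon32.exe
# [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=1289...9923 -- C:\WINDOWS\explorer.exe
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\)"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+)$"
)
# The IE proxy line as OTL prints it in its registry section
PROXY_RE = re.compile(r'^IE - (?P<hive>HK[^:]+): "ProxyServer" = (?P<proxy>\S+)$')
# A file with an executable extension directly in a drive root (C:\name.exe)
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(exe|dll|scr|com|pif)$", re.IGNORECASE)

# Sample lines copied from the OTL logs posted in this thread.
SAMPLE_OTL = r"""
[2011/10/16 20:29:42 | 004,261,887 | R--- | M] (Swearware) -- C:\Documents and Settings\PC\Desktop\ComboFix.exe
[2011/10/16 01:54:58 | 000,122,880 | ---- | M] () -- C:\cnon32.exe
[2011/10/16 01:53:02 | 000,016,962 | ---- | M] () -- C:\cnm32.exe
[2011/10/16 20:33:24 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
IE - HKU\S-1-5-21-854245398-2147138339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.1.103.200:7080
""".strip().splitlines()

# Constructed pair (not from the thread): the file name and both hashes are
# placeholders, present only so the hash comparison has a mismatch to report.
CONSTRUCTED_MISMATCH = r"""
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\ServicePackFiles\i386\example.exe
[2011/10/16 01:54:58 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\example.exe
""".strip().splitlines()


def parse_entries(lines):
    """Turn OTL file-entry lines into dicts; lines that are not entries are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"].replace(",", ""))
        e["company"] = e["company"].strip()
        e["md5"] = e["md5"].upper() if e["md5"] else None
        entries.append(e)
    return entries


def root_executables(entries):
    """Executables in a drive root with no publisher: the pattern the fix removes."""
    return [e["path"] for e in entries
            if ROOT_EXE_RE.match(e["path"]) and not e["company"]]


def md5_mismatches(entries):
    """Compare each live system binary's MD5 with the ServicePackFiles\\i386 copy
    of the same name. Pre-SP3 copies under $NtServicePackUninstall$ and the
    backup copies under ERDNT\\cache differ legitimately and are ignored."""
    reference, live = {}, {}
    for e in entries:
        if not e["md5"]:
            continue
        lower = e["path"].lower()
        name = lower.rsplit("\\", 1)[-1]
        if "\\servicepackfiles\\i386\\" in lower:
            reference[name] = e["md5"]
        elif "$ntservicepackuninstall$" in lower or "\\erdnt\\" in lower:
            continue
        else:
            live[name] = (e["path"], e["md5"])
    return [(path, md5, reference[name])
            for name, (path, md5) in live.items()
            if name in reference and reference[name] != md5]


def proxy_servers(lines):
    """(hive, proxy) for every IE ProxyServer value OTL lists."""
    return [(m.group("hive"), m.group("proxy"))
            for m in (PROXY_RE.match(line.strip()) for line in lines) if m]


def triage(lines):
    """Run all three checks over a list of OTL log lines."""
    entries = parse_entries(lines)
    return {
        "root_executables": root_executables(entries),
        "md5_mismatches": md5_mismatches(entries),
        "proxies": proxy_servers(lines),
    }


if __name__ == "__main__":
    for label, lines in (("thread logs", SAMPLE_OTL), ("constructed", CONSTRUCTED_MISMATCH)):
        print(label)
        for key, hits in triage(lines).items():
            print(f"  {key}: {hits}")
```

On the thread's own lines the script lists C:\cnon32.exe and C:\cnm32.exe, reports no hash mismatch (explorer.exe and userinit.exe match their SP3 cache copies, which is why the fix leaves them alone), and surfaces the 10.1.103.200:7080 proxy. The hash check only ever fires on the constructed pair.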

#6
tor666

    Member

  • Topic Starter
  • Member
  • 11 posts
Combofix log:


ComboFix 11-10-19.04 - PC 10/19/2011 23:58:57.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.377 [GMT -7:00]
Running from: c:\documents and settings\PC\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\PC\Application Data\10.tmp
c:\documents and settings\PC\Application Data\11.tmp
c:\documents and settings\PC\Application Data\116.tmp
c:\documents and settings\PC\Application Data\117.tmp
c:\documents and settings\PC\Application Data\11D.tmp
c:\documents and settings\PC\Application Data\12.tmp
c:\documents and settings\PC\Application Data\146.tmp
c:\documents and settings\PC\Application Data\147.tmp
c:\documents and settings\PC\Application Data\148.tmp
c:\documents and settings\PC\Application Data\17E.tmp
c:\documents and settings\PC\Application Data\17F.tmp
c:\documents and settings\PC\Application Data\180.tmp
c:\documents and settings\PC\Application Data\1B.tmp
c:\documents and settings\PC\Application Data\1C.tmp
c:\documents and settings\PC\Application Data\1D.tmp
c:\documents and settings\PC\Application Data\1E.tmp
c:\documents and settings\PC\Application Data\28.tmp
c:\documents and settings\PC\Application Data\29.tmp
c:\documents and settings\PC\Application Data\2A.tmp
c:\documents and settings\PC\Application Data\2B0.tmp
c:\documents and settings\PC\Application Data\2BD.tmp
c:\documents and settings\PC\Application Data\2BE.tmp
c:\documents and settings\PC\Application Data\2BF.tmp
c:\documents and settings\PC\Application Data\310.tmp
c:\documents and settings\PC\Application Data\311.tmp
c:\documents and settings\PC\Application Data\312.tmp
c:\documents and settings\PC\Application Data\8F.tmp
c:\documents and settings\PC\Application Data\9.tmp
c:\documents and settings\PC\Application Data\90.tmp
c:\documents and settings\PC\Application Data\91.tmp
c:\documents and settings\PC\Application Data\A.tmp
c:\documents and settings\PC\Application Data\A6.tmp
c:\documents and settings\PC\Application Data\B.tmp
c:\documents and settings\PC\Application Data\C.tmp
c:\documents and settings\PC\Application Data\D.tmp
c:\documents and settings\PC\Application Data\D4.tmp
c:\documents and settings\PC\Application Data\E.tmp
c:\documents and settings\PC\Application Data\E9.tmp
c:\documents and settings\PC\Application Data\F.tmp
c:\documents and settings\PC\Application Data\F0.tmp
c:\documents and settings\PC\blal.exe
c:\windows\aadrive32.exe
c:\windows\system32\07.exe
c:\windows\system32\20.exe
c:\windows\system32\30.exe
c:\windows\system32\43.exe
c:\windows\system32\75.exe
c:\windows\system32\x.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_VMWARESERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
.
.
2011-10-18 16:46 . 2011-10-18 16:46 142848 ------w- c:\windows\system32\igfxctv32.exe
2011-10-17 04:14 . 2011-10-17 04:14 388096 ----a-r- c:\documents and settings\PC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-17 04:13 . 2011-10-17 04:13 -------- d-----w- c:\program files\Trend Micro
2011-10-17 02:30 . 2011-10-17 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-17 02:30 . 2011-10-17 02:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-17 02:22 . 2011-10-17 02:22 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-10-17 01:34 . 2011-05-25 02:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-16 23:15 . 2011-10-16 23:15 -------- d-----w- c:\documents and settings\PC\Application Data\Foxit Software
2011-10-16 09:28 . 2011-10-17 02:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-10-16 09:14 . 2011-10-17 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-10-16 08:56 . 2011-10-16 08:56 -------- d-----w- c:\documents and settings\PC\Application Data\DAEMON Tools Pro
2011-10-16 08:54 . 2011-10-16 08:56 -------- d-----w- c:\documents and settings\PC\Application Data\uTorrent
2011-10-16 05:38 . 2011-10-16 08:54 122880 ----a-w- C:\cnon32.exe
2011-10-16 05:38 . 2011-10-16 08:53 16962 ----a-w- C:\cnm32.exe
2011-10-14 22:08 . 2011-10-14 22:08 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\PCHealth
2011-10-02 05:32 . 2011-10-02 05:32 -------- d-----w- c:\program files\MSECache
2011-10-01 02:08 . 2011-10-01 02:08 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\ESET
2011-09-28 16:19 . 2011-09-28 16:19 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Temp
2011-09-28 16:19 . 2011-09-28 16:19 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Adobe
2011-09-28 07:46 . 2011-09-28 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-09-28 00:27 . 2011-09-28 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-09-22 22:11 . 2011-07-10 21:30 4125176 ----a-w- c:\windows\system32\GameMon.des
2011-09-22 22:10 . 2005-01-04 09:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-09-22 22:10 . 2003-07-20 18:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-09-22 22:10 . 2011-09-22 22:10 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-09-22 22:09 . 2011-09-22 22:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-20 07:08 . 2011-10-20 07:08 2330 ----a-w- c:\documents and settings\PC\Application Data\15.tmp
2011-10-20 07:08 . 2011-10-20 07:08 2330 ----a-w- c:\documents and settings\PC\Application Data\14.tmp
2011-10-20 07:08 . 2011-10-20 07:08 2330 ----a-w- c:\documents and settings\PC\Application Data\13.tmp
2011-09-09 17:54 . 2011-09-09 17:42 2829 ----a-w- c:\windows\War3Unin.pif
2011-09-09 17:54 . 2011-09-09 17:42 139264 ----a-w- c:\windows\War3Unin.exe
2011-09-09 17:30 . 2011-09-09 17:30 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-09-01 03:31 . 2011-09-01 03:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-01 03:31 . 2011-09-01 03:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 23:20 . 2011-08-30 03:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-08-30 23:20 . 2011-08-30 03:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-08-30 03:52 . 2011-08-30 03:52 315392 ----a-w- c:\windows\HideWin.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-17_03.39.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-20 07:06 . 2011-10-20 07:06 16384 c:\windows\temp\Perflib_Perfdata_1b8.dat
+ 2011-10-17 04:13 . 2011-10-17 04:13 1094656 c:\windows\Installer\19b60b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]
"nwiz"="nwiz.exe" [2006-07-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-13 86016]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-06-29 137216]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 16116224]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2011-08-30 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Intel Graphics Controller"="c:\windows\system32\igfxctv32.exe" [2011-10-18 142848]
.
[HKLM\~\startupfolder\C:^Documents and Settings^PC^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\PC\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2011-08-17 07:29 4527424 ----a-w- c:\program files\DAEMON Tools Pro\DTAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Garena Classic\\Garena.exe"=
"d:\\Games\\CherryDeGames\\Dragon Nest\\DragonNest.exe"=
"d:\\Games\\DOTA\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\igfxctv32.exe"=
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [9/9/2011 10:30 AM 232512]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [12/21/2010 3:04 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2010 1:47 PM 94872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [1/12/2011 4:41 PM 810144]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [8/29/2011 8:55 PM 38656]
S1 prhbmtzx;prhbmtzx;\??\c:\windows\system32\drivers\prhbmtzx.sys --> c:\windows\system32\drivers\prhbmtzx.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena Classic\safedrv.sys --> c:\program files\Garena Classic\safedrv.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/31/2011 12:29 PM 27064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003Core.job
- c:\documents and settings\PC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-31 17:59]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003UA.job
- c:\documents and settings\PC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-31 17:59]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 10.1.103.200:7080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 124.106.7.2 124.106.6.2
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-20 00:06
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwEnumerateValueKey, ZwQueryDirectoryFile
.
scanning hidden processes ...
.
c:\windows\system32\igfxctv32.exe [1808] 0x82566918
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Fxjmjr = c:\documents and settings\PC\Application Data\Fxjmjr.exe
Lzjmjx = c:\documents and settings\PC\Application Data\Lzjmjx.exe
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(260)
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\PC\LOCALS~1\Temp\tmp46.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-10-20 00:11:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-20 07:11
ComboFix2.txt 2011-10-18 10:26
ComboFix3.txt 2011-10-17 03:58
ComboFix4.txt 2011-10-17 03:42
.
Pre-Run: 5,117,169,664 bytes free
Post-Run: 5,013,803,008 bytes free
.
- - End Of File - - FB8C9338348A36CF18BCAF1905991D6C


Run fix log:


All processes killed
========== OTL ==========
HKU\S-1-5-21-854245398-2147138339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\cnon32.exe moved successfully.
C:\cnm32.exe moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\PC\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\PC\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: PC
->Temp folder emptied: 168624 bytes
->Temporary Internet Files folder emptied: 4385823 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 58320949 bytes
->Flash cache emptied: 38113 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 62.00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: PC
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 10202011_002118

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



OTL.txt / OTL log:


OTL logfile created on: 10/20/2011 12:32:38 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\PC\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.29 Mb Total Physical Memory | 283.33 Mb Available Physical Memory | 36.93% Memory free
1.83 Gb Paging File | 1.37 Gb Available in Paging File | 74.74% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 4.72 Gb Free Space | 24.18% Space Free | Partition Type: NTFS
Drive D: | 17.73 Gb Total Space | 10.82 Gb Free Space | 60.99% Space Free | Partition Type: NTFS

Computer Name: PC-E733664EE655 | User Name: PC | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/16 14:36:48 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\PC\Desktop\OTL.exe
PRC - [2011/09/30 08:12:41 | 001,030,200 | ---- | M] (Google Inc.) -- C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/08/30 16:20:42 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2011/01/12 16:41:42 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2011/01/12 16:41:24 | 002,219,184 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/06/28 17:39:56 | 000,137,216 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvraidservice.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/30 08:12:40 | 000,412,728 | ---- | M] () -- C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\ppgooglenaclpluginchrome.dll
MOD - [2011/09/30 08:12:39 | 003,696,184 | ---- | M] () -- C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\pdf.dll
MOD - [2011/09/30 08:11:39 | 000,309,304 | ---- | M] () -- C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\Locales\en-US.dll
MOD - [2011/09/30 08:11:13 | 000,142,568 | ---- | M] () -- C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\avutil-51.dll
MOD - [2011/09/30 08:11:12 | 000,253,320 | ---- | M] () -- C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\avformat-53.dll
MOD - [2011/09/30 08:11:10 | 002,403,240 | ---- | M] () -- C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\avcodec-53.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/07/10 14:30:00 | 004,125,176 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2011/01/12 16:44:02 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2011/01/12 16:41:42 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)


========== Driver Services (SafeList) ==========

DRV - [2011/09/09 10:30:48 | 000,232,512 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2010/12/21 15:04:06 | 000,141,264 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2010/12/21 15:04:06 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/12/21 13:47:38 | 000,094,872 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009/12/30 11:20:56 | 000,027,064 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\revoflt.sys -- (Revoflt)
DRV - [2007/01/30 03:57:50 | 004,474,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/01/24 00:39:12 | 000,038,656 | R--- | M] (Attansic Technology corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atl01_xp.sys -- (AtcL001)
DRV - [2006/07/01 22:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/29 02:38:56 | 000,105,088 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2005/02/02 16:08:46 | 000,021,442 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- D:\Games\Ragnarok Online\npkcrypt.sys -- (npkcrypt)
DRV - [2004/08/12 19:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.46: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.46: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\PC\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\PC\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2011/08/30 16:21:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2011/08/31 12:03:45 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.270.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U27 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\PC\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\pdf.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\PC\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Foxit Reader Plugin for Mozilla (Enabled) = C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2011/10/20 00:21:22 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [Intel Graphics Controller] C:\WINDOWS\system32\igfxctv32.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 124.106.7.2 124.106.6.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BF0802AD-390C-4C6D-AD80-5C7EBDAD2031}: DhcpNameServer = 124.106.7.2 124.106.6.2
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/08/29 20:28:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/20 00:21:27 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/10/20 00:21:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/10/20 00:04:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/10/19 13:30:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\Sun
[2011/10/17 09:43:22 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\PC\Desktop\aswMBR.exe
[2011/10/17 09:41:06 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\PC\Desktop\OTL.exe
[2011/10/16 21:13:57 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/10/16 21:13:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Start Menu\Programs\HiJackThis
[2011/10/16 20:33:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/10/16 20:30:21 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/16 20:30:21 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/16 20:30:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/16 20:30:21 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/16 20:27:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/10/16 20:27:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/10/16 20:27:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\PC\My Documents\My Videos
[2011/10/16 20:27:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\PC\Start Menu\Programs\Administrative Tools
[2011/10/16 20:24:24 | 004,265,814 | R--- | C] (Swearware) -- C:\Documents and Settings\PC\Desktop\ComboFix.exe
[2011/10/16 19:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/10/16 19:30:30 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/10/16 19:30:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/10/16 19:22:21 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/10/16 18:01:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2011/10/16 17:48:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2011/10/16 16:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\Foxit Software
[2011/10/16 16:08:17 | 012,557,104 | ---- | C] (Foxit Corporation ) -- C:\Documents and Settings\PC\Desktop\FoxitReader502.0718_enu_Setup.exe
[2011/10/16 02:41:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Desktop\Process Explorer
[2011/10/16 02:41:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\WinRAR
[2011/10/16 02:28:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/10/16 02:14:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/10/16 01:56:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\DAEMON Tools Pro
[2011/10/16 01:54:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/10/16 01:54:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\uTorrent
[2011/10/16 01:54:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\Real
[2011/10/16 01:49:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\Macromedia
[2011/10/16 01:49:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Application Data\Adobe
[2011/10/16 01:30:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\PC\Recent
[2011/10/14 15:08:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Local Settings\Application Data\PCHealth
[2011/10/01 22:32:17 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[2011/09/30 19:08:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Local Settings\Application Data\ESET
[2011/09/28 09:19:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Local Settings\Application Data\Temp
[2011/09/28 09:19:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\Local Settings\Application Data\Adobe
[2011/09/28 00:46:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA
[2011/09/27 23:14:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PC\My Documents\DragonNest
[2011/09/27 23:09:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Cherry De Games
[2011/09/27 17:27:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/09/22 15:11:02 | 004,125,176 | ---- | C] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des
[2011/09/22 15:10:23 | 000,004,682 | ---- | C] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\npptNT2.sys
[2011/09/22 15:10:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\INCA Shared
[12 C:\Documents and Settings\PC\Application Data\*.tmp files -> C:\Documents and Settings\PC\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/20 00:27:01 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003UA.job
[2011/10/20 00:26:13 | 000,073,543 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/10/20 00:26:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/20 00:21:22 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/10/19 23:56:25 | 004,265,814 | R--- | M] (Swearware) -- C:\Documents and Settings\PC\Desktop\ComboFix.exe
[2011/10/19 13:19:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/18 09:46:36 | 000,142,848 | ---- | M] () -- C:\WINDOWS\System32\igfxctv32.exe
[2011/10/18 03:24:47 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20111018-114217.backup
[2011/10/17 17:27:01 | 000,000,914 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003Core.job
[2011/10/17 12:54:28 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/10/17 09:49:00 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\PC\Desktop\MBR.dat
[2011/10/17 09:42:56 | 001,879,208 | ---- | M] () -- C:\Documents and Settings\PC\Desktop\aswMBR.zip
[2011/10/17 09:40:56 | 000,578,442 | ---- | M] () -- C:\Documents and Settings\PC\Desktop\OTL.zip
[2011/10/16 21:17:00 | 000,002,441 | ---- | M] () -- C:\Documents and Settings\PC\Desktop\HiJackThis.lnk
[2011/10/16 20:33:29 | 000,000,367 | RHS- | M] () -- C:\boot.ini
[2011/10/16 20:02:13 | 000,000,257 | ---- | M] () -- C:\Boot.bak
[2011/10/16 19:23:25 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/10/16 18:00:55 | 000,555,106 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/10/16 16:13:11 | 012,557,104 | ---- | M] (Foxit Corporation ) -- C:\Documents and Settings\PC\Desktop\FoxitReader502.0718_enu_Setup.exe
[2011/10/16 15:15:58 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\PC\Desktop\aswMBR.exe
[2011/10/16 14:36:48 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\PC\Desktop\OTL.exe
[2011/10/14 20:57:30 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\PC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/05 02:09:50 | 000,002,239 | ---- | M] () -- C:\Documents and Settings\PC\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/10/05 02:09:49 | 000,002,261 | ---- | M] () -- C:\Documents and Settings\PC\Desktop\Google Chrome.lnk
[2011/09/30 22:25:55 | 000,002,205 | ---- | M] () -- C:\Documents and Settings\PC\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2011/09/27 23:09:48 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dragon Nest.lnk
[12 C:\Documents and Settings\PC\Application Data\*.tmp files -> C:\Documents and Settings\PC\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/18 09:46:50 | 000,142,848 | ---- | C] () -- C:\WINDOWS\System32\igfxctv32.exe
[2011/10/17 09:49:00 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\PC\Desktop\MBR.dat
[2011/10/17 09:41:47 | 001,879,208 | ---- | C] () -- C:\Documents and Settings\PC\Desktop\aswMBR.zip
[2011/10/17 09:40:28 | 000,578,442 | ---- | C] () -- C:\Documents and Settings\PC\Desktop\OTL.zip
[2011/10/16 21:13:58 | 000,002,441 | ---- | C] () -- C:\Documents and Settings\PC\Desktop\HiJackThis.lnk
[2011/10/16 20:33:29 | 000,000,257 | ---- | C] () -- C:\Boot.bak
[2011/10/16 20:33:24 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/10/16 20:30:21 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/10/16 20:30:21 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/10/16 20:30:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/10/16 20:30:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/10/16 20:30:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/10/16 17:55:55 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/10/16 02:29:56 | 000,555,106 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/09/27 23:09:48 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Dragon Nest.lnk
[2011/09/22 15:10:22 | 000,005,174 | ---- | C] () -- C:\WINDOWS\System32\nppt9x.vxd
[2011/09/09 10:42:18 | 000,060,701 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2011/08/30 16:53:05 | 000,013,205 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2011/08/29 21:00:45 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\PC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/29 20:54:52 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011/08/29 20:39:29 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2011/08/29 20:39:12 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2011/08/29 20:31:40 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/08/29 20:25:39 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/08/29 13:20:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/08/29 13:17:16 | 000,295,664 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/07/12 22:19:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/12 22:19:00 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/07/12 22:19:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/12 22:19:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/07/12 22:19:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/12 22:19:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/07/12 22:19:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/12 22:19:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/07/12 22:19:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/07/12 22:19:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/07/12 22:19:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004/08/04 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,405,012 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,054,356 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/09/09 02:19:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2011/08/31 12:03:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011/10/16 19:30:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/10/16 01:56:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\PC\Application Data\DAEMON Tools Pro
[2011/10/16 16:15:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\PC\Application Data\Foxit Software
[2011/10/16 01:56:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\PC\Application Data\uTorrent

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 245 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84

< End of report >

#7 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Could you re-run ComboFix please, allowing it to update if requested, as there is a file I would like to take a further look at.

#8 tor666 (Topic Starter, Member, 11 posts)
ComboFix 11-10-19.04 - PC 10/20/2011 2:20.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.555 [GMT -7:00]
Running from: c:\documents and settings\PC\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\PC\Application Data\13.tmp
c:\documents and settings\PC\Application Data\14.tmp
c:\documents and settings\PC\Application Data\15.tmp
c:\documents and settings\PC\Application Data\16.tmp
c:\documents and settings\PC\Application Data\18.tmp
c:\documents and settings\PC\Application Data\19.tmp
c:\documents and settings\PC\Application Data\1E.tmp
c:\documents and settings\PC\Application Data\2E.tmp
c:\documents and settings\PC\Application Data\31.tmp
c:\documents and settings\PC\Application Data\32.tmp
c:\documents and settings\PC\Application Data\B.tmp
c:\documents and settings\PC\Application Data\BB4.tmp
c:\documents and settings\PC\Application Data\BB5.tmp
c:\documents and settings\PC\Application Data\BB9.tmp
c:\documents and settings\PC\Application Data\BC2.tmp
c:\documents and settings\PC\Application Data\E.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
.
.
2011-10-20 07:21 . 2011-10-20 07:21 -------- d-----w- C:\_OTL
2011-10-18 16:46 . 2011-10-18 16:46 142848 ------w- c:\windows\system32\igfxctv32.exe
2011-10-17 04:14 . 2011-10-17 04:14 388096 ----a-r- c:\documents and settings\PC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-17 04:13 . 2011-10-17 04:13 -------- d-----w- c:\program files\Trend Micro
2011-10-17 02:30 . 2011-10-17 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-17 02:30 . 2011-10-17 02:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-17 02:22 . 2011-10-17 02:22 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-10-17 01:34 . 2011-05-25 02:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-16 23:15 . 2011-10-16 23:15 -------- d-----w- c:\documents and settings\PC\Application Data\Foxit Software
2011-10-16 09:28 . 2011-10-17 02:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-10-16 09:14 . 2011-10-17 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-10-16 08:56 . 2011-10-16 08:56 -------- d-----w- c:\documents and settings\PC\Application Data\DAEMON Tools Pro
2011-10-16 08:54 . 2011-10-16 08:56 -------- d-----w- c:\documents and settings\PC\Application Data\uTorrent
2011-10-14 22:08 . 2011-10-14 22:08 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\PCHealth
2011-10-02 05:32 . 2011-10-02 05:32 -------- d-----w- c:\program files\MSECache
2011-10-01 02:08 . 2011-10-01 02:08 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\ESET
2011-09-28 16:19 . 2011-09-28 16:19 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Temp
2011-09-28 16:19 . 2011-09-28 16:19 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Adobe
2011-09-28 07:46 . 2011-09-28 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-09-28 00:27 . 2011-09-28 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-09-22 22:11 . 2011-07-10 21:30 4125176 ----a-w- c:\windows\system32\GameMon.des
2011-09-22 22:10 . 2005-01-04 09:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-09-22 22:10 . 2003-07-20 18:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-09-22 22:10 . 2011-09-22 22:10 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-09-22 22:09 . 2011-09-22 22:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 17:54 . 2011-09-09 17:42 2829 ----a-w- c:\windows\War3Unin.pif
2011-09-09 17:54 . 2011-09-09 17:42 139264 ----a-w- c:\windows\War3Unin.exe
2011-09-09 17:30 . 2011-09-09 17:30 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-09-01 03:31 . 2011-09-01 03:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-01 03:31 . 2011-09-01 03:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 23:20 . 2011-08-30 03:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-08-30 23:20 . 2011-08-30 03:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-08-30 03:52 . 2011-08-30 03:52 315392 ----a-w- c:\windows\HideWin.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-17_03.39.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-20 07:26 . 2011-10-20 07:26 16384 c:\windows\temp\Perflib_Perfdata_2c4.dat
+ 2011-10-17 04:13 . 2011-10-17 04:13 1094656 c:\windows\Installer\19b60b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]
"nwiz"="nwiz.exe" [2006-07-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-13 86016]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-06-29 137216]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 16116224]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2011-08-30 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Intel Graphics Controller"="c:\windows\system32\igfxctv32.exe" [2011-10-18 142848]
.
[HKLM\~\startupfolder\C:^Documents and Settings^PC^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\PC\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2011-08-17 07:29 4527424 ----a-w- c:\program files\DAEMON Tools Pro\DTAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Garena Classic\\Garena.exe"=
"d:\\Games\\CherryDeGames\\Dragon Nest\\DragonNest.exe"=
"d:\\Games\\DOTA\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\igfxctv32.exe"=
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [9/9/2011 10:30 AM 232512]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [12/21/2010 3:04 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2010 1:47 PM 94872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [1/12/2011 4:41 PM 810144]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [8/29/2011 8:55 PM 38656]
S1 prhbmtzx;prhbmtzx;\??\c:\windows\system32\drivers\prhbmtzx.sys --> c:\windows\system32\drivers\prhbmtzx.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena Classic\safedrv.sys --> c:\program files\Garena Classic\safedrv.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/31/2011 12:29 PM 27064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003Core.job
- c:\documents and settings\PC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-31 17:59]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003UA.job
- c:\documents and settings\PC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-31 17:59]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 124.106.7.2 124.106.6.2
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-20 02:26
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwEnumerateValueKey, ZwQueryDirectoryFile
.
scanning hidden processes ...
.
c:\windows\system32\igfxctv32.exe [408] 0x82C31380
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Fxjmjr = c:\documents and settings\PC\Application Data\Fxjmjr.exe
Lzjmjx = c:\documents and settings\PC\Application Data\Lzjmjx.exe
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fxjmjr"="c:\\Documents and Settings\\PC\\Application Data\\Fxjmjr.exe"
"Lzjmjx"="c:\\Documents and Settings\\PC\\Application Data\\Lzjmjx.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2011-10-20 02:28:13
ComboFix-quarantined-files.txt 2011-10-20 09:28
ComboFix2.txt 2011-10-20 07:11
ComboFix3.txt 2011-10-18 10:26
ComboFix4.txt 2011-10-17 03:58
ComboFix5.txt 2011-10-20 09:18
.
Pre-Run: 4,962,840,576 bytes free
Post-Run: 4,951,277,568 bytes free
.
- - End Of File - - C43BF6B2B28A6F0035DC6FBA83C914F9

#9 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, methinks I have got the driver.

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\igfxctv32.exe
c:\Documents and Settings\PC\Application Data\Fxjmjr.exe
c:\Documents and Settings\PC\Application Data\Lzjmjx.exe
C:\cnon32.exe
C:\cnm32.exe
c:\windows\system32\drivers\prhbmtzx.sys

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\igfxctv32.exe"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fxjmjr"=-
"Lzjmjx"=-

Driver::
prhbmtzx

Save this as CFScript.txt, in the same location as ComboFix.exe
Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

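The post above is built by reading three things out of the ComboFix and catchme output: autostart values that point at odd places, an executable that was also added to the firewall exception list, and a service whose driver file ComboFix could not find, then turning them into File::, Registry:: and Driver:: lines. The Python script below is an added example, not ComboFix code and not from any poster in this thread, that automates that triage over a constructed log sample written in the same layout. The heuristics (image under a user-writable profile directory, image created shortly before the scan, image also present in the firewall exception list, service whose image is missing, autostart entry that catchme found hidden from the registry API), the sample lines and the scan date are all assumptions made for the example.

```python
"""Triage helper for ComboFix/catchme-style log lines (added example, not ComboFix
code or any poster's code). Flags autostart entries, firewall exceptions and
services worth a closer look and renders them in the CFScript layout of the post."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample in the ComboFix log layout; the paths echo the thread, the text is not a capture.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
"Intel Graphics Controller"="c:\windows\system32\igfxctv32.exe" [2011-10-18 142848]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\igfxctv32.exe"=
.
S1 prhbmtzx;prhbmtzx;\??\c:\windows\system32\drivers\prhbmtzx.sys --> c:\windows\system32\drivers\prhbmtzx.sys [?]
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Fxjmjr = c:\documents and settings\PC\Application Data\Fxjmjr.exe
"""
SCAN_DATE = date(2011, 10, 20)  # assumed date of the scan the sample imitates

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<created>\d{4}-\d{2}-\d{2}) \d+\])?')
FW_VALUE = re.compile(r'^"(?P<path>[^"]+)"=$')
SERVICE = re.compile(r'^[RS]\d (?P<name>[^;]+);[^;]*;(?P<rest>.*)$')
HIDDEN_RUN = re.compile(r'^(?P<name>\S+) = (?P<path>.+)$')
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")  # profile dirs a user can write


@dataclass
class Finding:
    kind: str        # "run" (autostart value) or "service"
    name: str        # value name or service name
    path: str        # normalised image path
    key: str         # registry key the value lives under ("" for services)
    reasons: list


def normalise(path: str) -> str:
    """Collapse the doubled backslashes ComboFix prints under some keys; compare case-insensitively."""
    return path.replace("\\\\", "\\").lower()


def triage(log_text: str, scan_date: date, recent_days: int = 14) -> list:
    run_entries, firewall, findings = {}, set(), []
    key, in_hidden = "", False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # a lone dot separates ComboFix sections
            key = ""
            continue
        if line.startswith("scanning "):     # catchme section headers
            in_hidden = line.startswith("scanning hidden autostart")
            continue
        if in_hidden:                        # values the normal registry API did not return
            if line.startswith("HK"):
                key = f"[{line}]"
            elif (m := HIDDEN_RUN.match(line)):
                findings.append(Finding("run", m["name"], normalise(m["path"]), key,
                                        ["autostart entry hidden from the registry API"]))
            continue
        if (m := SERVICE.match(line)):
            if m["rest"].endswith("[?]"):    # ComboFix could not find the image on disk
                path = m["rest"].split("-->")[-1].replace("[?]", "").strip()
                findings.append(Finding("service", m["name"], normalise(path), "",
                                        ["service registered but image file missing"]))
            continue
        if line.startswith("["):
            key = line
        elif "authorizedapplications" in key.lower():
            if (m := FW_VALUE.match(line)):
                firewall.add(normalise(m["path"]))
        elif key.lower().endswith("currentversion\\run]"):
            if (m := RUN_VALUE.match(line)):
                run_entries[normalise(m["path"])] = (m["name"], m["created"], key)
    for path, (name, created, key) in run_entries.items():
        reasons = []
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable profile directory")
        if created and (scan_date - date.fromisoformat(created)).days <= recent_days:
            reasons.append(f"image created within {recent_days} days of the scan")
        if path in firewall:
            reasons.append("also added to the firewall exception list")
        if reasons:
            findings.append(Finding("run", name, path, key, reasons))
    return findings


def to_cfscript(findings: list) -> str:
    """Render findings in the File:: / Registry:: / Driver:: layout used in the post above."""
    lines = ["File::"] + sorted({f.path for f in findings}) + ["", "Registry::"]
    for f in findings:
        if f.kind == "run":
            lines += [f.key, f'"{f.name}"=-']
    lines += ["", "Driver::"] + sorted(f.name for f in findings if f.kind == "service")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":   # stand-alone run: list the findings, then the draft script
    for f in triage(SAMPLE_LOG, SCAN_DATE):
        print(f"{f.kind:8} {f.name:26} {f.path}  <- {'; '.join(f.reasons)}")
    print(to_cfscript(SAMPLE_LOG and triage(SAMPLE_LOG, SCAN_DATE)))
```

On the sample, egui is left alone (vendor path, months old, no firewall exception), while the system32 executable is flagged twice (created two days before the scan and whitelisted in the firewall), the missing-image service lands in Driver:: and the catchme-only Run value lands in Registry::. The draft deliberately stops short of what the post does by hand: it does not emit the firewall-list removal line, and each finding still needs the kind of look Essexboy gives it before anything is fed to ComboFix.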
#10 tor666 (Topic Starter, Member, 11 posts)
After dragging the txt file to the ComboFix icon, an error occurred saying explorer.exe encountered an error, and ComboFix updated its version. Is it okay, or will I redo it?

Anyway, here's the log:


ComboFix 11-10-19.05 - PC 10/20/2011 2:52.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.452 [GMT -7:00]
Running from: c:\documents and settings\PC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\PC\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
FILE ::
"C:\cnm32.exe"
"C:\cnon32.exe"
"c:\documents and settings\PC\Application Data\Fxjmjr.exe"
"c:\documents and settings\PC\Application Data\Lzjmjx.exe"
"c:\windows\system32\drivers\prhbmtzx.sys"
"c:\windows\system32\igfxctv32.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\PC\Application Data\BF2.tmp
c:\documents and settings\PC\Application Data\BF3.tmp
c:\documents and settings\PC\Application Data\BF4.tmp
c:\documents and settings\PC\Application Data\E96.tmp
c:\documents and settings\PC\Application Data\E97.tmp
c:\documents and settings\PC\Application Data\E98.tmp
c:\documents and settings\PC\Application Data\Fxjmjr.exe
c:\documents and settings\PC\Application Data\Lzjmjx.exe
c:\windows\aadrive32.exe
c:\windows\system32\igfxctv32.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_prhbmtzx
.
.
((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
.
.
2011-10-20 07:21 . 2011-10-20 07:21 -------- d-----w- C:\_OTL
2011-10-17 04:14 . 2011-10-17 04:14 388096 ----a-r- c:\documents and settings\PC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-17 04:13 . 2011-10-17 04:13 -------- d-----w- c:\program files\Trend Micro
2011-10-17 02:30 . 2011-10-17 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-17 02:30 . 2011-10-17 02:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-17 02:22 . 2011-10-17 02:22 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-10-17 01:34 . 2011-05-25 02:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-16 23:15 . 2011-10-16 23:15 -------- d-----w- c:\documents and settings\PC\Application Data\Foxit Software
2011-10-16 09:28 . 2011-10-17 02:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-10-16 09:14 . 2011-10-17 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-10-16 08:56 . 2011-10-16 08:56 -------- d-----w- c:\documents and settings\PC\Application Data\DAEMON Tools Pro
2011-10-16 08:54 . 2011-10-16 08:56 -------- d-----w- c:\documents and settings\PC\Application Data\uTorrent
2011-10-14 22:08 . 2011-10-14 22:08 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\PCHealth
2011-10-02 05:32 . 2011-10-02 05:32 -------- d-----w- c:\program files\MSECache
2011-10-01 02:08 . 2011-10-01 02:08 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\ESET
2011-09-28 16:19 . 2011-09-28 16:19 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Temp
2011-09-28 16:19 . 2011-09-28 16:19 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Adobe
2011-09-28 07:46 . 2011-09-28 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-09-28 00:27 . 2011-09-28 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-09-22 22:11 . 2011-07-10 21:30 4125176 ----a-w- c:\windows\system32\GameMon.des
2011-09-22 22:10 . 2005-01-04 09:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-09-22 22:10 . 2003-07-20 18:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-09-22 22:10 . 2011-09-22 22:10 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-09-22 22:09 . 2011-09-22 22:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 17:54 . 2011-09-09 17:42 2829 ----a-w- c:\windows\War3Unin.pif
2011-09-09 17:54 . 2011-09-09 17:42 139264 ----a-w- c:\windows\War3Unin.exe
2011-09-09 17:30 . 2011-09-09 17:30 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-09-01 03:31 . 2011-09-01 03:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-01 03:31 . 2011-09-01 03:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 23:20 . 2011-08-30 03:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-08-30 23:20 . 2011-08-30 03:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-08-30 03:52 . 2011-08-30 03:52 315392 ----a-w- c:\windows\HideWin.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-17_03.39.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-20 09:59 . 2011-10-20 09:59 16384 c:\windows\temp\Perflib_Perfdata_19c.dat
+ 2011-10-17 04:13 . 2011-10-17 04:13 1094656 c:\windows\Installer\19b60b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]
"nwiz"="nwiz.exe" [2006-07-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-13 86016]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-06-29 137216]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 16116224]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2011-08-30 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKLM\~\startupfolder\C:^Documents and Settings^PC^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\PC\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2011-08-17 07:29 4527424 ----a-w- c:\program files\DAEMON Tools Pro\DTAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Garena Classic\\Garena.exe"=
"d:\\Games\\CherryDeGames\\Dragon Nest\\DragonNest.exe"=
"d:\\Games\\DOTA\\Warcraft III\\Warcraft III.exe"=
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [9/9/2011 10:30 AM 232512]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [12/21/2010 3:04 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2010 1:47 PM 94872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [1/12/2011 4:41 PM 810144]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [8/29/2011 8:55 PM 38656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena Classic\safedrv.sys --> c:\program files\Garena Classic\safedrv.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/31/2011 12:29 PM 27064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003Core.job
- c:\documents and settings\PC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-31 17:59]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2147138339-839522115-1003UA.job
- c:\documents and settings\PC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-31 17:59]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 124.106.7.2 124.106.6.2
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Intel Graphics Controller - c:\windows\system32\igfxctv32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-20 02:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-10-20 03:03:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-20 10:03
ComboFix2.txt 2011-10-20 09:28
ComboFix3.txt 2011-10-20 07:11
ComboFix4.txt 2011-10-18 10:26
ComboFix5.txt 2011-10-20 09:51
.
Pre-Run: 4,935,499,776 bytes free
Post-Run: 4,922,265,600 bytes free
.
- - End Of File - - F4FB1C6F4BFBF4DD012F312838E95011
  • 0
#11 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Is your AV still reporting the infection? Can you now access antivirus sites?

What are your current problems?
  • 0

#12 tor666 (Topic Starter, Member, 11 posts)

Thanks man! The antivirus sites problem is solved. I haven't encountered any other problem yet. Sometimes it takes a few minutes before ESET pops up and reports trouble. Maybe I'll monitor the computer for a day. Thanks again!
  • 0

#13 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK, whilst we are waiting let's sweep for orphans :)

Please download Malwarebytes' Anti-Malware

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0

#14 tor666 (Topic Starter, Member, 11 posts)

Should I remove Spybot before installing Malwarebytes?
  • 0

#15 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Nope, no need :)
  • 0