
win32.zafi.b



#1
pyrohamster
Member, 10 posts
During the process you are supposed to use HijackThis to find C:\WINDOWS\system32\ssqOFYOF.dll, but that file is not on my computer even though I still have the virus. I've even looked by hand for it. Am I doing something wrong?

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:59 PM, on 3/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\vVX3000.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=66019
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=66019
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.c...spx?tb_id=66019
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=66019
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: GameSpot Download Manager.lnk = C:\Users\Administrator\mods\installs\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Qwest QuickNetworking.lnk = C:\Program Files\QwestQuickNetworking\WebWorks.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10011 bytes
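The question in the post above comes down to lining a HijackThis log up against what is actually on disk: a registry entry can outlive the file it points at, and a removal guide can name a file a particular machine never had. The Python below is an added example written for this page, not a tool from the thread or from HijackThis itself. It parses the O2/O3, O4 and O23 line formats that appear in the log, pulls out the file each entry references, and lists the entries worth a second look: one marked `(no file)`, a service with no publisher string, a per-user autorun, or a path that is missing from the machine. The sample lines are copied from the log above; the `PRESENT_ON_DISK` set is a constructed stand-in for the real file system so the demo runs offline. A flag means "review", not "malicious": PnkBstrA, for instance, belongs to the PunkBuster Services package listed later in this thread and simply carries no publisher string.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=66019
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

# Constructed stand-in for the file system: the paths we pretend exist on the machine.
# Ares.exe is deliberately left out to show an autorun entry whose file is gone.
PRESENT_ON_DISK = {
    r"C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"C:\Program Files\Support.com\bin\tgcmd.exe",
    r"C:\Windows\system32\PnkBstrA.exe",
    r"C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE",
}

LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
BHO_RE = re.compile(r"^(?:BHO|Toolbar):\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(Run\w*):\s+\[(.*?)\]\s*(.*)$")
SVC_RE = re.compile(r"^Service:\s+(.*?)\s+-\s+(.*?)\s+-\s+(.*)$")
# A quoted path, or an unquoted one that ends at the first executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(\S.*?\.(?:exe|dll|scr|cpl))(?=\s|$)', re.IGNORECASE)


@dataclass
class Entry:
    code: str            # HijackThis section, e.g. "O4"
    name: str            # BHO/toolbar name, Run value name or service name
    path: Optional[str]  # file the entry points at; None for "(no file)" or unparsed lines
    hive: str = ""       # registry hive of an O4 Run entry
    owner: str = ""      # publisher string of an O23 service
    raw: str = ""        # the original log line


def extract_path(command: str) -> Optional[str]:
    # Pull the executable out of a Run command line, quoted or not, dropping its arguments.
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    if code in ("O2", "O3"):
        b = BHO_RE.match(rest)
        if b:
            name, _clsid, target = b.groups()
            path = None if target.strip() == "(no file)" else target.strip()
            return Entry(code, name, path, raw=line)
    elif code == "O4":
        r = RUN_RE.match(rest)
        if r:
            hive, _key, name, command = r.groups()
            return Entry(code, name, extract_path(command), hive=hive, raw=line)
    elif code == "O23":
        s = SVC_RE.match(rest)
        if s:
            name, owner, path = s.groups()
            return Entry(code, name, path.strip(), owner=owner, raw=line)
    # Any other section (R0/R1 browser settings, O16 DPF, ...) is kept as an opaque entry.
    return Entry(code, rest, None, raw=line)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def review(entries: List[Entry],
           exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for every entry that deserves a second look."""
    findings: List[Tuple[Entry, List[str]]] = []
    for e in entries:
        reasons = []
        if e.code in ("O2", "O3") and e.path is None:
            reasons.append("orphaned: registry entry points at (no file)")
        if e.code == "O23" and e.owner.lower() == "unknown owner":
            reasons.append("service carries no publisher string; confirm what installed it")
        if e.code == "O4" and e.hive == "HKCU":
            reasons.append("per-user autorun: written without administrative rights")
        if e.path is not None and not exists(e.path):
            reasons.append("referenced file is not present on disk")
        if reasons:
            findings.append((e, reasons))
    return findings


def summarize(text: str,
              exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Map entry name -> reasons for every entry review() flagged."""
    return {e.name: reasons for e, reasons in review(parse_log(text), exists)}


if __name__ == "__main__":
    for name, reasons in summarize(SAMPLE_LOG, lambda p: p in PRESENT_ON_DISK).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a Windows machine, call `summarize(log_text)` with the default `os.path.exists` to check the live file system; the injectable `exists` callback is what lets the demo run against the constructed set here. The per-user autorun flag is the noisiest of the four, so treat it as a reading aid for the O4 section rather than a verdict.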


#2
sjpritch25
Malware Expert, 79 posts
Welcome to G2G !!!! :)


Please download Malwarebytes Anti-Malware from Here or Here
Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply with a fresh HijackThis log too.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




Download DDS and save it to your desktop from here or here or here
Disable any script blocker, and then double-click dss.scr to run the tool.
  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop
  • In your next reply, please attach both logs. Thanks


#3
pyrohamster (Topic Starter)
Member, 10 posts
OK, I thought malware picked up on something, but it didn't show it in the log or on the results. Here are those logs you needed:

Malwarebytes' Anti-Malware 1.35
Database version: 1907
Windows 6.0.6001 Service Pack 1

3/27/2009 3:11:29 PM
mbam-log-2009-03-27 (15-11-29).txt

Scan type: Quick Scan
Objects scanned: 5053
Time elapsed: 8 hour(s), 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:46 PM, on 3/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\vVX3000.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=66019
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=66019
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.c...spx?tb_id=66019
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=66019
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: GameSpot Download Manager.lnk = C:\Users\Administrator\mods\installs\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Qwest QuickNetworking.lnk = C:\Program Files\QwestQuickNetworking\WebWorks.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames...ctivex/YoYo.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10543 bytes

-------------

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 11/26/2007 10:04:11 AM
System Uptime: 3/27/2009 7:05:47 AM (8 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | MS-7379
Processor: Intel® Core™2 Duo CPU E6550 @ 2.33GHz | CPU 1 | 2333/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 64.084 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP750: 3/24/2009 5:59:02 PM - Scheduled Checkpoint
RP751: 3/25/2009 7:54:54 AM - Scheduled Checkpoint
RP752: 3/25/2009 5:41:05 PM - Installed BitDefender Free Edition v10
RP753: 3/26/2009 4:09:57 PM - Removed Java™ 6 Update 2
RP754: 3/26/2009 4:11:24 PM - Removed J2SE Runtime Environment 5.0 Update 12
RP755: 3/26/2009 4:13:02 PM - Removed Java™ 6 Update 7
RP756: 3/26/2009 4:14:23 PM - Removed J2SE Runtime Environment 5.0 Update 12
RP757: 3/26/2009 4:22:39 PM - Installed Java™ 6 Update 13
RP758: 3/26/2009 4:30:19 PM - Removed Java™ 6 Update 13
RP759: 3/26/2009 5:42:59 PM - Removed BitDefender Free Edition v10
RP760: 3/26/2009 6:00:56 PM - Removed Java™ 6 Update 13
RP761: 3/26/2009 6:07:28 PM - Installed Java™ 6 Update 13
RP762: 3/27/2009 9:44:25 AM - Scheduled Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office system
2Wire Wireless Client
3dsmax ancillary install
AC3Filter (remove only)
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player 11
AppCore
Apple Software Update
avast! Antivirus
Backburner
Backup
Battlefield 1942
BioShock
BitTorrent
Call of Duty® - World at War™
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
Canon iP1700
ccCommon
Command & Conquer 3
Command & Conquer™ 3: Kane's Wrath
Command & Conquer™ Red Alert™ 3
Counter-Strike: Source
DAEMON Tools Toolbar
Darwinia
Day of Defeat: Source
Day of Defeat: Source Beta
dBpowerAMP Music Converter
DNA
EA Download Manager
Enemy Territory: QUAKE Wars Demo 2.0
FBX Plugin 2006.08 for Max 9.0
FINAL FANTASY XI
FPS Creator
Fraps (remove only)
Garry's Mod
GearDrvs
Google Earth
Google Updater
GPGNet
GPL MPEG-1/2 DirectShow Decoder Filter
Half-Life
Half-Life 2
Half-Life 2: Deathmatch
HijackThis 2.0.2
igLoader
Iron Grip: Warlord
Java™ 6 Update 13
Jeff Wayne's 'The War Of The Worlds'
Last.fm 1.5.1.29527
Left 4 Dead
Linksys Wireless-G USB Network Adapter
LiveUpdate (Symantec Corporation)
Logitech Desktop Messenger
Magic ISO Maker v5.5 (build 0272)
MagicDisc 2.7.105
Malwarebytes' Anti-Malware
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Missing Information
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.7)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Multiwinia
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
Notepad++
NVIDIA Drivers
NVIDIA PhysX v8.10.13
OpenAL
Paint.NET v3.36
Peggle Extreme
Pivot Stickfigure Animator
PlayOnline Viewer & Tetra Master
Portal
Project64 1.6
PunkBuster Services
QuickTime
Qwest QuickCare
Qwest QuickNetworking
Realtek High Definition Audio Driver
RESIDENT EVIL2
Roblox
Science & Industry 1.1
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Skype™ Beta 4.0
Source SDK
Source SDK Base
Source SDK Base - Orange Box
SPBBC 32bit
SPORE™
Steam
Strider Mountain Pre-Release Moddb Version v1.1
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Synergy
System Requirements Lab
Team Fortress Classic
The Neverhood
Universe at War Earth Assault
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
VTFEdit 1.2.5
Warhammer 40,000: Dawn Of War - Platinum Edition
WinRAR archiver
Xfire (remove only)
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Search Suggest Add-on for IE7
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

3/21/2009 2:02:27 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
3/21/2009 2:02:27 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/21/2009 2:04:42 PM, Error: Application Popup [875] - Driver sfdrv01.sys has been blocked from loading.
3/21/2009 2:06:10 PM, Error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.
3/21/2009 2:06:10 PM, Error: Service Control Manager [7000] - The npkcrypt service failed to start due to the following error: The system cannot find the file specified.
3/21/2009 2:06:10 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sfdrv01
3/22/2009 1:09:08 PM, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
3/25/2009 4:49:55 PM, Error: EventLog [6008] - The previous system shutdown at 4:27:34 PM on 3/25/2009 was unexpected.
3/25/2009 5:43:33 PM, Error: Service Control Manager [7030] - The BitDefender Desktop Update Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
3/25/2009 5:44:41 PM, Error: Service Control Manager [7000] - The bdfdll service failed to start due to the following error: This driver has been blocked from loading
3/25/2009 5:44:41 PM, Error: Application Popup [875] - Driver bdfdll.sys has been blocked from loading.
3/25/2009 5:44:46 PM, Error: Service Control Manager [7000] - The BDFsDrv service failed to start due to the following error: The system cannot find the file specified.
3/25/2009 5:44:49 PM, Error: Service Control Manager [7000] - The BDRsDrv service failed to start due to the following error: The system cannot find the file specified.
3/26/2009 4:07:19 PM, Error: EventLog [6008] - The previous system shutdown at 4:05:42 PM on 3/26/2009 was unexpected.
3/26/2009 4:19:28 PM, Error: EventLog [6008] - The previous system shutdown at 4:17:13 PM on 3/26/2009 was unexpected.
3/26/2009 4:27:17 PM, Error: EventLog [6008] - The previous system shutdown at 4:23:22 PM on 3/26/2009 was unexpected.
3/26/2009 10:26:36 PM, Error: Service Control Manager [7030] - The avast! Antivirus service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
3/26/2009 10:26:36 PM, Error: Service Control Manager [7030] - The avast! iAVS4 Control Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
3/26/2009 10:26:37 PM, Error: Service Control Manager [7030] - The avast! Mail Scanner service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
3/26/2009 10:26:37 PM, Error: Service Control Manager [7030] - The avast! Web Scanner service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

==== End Of File ===========================

-----------------

DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 15:20:52.64 on Fri 03/27/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1023.223 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\vVX3000.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\DNA\btdna.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Users\Administrator\AppData\Roaming\Google\vxpclock.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Administrator\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=66019
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=66019
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\searchsuggest\YSearchSuggest.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [realteks] "c:\users\administrator\appdata\roaming\google\vxpclock.exe" 2
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\gamesp~1.lnk - c:\users\administrator\mods\installs\gamespot\GameSpotDownloadManager_Win32.exe
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\qwestq~1.lnk - c:\program files\qwestquicknetworking\WebWorks.exe
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - hxxp://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\rmyv4i08.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-26 114768]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090318.001\IDSvix86.sys [2009-3-23 272432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-26 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-26 51792]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-2-27 46112]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-28 101936]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-03-26 22:26 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-03-26 16:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-26 15:25 <DIR> --d----- c:\program files\Trend Micro
2009-03-25 18:14 81,984 a------- c:\windows\system32\bdod.bin
2009-03-25 17:43 <DIR> --d----- c:\program files\Softwin
2009-03-25 17:40 <DIR> --d----- c:\program files\common files\Softwin
2009-03-20 16:25 41,808 a------- c:\windows\system32\xfcodec.dll
2009-03-11 00:01 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 00:01 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 00:01 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 00:01 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 00:00 268,288 a------- c:\windows\system32\schannel.dll
2009-03-10 23:59 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-25 17:11 189,496 a------- c:\windows\system32\PnkBstrB.xtr

==================== Find3M ====================

2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-20 21:35 161,280 a------- c:\users\administrator\fmod.dll
2009-03-20 21:35 60,928 a------- c:\users\administrator\jbfmod.dll
2009-03-06 16:11 86,016 a------- c:\windows\inf\infstor.dat
2009-03-06 16:11 51,200 a------- c:\windows\inf\infpub.dat
2009-03-06 16:11 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-06 16:08 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-06 16:08 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-06 16:08 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-25 20:10 139,984 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-25 20:10 189,496 a------- c:\windows\system32\PnkBstrB.exe
2009-02-25 17:10 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-02-24 17:55 31 a------- c:\users\administrator\jagex_runescape_preferences.dat
2009-02-19 12:31 24,112 a------- c:\windows\system32\drivers\SymIMV.sys
2009-02-19 12:31 9,844 a------- c:\windows\system32\drivers\SymRedir.cat
2009-02-19 12:31 1,611 a------- c:\windows\system32\drivers\SymRedir.inf
2009-02-19 12:31 41,008 a------- c:\windows\system32\drivers\symndisv.sys
2009-02-19 12:31 184,496 a------- c:\windows\system32\drivers\symtdi.sys
2009-02-19 12:31 96,560 a------- c:\windows\system32\drivers\symfw.sys
2009-02-19 12:31 38,576 a------- c:\windows\system32\drivers\symids.sys
2009-02-19 12:31 22,320 a------- c:\windows\system32\drivers\symredrv.sys
2009-02-19 12:31 13,616 a------- c:\windows\system32\drivers\symdns.sys
2009-02-10 16:53 10,242,858 a------- c:\users\administrator\toolspack.zip
2009-01-29 19:40 1,039,000 a------- c:\users\administrator\Google_Updater.exe
2009-01-25 18:20 1,352,084 a------- c:\users\administrator\setup_magicdisc.exe
2009-01-20 01:02 81,371,648 a------- c:\users\administrator\181.20_geforce_winvista_32bit_english_whql.exe
2009-01-19 01:10 528,371,138 a------- c:\users\administrator\igwarlord111full.exe
2009-01-18 00:40 11,045,717 a------- c:\users\administrator\QuickTimeInstaller.zip
2009-01-15 00:11 827,392 a------- c:\windows\system32\wininet.dll
2008-12-29 20:38 37,126,021 a------- c:\users\administrator\decay_eng.exe
2008-12-25 10:01 22,328 a------- c:\users\admini~1\appdata\roaming\PnkBstrK.sys
2008-12-22 18:49 66,259,607 a------- c:\users\administrator\gm_atomic.zip
2008-12-09 21:25 66,760,158 a------- c:\users\administrator\WH Demo.zip
2008-11-12 17:10 846,336 a------- c:\users\administrator\pbsetup.exe
2008-11-10 19:17 4,955,128 a------- c:\users\administrator\BonusContent_BetaTester.exe
2008-11-08 19:52 72,300,734 a------- c:\users\administrator\zm_beta_120_full.exe
2008-10-31 21:54 1,813,002 a------- c:\users\administrator\Another_Day.zip
2008-10-16 14:47 7,770,798 a------- c:\users\administrator\Small Thunderchild.zip
2008-10-12 20:08 3,079,604 a------- c:\users\administrator\Setup_MagicISO.exe
2008-09-05 00:16 174 a--sh--- c:\program files\desktop.ini
2008-09-05 00:03 665,600 a------- c:\windows\inf\drvindex.dat
2007-08-03 23:17 12,507,705 a------- c:\users\administrator\R2S9.exe
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2003-05-27 14:36 562,160 a------- c:\users\administrator\QuickTimeInstaller.exe
2008-10-17 17:08 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-17 17:08 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-17 17:08 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 15:21:18.00 ===============

Edited by pyrohamster, 27 March 2009 - 03:35 PM.


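Reading the autorun section of the DDS log above (the uRun/mRun lines under "Pseudo HJT Report") is what the helpers in this thread do by eye. The script below is an added example, not part of the original posts or of any tool mentioned here: it parses those lines (and the equivalent HijackThis O4 lines) and scores each entry with two heuristics chosen by the editor, an image living under a user-writable profile or temp directory, and a value name that shares nothing with the image file name. Run over sample lines taken from the log, it flags only the [realteks] entry pointing at vxpclock.exe in AppData\Roaming\Google; that file appears later in the thread under ComboFix's "Other Deletions". The location list and the weights are the editor's assumptions, not a published detection rule.

```python
"""Triage of autorun entries from a DDS "Pseudo HJT Report" or HijackThis log.
Added example for this thread, not part of the original posts or of any tool; the
scoring heuristics and the user-writable location list are the editor's assumptions."""
import re
from dataclasses import dataclass

# DDS form "uRun: [name] cmd" / "mRunOnce: ..." and HijackThis form "O4 - HKLM\..\Run: [name] cmd".
RUN_LINE = re.compile(
    r"^(?:(?P<scope>[um])Run(?P<once>Once)?:"
    r"|O4 - HK(?P<hive>LM|CU)\\\.\.\\Run(?P<once2>Once)?:)"
    r"\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# Shortest prefix ending in an executable extension, so unquoted paths with spaces still parse.
IMAGE_RE = re.compile(r"^(?P<img>.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s+(?P<args>.*))?$", re.I)
# Assumption: places a standard user can write to. Legitimate software lives here too,
# so a hit adds weight rather than deciding the case.
USER_WRITABLE_MARKERS = ("\\users\\", "\\documents and settings\\", "\\appdata\\",
                         "\\programdata\\", "\\temp\\", "%temp%", "%appdata%")

@dataclass
class RunEntry:
    scope: str   # "u" = per-user (HKCU), "m" = machine-wide (HKLM)
    once: bool   # RunOnce rather than Run
    name: str    # registry value name shown in [brackets]
    image: str   # lower-cased path of what actually executes
    args: str

def split_command(cmd: str):
    """(image, args): honour a quoted image path, else take the first token ending in an exe-like extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end == -1 else (cmd[1:end], cmd[end + 1:].strip())
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group("img"), (m.group("args") or "").strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def effective_image(image: str, args: str) -> str:
    # rundll32 is only a host; the DLL it is told to load is the component to examine.
    if image.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        return args.split(",", 1)[0].strip().strip('"')
    return image

def parse_run_entries(log_text: str):
    entries = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        image, args = split_command(m.group("cmd"))
        scope = m.group("scope") or ("u" if m.group("hive") == "CU" else "m")
        entries.append(RunEntry(scope, bool(m.group("once") or m.group("once2")),
                                m.group("name"), effective_image(image, args).lower(), args))
    return entries

def _stem(path_or_name: str) -> str:
    """Basename without extension, lower-cased, letters and digits only."""
    base = re.sub(r"\.(exe|dll|scr|com)$", "", path_or_name.rsplit("\\", 1)[-1], flags=re.I)
    return re.sub(r"[^a-z0-9]", "", base.lower())

def triage(entry: RunEntry):
    """Score one entry; returns (score, reasons). A score of 2 or more merits a closer look."""
    reasons = []
    if any(marker in entry.image for marker in USER_WRITABLE_MARKERS):
        reasons.append(("image runs from a user-writable profile or temp location", 2))
    n, i = _stem(entry.name), _stem(entry.image)
    if n and i and n not in i and i not in n:
        reasons.append(("value name has nothing in common with the image name", 1))
    if not entry.image.endswith((".exe", ".dll")):
        reasons.append(("image has an unusual extension", 1))
    return sum(w for _, w in reasons), [text for text, _ in reasons]

def suspicious_names(log_text: str, threshold: int = 2):
    """Value names of entries whose score reaches the threshold."""
    return [e.name for e in parse_run_entries(log_text) if triage(e)[0] >= threshold]

# Constructed sample: six lines copied from the DDS log in this thread plus one rewritten
# in HijackThis O4 syntax to exercise the second parser branch.
SAMPLE_LOG = r"""
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [realteks] "c:\users\administrator\appdata\roaming\google\vxpclock.exe" 2
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
O4 - HKLM\..\Run: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
"""

if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_LOG):
        score, reasons = triage(e)
        print(("LOOK " if score >= 2 else "     ") + f"[{e.name}] -> {e.image}  {'; '.join(reasons)}")
```

Run directly it prints one line per entry with the reasons it scored; `suspicious_names()` returns just the flagged value names so the same check can be scripted against a saved log. The rundll32 handling matters in practice: the NvCplDaemon entry is judged on NvCpl.dll in system32, not on the host process.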
#4
sjpritch25 (Malware Expert, 79 posts)
The only thing I see wrong is you're running two anti-virus programs. You need to either uninstall Avast or Norton 360. Are you having any other issues?

#5
pyrohamster (Topic Starter, 10 posts)
Well, my firewall keeps telling me I still have the virus. But I did uninstall Avast (seeing as the other was not free).

Does win32.zafi.b crash the internet and the taskbar? Because mine has been crashing ever since I got the virus.

Edit:

Malwarebytes picked up on a few things, none of them the Zafi though. I would put up the log, but strangely it didn't create one.

Edit edit:

I scanned again and got a log file:



Malwarebytes' Anti-Malware 1.35
Database version: 1907
Windows 6.0.6001 Service Pack 1

3/27/2009 4:12:12 PM
mbam-log-2009-03-27 (16-12-12).txt

Scan type: Quick Scan
Objects scanned: 66644
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\gvtl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcev8j0ejat (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Edited by pyrohamster, 27 March 2009 - 04:14 PM.


#6
sjpritch25 (Malware Expert, 79 posts)
Can you give me the file name your firewall is giving you? I don't see any indication the worm installed fully. Thanks.

#7
pyrohamster (Topic Starter, 10 posts)
Here is a screenshot of the popup, and the problem I'm having with the internet (never happened before).

Attached Thumbnails

  • insecure_browsing.jpg
  • popup.jpg

Edited by pyrohamster, 27 March 2009 - 04:34 PM.


#8
sjpritch25 (Malware Expert, 79 posts)
Okay, let's look a bit deeper.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
  • Please make sure the following are checked; I need a deeper look into your system.
    Check the following:
    Rootkit check
    Under Additional Scans:
    App paths
    Protocol Handlers
    Protocol Filters
    Tcpip Persistant Routes
    Security Center Settings
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

#9
pyrohamster (Topic Starter, 10 posts)
I tried to run it 8 or so times, but it would randomly freeze, and I'm not using my PC.

#10
sjpritch25 (Malware Expert, 79 posts)
Unplug your ethernet cable from the back of your computer, disable all protection programs and try again. Let me know if you're still unsuccessful. You need to let it run; it may take up to 10 minutes.

#11
pyrohamster (Topic Starter, 10 posts)
OK, it worked now.

Attached Files

#12
pyrohamster (Topic Starter, 10 posts)
I don't think I have win32.zafi.B at all. I have a virus that keeps trying to sell me Perfect Defender.

Combofix log:



ComboFix 09-03-28.02 - Administrator 2009-03-28 20:42:38.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1023.258 [GMT -6:00]
Running from: c:\users\Administrator\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\users\ADMINI~1\AppData\Roaming\Google\spxpclp32.dll
c:\users\ADMINI~1\AppData\Roaming\Google\vxpclock.exe
c:\users\Administrator\AppData\Roaming\Google\spxpclp32.dll
c:\users\Administrator\AppData\Roaming\Google\vxpclock.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-26 22:26 . 2009-03-26 22:26 <DIR> d-------- c:\program files\Alwil Software
2009-03-26 16:24 . 2009-03-26 18:08 410,984 --a------ c:\windows\System32\deploytk.dll
2009-03-26 16:23 . 2009-03-26 16:23 <DIR> d-------- c:\program files\Java
2009-03-26 15:25 . 2009-03-26 15:25 <DIR> d-------- c:\program files\Trend Micro
2009-03-25 18:14 . 2009-03-26 17:44 81,984 --a------ c:\windows\System32\bdod.bin
2009-03-25 17:43 . 2009-03-25 17:43 <DIR> d-------- c:\program files\Softwin
2009-03-25 17:40 . 2009-03-26 17:45 <DIR> d-------- c:\program files\Common Files\Softwin
2009-03-20 16:25 . 2009-03-20 16:25 41,808 --a------ c:\windows\System32\xfcodec.dll
2009-03-11 00:01 . 2008-12-15 21:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-11 00:01 . 2008-12-15 23:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-11 00:01 . 2008-12-15 23:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-11 00:01 . 2008-12-15 23:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-11 00:00 . 2008-11-26 22:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-10 23:59 . 2009-02-08 21:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-03 18:43 . 2009-03-03 18:46 <DIR> d-------- c:\users\Administrator\AppData\Roaming\Notepad++
2009-03-03 18:43 . 2009-03-03 18:43 <DIR> d-------- c:\program files\Notepad++

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 02:50 --------- d-----w c:\users\Administrator\AppData\Roaming\DNA
2009-03-29 02:50 --------- d-----w c:\program files\Steam
2009-03-29 02:50 --------- d-----w c:\program files\DNA
2009-03-29 02:40 6,736 ----a-w c:\windows\system32\drivers\PROCEXP90.SYS
2009-03-28 21:33 --------- d-----w c:\users\Administrator\AppData\Roaming\Xfire
2009-03-28 21:15 189,496 ----a-w c:\windows\System32\PnkBstrB.exe
2009-03-28 21:11 139,984 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-28 17:42 --------- d-----w c:\progra~2\Google Updater
2009-03-27 22:20 --------- d-----w c:\users\Administrator\AppData\Roaming\SystemRequirementsLab
2009-03-27 22:20 --------- d-----w c:\program files\SystemRequirementsLab
2009-03-27 21:07 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-26 23:56 --------- d-----w c:\progra~2\Xfire
2009-03-26 22:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 22:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 12:52 --------- d-----w c:\program files\Xfire
2009-03-23 22:49 --------- d-----w c:\users\Administrator\AppData\Roaming\DAEMON Tools
2009-03-23 22:49 --------- d-----w c:\users\Administrator\AppData\Roaming\Command & Conquer 3 Tiberium Wars
2009-03-23 22:49 --------- d-----w c:\users\Administrator\AppData\Roaming\Command & Conquer 3 Kane's Wrath
2009-03-23 22:49 --------- d-----w c:\users\Administrator\AppData\Roaming\BitTorrent
2009-03-23 22:49 --------- d-----w c:\users\Administrator\AppData\Roaming\Bioshock
2009-03-23 22:49 --------- d-----w c:\users\Administrator\AppData\Roaming\Atari
2009-03-21 20:05 --------- d-----w c:\program files\Common Files\Steam
2009-03-21 04:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 03:35 60,928 ----a-w c:\users\Administrator\jbfmod.dll
2009-03-21 03:35 161,280 ----a-w c:\users\Administrator\fmod.dll
2009-03-11 09:08 --------- d-----w c:\program files\Windows Mail
2009-03-11 09:01 --------- d-----w c:\progra~2\Microsoft Help
2009-03-06 22:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-06 22:08 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-06 22:08 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-06 22:08 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-06 22:08 --------- d-----w c:\program files\Symantec
2009-02-25 23:10 75,064 ----a-w c:\windows\System32\PnkBstrA.exe
2009-02-24 23:55 31 ----a-w c:\users\Administrator\jagex_runescape_preferences.dat
2009-02-22 03:24 --------- d-----w c:\program files\CAPCOM
2009-02-19 18:31 96,560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 18:31 9,844 ----a-w c:\windows\system32\drivers\SymRedir.cat
2009-02-19 18:31 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 18:31 38,576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 18:31 24,112 ----a-w c:\windows\system32\drivers\SymIMV.sys
2009-02-19 18:31 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 18:31 184,496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 18:31 13,616 ----a-w c:\windows\system32\drivers\symdns.sys
2009-02-19 18:31 1,611 ----a-w c:\windows\system32\drivers\SymRedir.inf
2009-02-14 01:44 --------- d---a-w c:\progra~2\TEMP
2009-02-10 23:40 --------- d-----w c:\program files\IGWarlord
2009-02-10 22:53 10,242,858 ----a-w c:\users\Administrator\toolspack.zip
2009-01-30 02:34 --------- d-----w c:\program files\VTFEdit
2009-01-30 01:48 --------- d-----w c:\program files\Google
2009-01-30 01:40 1,039,000 ----a-w c:\users\Administrator\Google_Updater.exe
2009-01-28 22:08 --------- d-----w c:\program files\Pivot Stickfigure Animator
2009-01-26 00:20 1,352,084 ----a-w c:\users\Administrator\setup_magicdisc.exe
2009-01-20 07:02 81,371,648 ----a-w c:\users\Administrator\181.20_geforce_winvista_32bit_english_whql.exe
2009-01-19 07:10 528,371,138 ----a-w c:\users\Administrator\igwarlord111full.exe
2009-01-18 06:40 11,045,717 ----a-w c:\users\Administrator\QuickTimeInstaller.zip
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-12-30 02:38 37,126,021 ----a-w c:\users\Administrator\decay_eng.exe
2008-12-25 16:01 22,328 ----a-w c:\users\Administrator\AppData\Roaming\PnkBstrK.sys
2008-12-23 00:49 66,259,607 ----a-w c:\users\Administrator\gm_atomic.zip
2008-12-10 03:25 66,760,158 ----a-w c:\users\Administrator\WH Demo.zip
2008-11-12 23:10 846,336 ----a-w c:\users\Administrator\pbsetup.exe
2008-11-11 01:17 4,955,128 ----a-w c:\users\Administrator\BonusContent_BetaTester.exe
2008-11-09 01:52 72,300,734 ----a-w c:\users\Administrator\zm_beta_120_full.exe
2008-11-01 03:54 1,813,002 ----a-w c:\users\Administrator\Another_Day.zip
2008-10-16 20:47 7,770,798 ----a-w c:\users\Administrator\Small Thunderchild.zip
2008-10-13 02:08 3,079,604 ----a-w c:\users\Administrator\Setup_MagicISO.exe
2008-09-05 06:16 174 --sha-w c:\program files\desktop.ini
2007-08-04 05:17 12,507,705 ----a-w c:\users\Administrator\R2S9.exe
2003-05-27 20:36 562,160 ----a-w c:\users\Administrator\QuickTimeInstaller.exe
2008-06-30 19:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-10-17 23:08 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-10-17 23:08 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-10-17 23:08 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-09-16 13:06 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
2008-09-16 13:06 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008091620080917\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-10-07 1410296]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-13 342848]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-11-19 1851392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-18 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-26 148888]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 c:\windows\RtHDVCpl.exe]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-09-25 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{20860D14-DC2C-4CA4-82C5-AD1FC129D943}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{597005D6-BF6D-44B0-B7A2-38A162133CE9}c:\\program files\\thq\\dawn of war\\w40k.exe"= UDP:c:\program files\thq\dawn of war\w40k.exe:W40k
"UDP Query User{8B1C646F-172B-4AF4-BD96-901AEB107758}c:\\program files\\thq\\dawn of war\\w40k.exe"= TCP:c:\program files\thq\dawn of war\w40k.exe:W40k
"TCP Query User{38FAC374-9712-4233-9303-282F26EC72E9}c:\\program files\\xfire\\xfire.exe"= UDP:c:\program files\xfire\xfire.exe:Xfire
"UDP Query User{930E650F-E29B-4B97-ACB2-BD271F250D6E}c:\\program files\\xfire\\xfire.exe"= TCP:c:\program files\xfire\xfire.exe:Xfire
"{9BB7B2F9-B616-4374-94A3-F63C85B054F6}"= UDP:c:\program files\Sega\Universe At War Earth Assault\UAWEA.exe:Universe at War Earth Assault
"{D5FF2E76-2B7B-4FD6-9E5C-C3C66703B337}"= TCP:c:\program files\Sega\Universe At War Earth Assault\UAWEA.exe:Universe at War Earth Assault
"{7EF5499E-ECBB-4A42-9A8C-BB7F230EB565}"= UDP:c:\program files\CrosuS\CrosuSApp.exe:Crosus
"{5CB8B318-5483-4B39-ABFD-CCFD729E6F50}"= TCP:c:\program files\CrosuS\CrosuSApp.exe:Crosus
"{8D0730E5-CE30-4C4A-BF17-5DD30A097F40}"= UDP:c:\program files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{620711DE-D2C5-4331-8E75-50DA36DFF908}"= TCP:c:\program files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{1F059821-5001-447B-9877-F1A62A2AAC6C}"= UDP:c:\program files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{B044ED87-4F7F-471C-AAAC-72606FB7D808}"= TCP:c:\program files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{7B230978-6C2C-4FE1-BD8E-AFCB607A2B61}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{00A2C99E-91F9-4270-9174-DD5DA2C0F5EC}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{28B00288-336B-4D85-900D-CECDFFDF6D56}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{C20F9A69-DE9B-42E0-A8DC-E7967D17B00F}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{3E583FD6-A052-499C-9625-7DF645DCB90C}"= UDP:c:\program files\EA Games\Battlefield 2\BF2.exe:Battlefield 2
"{59787AC8-DA91-4167-9A3B-E1DA7DB0E919}"= TCP:c:\program files\EA Games\Battlefield 2\BF2.exe:Battlefield 2
"{24C9BFE3-9013-46DD-A2BD-C1F72663C609}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C6DB7990-B3F0-4A67-A5C8-9B2E55B3F75A}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{1C2961D6-F9F8-406F-B4B9-D1687775DA30}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C1EC783A-788C-4EEF-A233-51D38386DF60}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{20426BEC-959E-426F-AF29-3E45A22F4702}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6867FA5E-C240-4F84-A5D8-4D2B08F2CA32}"= UDP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare™
"{7CA9B625-F5A2-46F2-93FD-B273216949E4}"= TCP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare™
"{AEC92C68-56CB-4D11-BF26-90CEF1DC432B}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{ACF0515F-8975-4FFE-B665-559AF991C5CF}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{6DFF6625-0C86-47D4-8012-43CC92A9CE6A}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{296FC58C-C032-4594-A7E5-E77766AC92C3}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{402CA33A-07DB-4E21-A13A-0B6B23EBF5EE}"= UDP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{D1FBB807-90FA-4838-B173-D057CB0FE5E5}"= TCP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{BE66F088-DA85-4DAC-A3E7-C95D6D71CF1A}"= UDP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{C0AEA4DD-D952-43F9-87D2-6C5F1BDF59FF}"= TCP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{8787D7E9-3AA8-4723-BEBC-AEE4008A2C39}"= UDP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{DDF38F20-633E-40EE-854E-254084FA9C77}"= TCP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{0F961392-FBDA-4310-8E08-F9B7DEE926D9}"= UDP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{747718F9-CA8C-40EB-9988-17D9232AA420}"= TCP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{CB1E7F26-9E69-47C6-9848-12D3F261E347}"= UDP:c:\nexon\Combat Arms\NMService.exe:Nexon Messenger Core
"{6FAF6D61-4BB4-4222-A184-D36C02D9446B}"= TCP:c:\nexon\Combat Arms\NMService.exe:Nexon Messenger Core
"{A6189910-2D0D-4448-A190-9E3498FFA1EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{D0E9346F-AEBB-447B-B925-C91F2FFF00F6}c:\\program files\\steam\\steamapps\\pyrohamster\\garrysmod\\hl2.exe"= UDP:c:\program files\steam\steamapps\pyrohamster\garrysmod\hl2.exe:hl2
"UDP Query User{EC0E2A0E-E96D-4FC6-A5D4-11F2EDA943B5}c:\\program files\\steam\\steamapps\\pyrohamster\\garrysmod\\hl2.exe"= TCP:c:\program files\steam\steamapps\pyrohamster\garrysmod\hl2.exe:hl2
"TCP Query User{A5D0FD54-5F36-4808-B4AC-51F219D4F312}c:\\program files\\ares\\ares.exe"= UDP:c:\program files\ares\ares.exe:Ares p2p for windows
"UDP Query User{ED71EB04-07F1-478F-888D-7B01139BE80F}c:\\program files\\ares\\ares.exe"= TCP:c:\program files\ares\ares.exe:Ares p2p for windows
"TCP Query User{18433A53-9AA9-4202-B659-1EFE65314ED9}c:\\program files\\steam\\steamapps\\pyrohamster\\counter-strike source\\hl2.exe"= UDP:c:\program files\steam\steamapps\pyrohamster\counter-strike source\hl2.exe:hl2
"UDP Query User{D7FF76F6-CF01-4A63-B474-7D600491EBCF}c:\\program files\\steam\\steamapps\\pyrohamster\\counter-strike source\\hl2.exe"= TCP:c:\program files\steam\steamapps\pyrohamster\counter-strike source\hl2.exe:hl2
"TCP Query User{7606C432-D511-4220-8CC0-AF5F10614BE6}c:\\program files\\crawler\\radio\\cradio.exe"= UDP:c:\program files\crawler\radio\cradio.exe:Radio & MP3 Player
"UDP Query User{B14DD012-DE99-409B-9A5E-FDE792F515FA}c:\\program files\\crawler\\radio\\cradio.exe"= TCP:c:\program files\crawler\radio\cradio.exe:Radio & MP3 Player
"{B6821921-2AAB-4899-9714-B734DF5C1B33}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{A077E3E7-06CF-4666-9E0B-31B2B41A0BEA}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{2775B59F-DA73-4F87-98D7-7F76AF720DE4}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{5D1AA20F-7BEB-4163-AA6D-592539A47BB4}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"TCP Query User{D6B138D4-4178-476F-B5CC-172101BD6850}c:\\program files\\steam\\steamapps\\pyrohamster\\team fortress 2\\hl2.exe"= UDP:c:\program files\steam\steamapps\pyrohamster\team fortress 2\hl2.exe:hl2
"UDP Query User{FC21C61B-98E5-4A0A-8618-14A70C2CA9FB}c:\\program files\\steam\\steamapps\\pyrohamster\\team fortress 2\\hl2.exe"= TCP:c:\program files\steam\steamapps\pyrohamster\team fortress 2\hl2.exe:hl2
"{A5094BE6-204C-4DA1-9B4D-77AF68E0B7DE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{4ECD9D8F-F151-4DBC-9614-1B3D0D1EDBE0}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{30F2D4C6-E206-417C-9997-EA63ED6FFD06}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{4B16F612-AB61-476D-B692-BB4322FE9246}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{09B29F17-3457-4F9D-AE3E-6B4CF6EB203F}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{73DD5727-EDC6-4833-9A7D-5D680F1BD974}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{8120F051-AA3A-4BF8-A21B-C26741FF960C}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{2E24D153-F6FE-4C77-8119-81DE4869640A}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{90CC7C41-FE3E-4384-8B9F-368F28FDE027}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty® - World at War™
"{BEADAB4B-77B5-4A2C-ACE5-59853A21321B}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty® - World at War™
"{304DD071-44DE-40B6-9636-3F8973AD6C73}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty® - World at War™
"{50EBD0DB-B31C-4041-B85C-AE5CEFCA4C56}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty® - World at War™
"{FE33CBF0-42DE-4D3A-8897-811CC3F793FF}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{ACFBB09D-760D-412B-B6B8-15DDECC1D09B}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{7D77A6F8-8488-4E37-BD6D-DA9FC1FB3146}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{8C7909EC-FC47-4995-8F1D-78A173D24D53}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{C045859C-2AF5-4C71-A1B8-BAD272E77D12}"= UDP:c:\program files\IGWarlord\igwarlord.exe:IGWarlord
"{8E400D02-8E0F-4A34-97AA-E17CAE023AF3}"= TCP:c:\program files\IGWarlord\igwarlord.exe:IGWarlord
"{CD3ABD99-A56A-491E-A148-6BC21138E63E}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{ACEB59CC-3FCF-4A49-BC88-494A248EE5AD}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{0A3836C7-E57F-4249-950F-A47AF6A2EADB}c:\\program files\\steam\\steamapps\\pyrohamster\\team fortress classic\\hl.exe"= UDP:c:\program files\steam\steamapps\pyrohamster\team fortress classic\hl.exe:Half-Life Launcher
"UDP Query User{182302E3-0FFF-48EB-BA07-D0938F00A6B6}c:\\program files\\steam\\steamapps\\pyrohamster\\team fortress classic\\hl.exe"= TCP:c:\program files\steam\steamapps\pyrohamster\team fortress classic\hl.exe:Half-Life Launcher
"TCP Query User{325E9A20-4FBC-41E0-B85B-A184FFE8D31E}c:\\program files\\final warriors productions\\scud storm\\game.exe"= UDP:c:\program files\final warriors productions\scud storm\game.exe:Renegade
"UDP Query User{0F06DB74-B050-4860-9638-4A6BE91BD606}c:\\program files\\final warriors productions\\scud storm\\game.exe"= TCP:c:\program files\final warriors productions\scud storm\game.exe:Renegade
"{26E44ABA-C1A2-48F1-95A7-A448DC768DBE}"= UDP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{DA0222C4-D388-4A79-B144-4BE23C6E6140}"= TCP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{85FF2E1E-62CE-4F9F-A58C-F5B6FAD1D8DA}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{3C162D51-378F-4D62-BD52-457E15F83252}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{74691604-EE68-48B7-8DF1-D09CE9433B13}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{9E494624-F461-4427-B608-3F5853728299}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"{ECC6563F-6967-4F64-AE2A-7ACC22D8D880}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{D290BAC4-0ADC-46FE-9DE9-EED83FF2917B}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DisabledInterfaces"= {C86C283E-E1E0-4FEE-8283-3BD9E815E5C7},{924B2E30-1B8F-415F-A1E5-25EDA06439C2}

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Nexon\\Combat Arms\\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090318.001\IDSvix86.sys [2009-03-23 272432]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [2008-02-27 46112]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-28 101936]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2009-02-19 41008]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [2008-01-12 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - ECACHE
*Deregistered* - sptd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b24291e-b4fc-11dd-a6f1-0018390b1a48}]
\shell\AutoRun\command - E:\SetupScreen.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fa5be0e-9c41-11dc-8acd-806e6f6e6963}]
\shell\AutoRun\command - d:\setup\rsrc\Autorun.exe
\shell\dinstall\command - d:\directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{517eca3f-eb26-11dd-a5e3-0018390b1a48}]
\shell\AutoRun\command - G:\autoexec.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c792f00e-9c41-11dc-83e7-001d9203fa23}]
\shell\AutoRun\command - F:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKCU-Run-realteks - c:\users\Administrator\AppData\Roaming\Google\vxpclock.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\rmyv4i08.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 20:50:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5368)
c:\program files\Xfire\xfire_toucan_36285.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NetworkExplorer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\System32\PnkBstrA.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\System32\rundll32.exe
c:\program files\MagicDisc\MagicDisc.exe
c:\program files\Xfire\Xfire.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Common Files\Steam\SteamService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-03-28 21:00:59 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-03-29 02:59:58

Pre-Run: 70,814,892,032 bytes free
Post-Run: 71,435,378,688 bytes free

340 --- E O F --- 2009-03-17 09:02:25

Edited by pyrohamster, 28 March 2009 - 11:07 PM.


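Reading a ComboFix log like the one above by eye comes down to checking the same few things every time: which Run entries point into a user profile or are bare file names resolved through the search path, whether the firewall or the Security Center notifications have been switched off, and which drives have a cached AutoRun command under MountPoints2. The script below is an added example for this thread, not code from ComboFix, HijackThis or anyone posting here; it parses those sections of a ComboFix log and applies exactly those heuristics. SAMPLE_LOG is a constructed, shortened imitation of the sections posted above. The `realteks` / `vxpclock.exe` value is placed in it as a live Run entry only to show what the user-profile heuristic catches (in the actual log it appears only under ORPHANS REMOVED), and the heuristics and their wording are this example's own assumptions, not a verdict on any particular file.

```python
"""Heuristic triage of ComboFix log sections.

Added example, not ComboFix or HijackThis code. Parses the Run keys,
Security Center and firewall policy values and MountPoints2 AutoRun
commands that ComboFix prints under "Reg Loading Points" and flags the
entries a malware-removal helper usually checks first.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the sections posted in the thread above.
# The "realteks" value is shown as a live Run entry here for illustration;
# in the posted log it appears only under ORPHANS REMOVED.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-10-07 1410296]
"realteks"="c:\users\Administrator\AppData\Roaming\Google\vxpclock.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13683232]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fa5be0e-9c41-11dc-8acd-806e6f6e6963}]
\shell\AutoRun\command - d:\setup\rsrc\Autorun.exe
\shell\dinstall\command - d:\directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{517eca3f-eb26-11dd-a5e3-0018390b1a48}]
\shell\AutoRun\command - G:\autoexec.exe
"""

# Line shapes as ComboFix prints them (the trailing [date size] is optional).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<stamp>[^\]]*)\])?$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<dword>dword:)?(?P<value>[0-9a-fA-F]+)')
AUTORUN_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$")

# Heuristics (this example's assumptions, not ComboFix logic).
USER_PROFILE_RE = re.compile(r"\\(?:users|documents and settings)\\|\\appdata\\", re.I)
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.I)


@dataclass(frozen=True)
class Finding:
    key: str      # registry key the line was listed under
    entry: str    # value name or command that tripped the heuristic
    reason: str


def _int_value(m: re.Match) -> int:
    """ComboFix prints dword values as hex (dword:00000001) and others as decimal."""
    return int(m.group("value"), 16 if m.group("dword") else 10)


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line, tracking the current [registry key]."""
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        kl = key.lower()
        if kl.endswith("\\currentversion\\run"):
            m = RUN_RE.match(line)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            if USER_PROFILE_RE.search(path):
                findings.append(Finding(key, name, "autostart binary lives in a user profile directory"))
            if not DRIVE_PATH_RE.match(path):
                findings.append(Finding(key, name, "bare file name, resolved through the search path at logon"))
        elif "\\firewallpolicy\\" in kl and kl.endswith("profile"):
            m = VALUE_RE.match(line)
            if m and m.group("name").lower() == "enablefirewall" and _int_value(m) == 0:
                findings.append(Finding(key, "EnableFirewall", "Windows Firewall disabled for this profile"))
        elif kl.endswith("\\security center"):
            m = VALUE_RE.match(line)
            if m and m.group("name").lower() == "autoupdatedisablenotify" and _int_value(m) != 0:
                findings.append(Finding(key, "AutoUpdateDisableNotify",
                                        "Security Center will not warn that Automatic Updates is off"))
        elif "\\mountpoints2\\" in kl:
            m = AUTORUN_RE.match(line)
            if m and m.group("verb").lower() == "autorun":
                findings.append(Finding(key, m.group("cmd"), "cached AutoRun command for a removable or optical drive"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.entry}\n    under {f.key}")
```

Run it as a script to see the findings for the constructed sample, or call `triage()` on the text of a saved ComboFix.txt. A hit is a prompt to look closer (file signature, dates, vendor, what the helper in the thread would ask you to upload), not a verdict: legitimate software does autostart from AppData, and the LaunchU3 and game-disc AutoRun commands in the log above are ordinary.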
#13
sjpritch25 (Malware Expert, 79 posts)
How is everything running?

#14
pyrohamster (Topic Starter, Member, 10 posts)
After running ComboFix I didn't have any more troubles.

Thanks for all your help.

#15
sjpritch25 (Malware Expert, 79 posts)
Good.

Need to grab some files from ComboFix's quarantine. Post instructions.

Edited by sjpritch25, 29 March 2009 - 06:38 PM.
