I recently found out I have a rustock.NKU trojan on my computer thanks to Nod32 that told me:

9/4/2009 4:13:12 PM Real-time file system protection file C:\WINDOWS\system32\dllcache\beep.sys.new a variant of Win32/Rustock.NKU trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\winlogon.exe.

After following step 1 of a guide I found on another thread similiar to this on the site this is my hijack this report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:15 PM, on 9/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\RayV\RayV\RayV.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Trend Micro\HijackThis\Weee.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - 0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: (no name) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.EXE /FU "C:\WINDOWS\TEMP\E_S566.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-N3829.exe" /REG
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [RayV] C:\Program Files\RayV\RayV\RayV.exe /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT Startup: ikowin32.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: ikowin32.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1226637205401
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 9239 bytes

I'm going to try to follow the next step in the process by running in safe mode....will post the log after the fact if my computer returns to life...

Hi Hammosh, welcome to SAF

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - URLSearchHook: (no name) - 0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - (no file)

R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O3 - Toolbar: (no name) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - (no file)

O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-N3829.exe" /REG

O4 - .DEFAULT Startup: ikowin32.exe (User 'Default user')

O4 - Startup: ikowin32.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Set your system to show all files; see here if you're unsure how to do this.

Using Windows Explorer, locate the following files and delete them:

C:\WINDOWS\is-N3829.exe
C:\WINDOWS\system32\GameMon.des.exe

Exit Explorer, and reboot as normal afterwards.

- Download and run CrapCleaner from http://www.ccleaner.com/
Note: in CCleaner: go to <options/advanced> Uncheck "Only delete files in Windows Temp folders older than 48 hours".

- Download Malwarebytes Anti-Malware from http://www.majorgeeks.com/Malwarebyte'...ware_d5756.html to the desktop.

- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both these checked:
- Update Malwarebytes Anti-Malware
- Launch Malwarebytes Anti-Malware
- Then click Finish.

- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- On the Scanner tab:
- Make sure the "Perform Full Scan" option is selected.
- Then click on the Scan button.
- The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.

- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply along with a fresh HijackThis log and exit MBAM.

NB - If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

Post the mbam report along with a fresh HJT log.

Chris

I used the SDFix utility the previous poster was suggested to use and this was my report if it matters:


SDFix: Version 1.240
Run by Administrator on Fri 09/04/2009 at 05:22 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\9129837.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 17:27:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"ErrorControl"=dword:00000001
"Group"="Base"
"Start"=dword:00000001
"Tag"=dword:00000002
"Type"=dword:00000001
"kadfmmqr"=dword:00000001
"F96ZK6nPB"="YWxtYXh0cmFkaW5nLmluZm8="
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\beep]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Beep]
"ErrorControl"=dword:00000001
"Group"="Base"
"Start"=dword:00000001
"Tag"=dword:00000002
"Type"=dword:00000001
"kadfmmqr"=dword:00000001
"F96ZK6nPB"="YWxtYXh0cmFkaW5nLmluZm8="
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\beep]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"
"TypesSupported"=dword:00000007

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Ventrilo\\Ventrilo.exe"="C:\\Program Files\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\\Program Files\\DreamCatcher\\Painkiller Overdose\\Bin\\Overdose.exe"="C:\\Program Files\\DreamCatcher\\Painkiller Overdose\\Bin\\Overdose.exe:*:Enabled:Painkiller Overdose"
"C:\\Program Files\\DreamCatcher\\Painkiller Overdose\\Bin\\OverdoseEditor.exe"="C:\\Program Files\\DreamCatcher\\Painkiller Overdose\\Bin\\OverdoseEditor.exe:*:Enabled:Painkiller Overdose Editor"
"C:\\Program Files\\DreamCatcher\\Painkiller Overdose\\Bin\\OverdoseServer.exe"="C:\\Program Files\\DreamCatcher\\Painkiller Overdose\\Bin\\OverdoseServer.exe:*:Enabled:Painkiller Overdose Console Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\World of Warcraft\\Repair.exe"="C:\\Program Files\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"="C:\\Program Files\\World of Warcraft Public Test\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"="C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe:*:Enabled:Hellgate: London"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"="C:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe:*:Enabled:Pando Media Booster"
"C:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"="C:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe:*:Enabled:DOW2"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\World of Warcraft\\Launcher.exe"="C:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"="C:\\Program Files\\Warcraft III\\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\ijji\\ENGLISH\\u_gunz.exe"="C:\\ijji\\ENGLISH\\u_gunz.exe:*:Enabled:<ijji Downloader>"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Sega\\Universe At War Earth Assault\\UAWEA.exe"="C:\\Program Files\\Sega\\Universe At War Earth Assault\\UAWEA.exe:*:Enabled:Universe at War Earth Assault"
"C:\\Program Files\\RayV\\RayV\\RayV.dll"="C:\\Program Files\\RayV\\RayV\\RayV.dll:*:Enabled:RayV"
"C:\\Program Files\\RayV\\RayV\\RayV.exe"="C:\\Program Files\\RayV\\RayV\\RayV.exe:*:Enabled:RayV"
"C:\\Program Files\\LittleFighter2\\LF2_v1.9c\\lf2.exe"="C:\\Program Files\\LittleFighter2\\LF2_v1.9c\\lf2.exe:*:Enabled:lf2"
"C:\\Documents and Settings\\Ryan\\Application Data\\RayV\\Viewer\\RayV.dll"="C:\\Documents and Settings\\Ryan\\Application Data\\RayV\\Viewer\\RayV.dll:*:Enabled:RayV"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Curse\\CurseClient.exe"="C:\\Program Files\\Curse\\CurseClient.exe:*:Enabled:Curse Client"
"C:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 25 Nov 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 23 Aug 2009 3,954 ...HR --- "C:\Documents and Settings\Ryan\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

The following files didn't even show up:

O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-N3829.exe" /REG
C:\WINDOWS\is-N3829.exe

The following file was "fixed" but continued to appear on deletion:

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

Doing the CC and malware now.

And my NOD32 just picked up the rustock and quarantined it again....

Malware:

Malwarebytes' Anti-Malware 1.40
Database version: 2743
Windows 5.1.2600 Service Pack 3

9/4/2009 6:48:32 PM
mbam-log-2009-09-04 (18-48-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 205417
Time elapsed: 47 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ryan\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:31 PM, on 9/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\RayV\RayV\RayV.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\Weee.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.EXE /FU "C:\WINDOWS\TEMP\E_S566.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [RayV] C:\Program Files\RayV\RayV\RayV.exe /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1226637205401
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 8369 bytes

Hope this helps.

No need to quote my replies. Click the "Add reply" button at the very bottom right instead of the "Reply" button at the right of my post.

<Start/Run> type in cmd (enter)
At the black window prompt, type the following:

sc stop npggsvc (Enter)
sc delete npggsvc (Enter)
exit (Enter)

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

Click on Fix Checked when finished and exit HijackThis.

Download Combofix to your desktop by clicking here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Rename it to c-fix.exe
Double click c-fix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Disconnect from the internet (unplug the cable), close all windows and any program on your system tray, including your antivirus. Do not mouseclick or type anything while combofix is running. That may cause it to stall.

You can safely ignore warnings about not having the recovery console installed. Run it only once !

Post the combofix report along with a fresh HJT log.

Chris

Sorry for the giant log....didn't know what was needed:

ComboFix 09-09-04.02 - Ryan 09/05/2009 10:04.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2590 [GMT -7:00]
Running from: c:\documents and settings\Ryan\Desktop\C-Fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\dlinfo_0.drv
c:\windows\Installer\3c0897e.msp
c:\windows\Installer\4149e3.msi

----- BITS: Possible infected sites -----

hxxp://msxb-d1.vo.llnw.net:3074
.
((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-09-04 23:52 . 2009-09-05 00:29 -------- d-----w- C:\SDFix
2009-09-04 23:48 . 2009-09-04 23:48 -------- d-----w- c:\program files\Trend Micro
2009-09-04 15:34 . 2009-09-04 15:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-09-04 14:38 . 2009-09-04 14:38 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\ESET
2009-08-30 07:59 . 2009-03-09 22:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-08-30 07:59 . 2009-03-09 22:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-08-30 07:59 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-08-30 07:59 . 2009-03-16 21:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-08-30 07:59 . 2009-03-16 21:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-08-30 07:59 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-08-30 07:59 . 2009-03-16 21:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-08-30 07:59 . 2008-10-10 11:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-08-30 07:59 . 2008-10-10 11:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-08-30 07:59 . 2008-10-10 11:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-08-30 07:59 . 2008-10-27 17:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2009-08-30 07:59 . 2008-10-27 17:04 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll
2009-08-30 07:58 . 2008-10-27 17:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2009-08-30 07:58 . 2008-10-27 17:04 23376 ----a-w- c:\windows\system32\X3DAudio1_5.dll
2009-08-30 03:35 . 2009-08-30 03:35 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\assembly
2009-08-30 03:34 . 2009-08-30 03:36 -------- d-----w- c:\program files\NCSoft
2009-08-23 11:06 . 2009-08-23 11:06 -------- d-----w- c:\program files\NVIDIA Corporation
2009-08-23 11:06 . 2009-08-23 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-08-22 00:09 . 2009-08-22 00:27 35190 ----a-w- c:\windows\scunin.dat
2009-08-22 00:09 . 2009-08-22 00:27 967 ----a-w- c:\windows\ScUnin.pif
2009-08-22 00:09 . 2009-08-22 00:27 94208 ----a-w- c:\windows\ScUnin.exe
2009-08-22 00:07 . 2009-09-03 00:02 -------- d-----w- c:\program files\Starcraft
2009-08-21 23:15 . 2009-08-21 23:15 -------- d-----w- c:\documents and settings\Ryan\Application Data\DivX
2009-08-21 23:13 . 2009-07-14 00:17 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-08-21 23:13 . 2009-07-14 00:17 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-08-21 23:13 . 2009-08-21 23:14 -------- d-----w- c:\program files\DivX
2009-08-21 23:13 . 2009-08-21 23:13 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-21 04:42 . 2009-08-21 04:42 -------- d-----w- c:\program files\ESET
2009-08-21 04:42 . 2009-08-21 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-19 20:37 . 2009-08-19 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-17 10:04 . 2009-08-17 10:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 10:04 . 2009-08-17 10:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 10:03 . 2009-08-17 10:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 10:03 . 2009-08-17 10:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 10:03 . 2009-08-17 10:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 10:03 . 2009-08-17 10:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 10:03 . 2009-08-17 10:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 10:03 . 2009-08-17 10:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 10:03 . 2009-08-17 10:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 10:03 . 2009-08-17 10:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 10:03 . 2009-08-17 10:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 10:03 . 2009-08-17 10:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 10:02 . 2009-08-17 10:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-17 07:57 . 2009-08-17 07:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-17 07:57 . 2009-08-17 07:57 1597690 ----a-w- c:\windows\system32\nvdata.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 17:11 . 2009-05-05 12:15 -------- d-----w- c:\program files\DNA
2009-09-05 17:11 . 2009-05-05 12:15 -------- d-----w- c:\documents and settings\Ryan\Application Data\DNA
2009-09-05 17:11 . 2009-03-31 03:26 -------- d-----w- c:\program files\Steam
2009-09-05 17:11 . 2008-11-13 16:07 16608 ----a-w- c:\windows\gdrv.sys
2009-09-05 00:10 . 2009-07-03 21:27 -------- d-----w- c:\documents and settings\Ryan\Application Data\RayV
2009-09-05 00:01 . 2008-11-14 04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 22:24 . 2008-11-29 12:09 -------- d-----w- c:\documents and settings\Ryan\Application Data\LimeWire
2009-09-01 16:10 . 2009-01-09 19:49 -------- d-----w- c:\program files\World of Warcraft
2009-08-30 03:34 . 2008-11-13 16:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 03:33 . 2009-01-05 07:53 -------- d-----w- c:\documents and settings\Ryan\Application Data\GetRightToGo
2009-08-25 02:00 . 2008-11-14 23:39 -------- d-----w- c:\program files\Warcraft III
2009-08-19 21:06 . 2009-08-02 03:47 -------- d-----w- c:\documents and settings\Ryan\Application Data\SPORE
2009-08-17 07:57 . 2009-02-18 21:44 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-17 07:57 . 2008-11-13 16:16 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-17 07:57 . 2008-05-03 03:16 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-17 07:57 . 2008-05-03 03:16 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 07:57 . 2008-05-03 03:16 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-17 07:57 . 2008-05-03 03:16 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-17 07:57 . 2008-05-03 03:16 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-17 07:57 . 2008-05-03 03:16 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-17 07:57 . 2008-05-03 03:16 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-12 19:34 . 2008-11-15 11:43 34 ----a-w- c:\documents and settings\Ryan\jagex_runescape_preferences.dat
2009-08-11 19:35 . 2008-11-13 16:16 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-06 09:36 . 2009-06-16 08:40 -------- d-----w- c:\program files\City of Heroes
2009-08-06 03:58 . 2009-08-06 03:58 -------- d-----w- c:\program files\Curse
2009-08-05 13:02 . 2008-11-14 23:42 78533 ----a-w- c:\windows\War3Unin.dat
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:36 . 2008-11-14 04:55 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2008-11-14 04:55 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 13:21 . 2009-04-01 04:13 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-02 03:50 . 2009-07-09 03:56 -------- d-----w- c:\program files\Electronic Arts
2009-08-02 03:25 . 2008-12-26 19:19 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-31 20:31 . 2009-07-31 20:31 -------- d--h--r- c:\documents and settings\Ryan\Application Data\SecuROM
2009-07-31 06:50 . 2009-07-31 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-07-31 06:39 . 2009-04-02 04:57 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-30 06:34 . 2009-07-30 05:03 -------- d-----w- c:\documents and settings\Ryan\Application Data\Apple Computer
2009-07-30 06:28 . 2009-07-30 06:28 -------- d-----w- c:\program files\EV Nova
2009-07-30 05:03 . 2009-07-30 05:02 -------- d-----w- c:\program files\iTunes
2009-07-30 05:03 . 2009-07-30 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-30 05:02 . 2009-07-30 05:02 -------- d-----w- c:\program files\iPod
2009-07-30 05:02 . 2009-07-30 05:01 -------- d-----w- c:\program files\Common Files\Apple
2009-07-30 05:02 . 2009-07-30 05:02 -------- d-----w- c:\program files\Bonjour
2009-07-30 05:02 . 2009-07-30 05:02 -------- d-----w- c:\program files\QuickTime
2009-07-30 05:02 . 2009-07-30 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-30 05:02 . 2009-07-30 05:02 -------- d-----w- c:\program files\Apple Software Update
2009-07-30 05:01 . 2009-07-30 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2008-04-14 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 00:15 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-07-14 00:15 . 2009-07-14 00:15 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-07-14 00:15 . 2009-07-14 00:15 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-07-14 00:15 . 2009-07-14 00:15 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-07-14 00:15 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\DivX.dll
2009-07-09 19:16 . 2009-07-30 05:01 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 19:16 . 2009-07-30 05:01 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 17:12 . 2009-07-09 17:12 -------- d-----w- c:\program files\LittleFighter2
2009-07-09 00:53 . 2008-11-24 04:23 16888 ----a-w- c:\documents and settings\Ryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-08 01:23 . 2009-07-08 01:23 -------- d-----w- c:\program files\OGPlanet
2009-06-29 16:12 . 2008-04-14 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2008-04-14 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2008-04-14 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2008-11-13 15:58 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2008-04-14 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2008-04-14 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Steam"="c:\program files\Steam\Steam.exe" [2009-06-10 1217784]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-05-05 342848]
"RayV"="c:\program files\RayV\RayV\RayV.exe" [2009-06-15 2471208]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"SaiVolume"="c:\program files\Saitek\CyborgKeyboard\SaiVolume.exe" [2008-01-19 126976]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2008-01-19 233472]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2008-01-19 131072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\Ryan\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\DreamCatcher\\Painkiller Overdose\\Bin\\Overdose.exe"=
"c:\\Program Files\\DreamCatcher\\Painkiller Overdose\\Bin\\OverdoseEditor.exe"=
"c:\\Program Files\\DreamCatcher\\Painkiller Overdose\\Bin\\OverdoseServer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Sega\\Universe At War Earth Assault\\UAWEA.exe"=
"c:\\Program Files\\RayV\\RayV\\RayV.dll"=
"c:\\Program Files\\RayV\\RayV\\RayV.exe"=
"c:\\Program Files\\LittleFighter2\\LF2_v1.9c\\lf2.exe"=
"c:\\Documents and Settings\\Ryan\\Application Data\\RayV\\Viewer\\RayV.dll"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11344:TCP"= 11344:TCP:BitCometLite 11344 TCP
"11344:UDP"= 11344:UDP:BitCometLite 11344 UDP
"15629:TCP"= 15629:TCP:BitCometLite 15629 TCP
"15629:UDP"= 15629:UDP:BitCometLite 15629 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"58074:TCP"= 58074:TCP:Pando Media Booster
"58074:UDP"= 58074:UDP:Pando Media Booster
"6112:TCP"= 6112:TCP:Warcraft 3
"6112:UDP"= 6112:UDP:Warcraft 3
"6113:TCP"= 6113:TCP:Warcraft 3
"6113:UDP"= 6113:UDP:Warcraft 3
"6114:TCP"= 6114:TCP:Warcraft 3
"6114:UDP"= 6114:UDP:Warcraft 3
"6115:TCP"= 6115:TCP:Warcraft 3
"6115:UDP"= 6115:UDP:Warcraft 3
"6116:TCP"= 6116:TCP:Warcraft 3
"6116:UDP"= 6116:UDP:Warcraft 3
"6117:TCP"= 6117:TCP:Warcraft 3
"6117:UDP"= 6117:UDP:Warcraft 3
"6118:TCP"= 6118:TCP:Warcraft 3
"6118:UDP"= 6118:UDP:Warcraft 3
"6119:TCP"= 6119:TCP:Warcraft 3
"6119:UDP"= 6119:UDP:Warcraft 3

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [11/13/2008 9:09 AM 80392]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [11/14/2008 3:59 PM 53307]
R3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [12/19/2008 10:50 PM 457856]
R3 SaiK0728;SaiK0728;c:\windows\system32\drivers\SaiK0728.sys [12/24/2008 5:27 PM 104960]
S3 XDva248;XDva248;\??\c:\windows\system32\XDva248.sys --> c:\windows\system32\XDva248.sys [?]
S3 XDva273;XDva273;\??\c:\windows\system32\XDva273.sys --> c:\windows\system32\XDva273.sys [?]
S3 XDva279;XDva279;\??\c:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-PlayNC Launcher - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\sp8xwaem.default\
FF - component: c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\sp8xwaem.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 10:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1085031214-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:d1,c6,7f,96,41,8d,d8,e1,1b,87,a4,49,c7,3d,6f,f5,6f,2a,8d,16,71,
6b,b3,68,5a,ad,cd,f8,18,08,d8,ac,ae,c5,6f,ad,98,81,56,b7,99,8d,62,df,fc,42,\
"rkeysecu"=hex:de,f4,12,88,e0,1d,48,13,03,ac,f3,4b,e9,8b,e2,1a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1792)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2009-09-05 10:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 17:15

Pre-Run: 201,062,088,704 bytes free
Post-Run: 200,913,637,376 bytes free

327 --- E O F --- 2009-08-30 10:00

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:02 AM, on 9/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Weee.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [RayV] C:\Program Files\RayV\RayV\RayV.exe /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1226637205401
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7652 bytes

Well done. Looks clean now.

Are you still experiencing troubles with this system ?

Chris

According to my virus protection they still have the files qurantined. Should I delete those and risk them being quarantined again? Thats about it.

Quarantined files are harmless. You can safely remove them.

You can now uninstall ComboFix.
<Start/Run> type in combofix /u (Enter)
This will remove quarantined files and folders, thus avoiding future antivirus alerts about them.

update java: Go to http://java.sun.com/javase/downloads/index.jsp
Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 15' or higher and press the 'Download' button.
Reboot when installed.
Uninstall any previous Java versions from Control Panel, add-remove programs afterward.

Disable/re-enable system restore to avoid future reinfections from restore points: http://www.bleepingcomputer.com/tutorials/tutorial56.html

Don't forget to create a new restore point just after.

Chris

So...delete java 6 update 4 and 7? Despite both of them being larger files than 16?

Yep ! Old JRE files are exploitable and may be a problem, so you must remove them all.

Chris

Well shortly after uninstalling the java files as instructed windows started giving me the message "USB Device not recognized" It doesn't pop up once though....it makes the annoying sound OVER and OVER again...and pops up the "for assistance with this problem, click this message" OVER and OVER.....

You may have uninstalled other Java api's... the only you should remove was outdated JRE files, not any others.

Did you restart your system after installing the new JRE update ?

What usb device is not being recognized ?

Chris

Note: I have just checked all my usb devices, pendrive, usb backup disk, digital camera and mobile phone. They are all working fine.

As you can see, I have only Java 6 update 16 installed.

Click to view attachment